The mass production of the internal combustion engine facilitated many new kinds of insurable damage and loss. It also provided opportunities to extend and expand older forms of crime. Before cars, robbers were reduced to committing burglary within their own town or village, potentially aided by a speedy horse. Cars took these crimes to a new level. Cars facilitated “smash-and-grab” raids on banks, and kidnap and ransom, grabbing the unfortunate victim on the street and hustling them into the back of the car. Cars facilitated rapid getaway after any kind of attack, whatever the motivation — sabotage, vandalism, revenge. And that is before all the causes of loss associated with cars themselves, such as hit-and-run, manslaughter, dangerous driving, or speeding.
The term “car crime” relates specifically to the robbery of the car or its contents, or otherwise damaging the car — we would not consider lumping together all these different ways in which the car has facilitated losses and crimes under a single heading.
So why does it make sense to lump together all those varieties of crime and loss facilitated by another quantum leap in communications, through computing and the Internet? Because that is what we currently do when it comes to the use of the catch-all term “cyber”.
Everything is Cyber
Even with its origin, the word “cyber” is misleading — shorthand for the 1940s word “cybernetics” popularized by Norbert Wiener’s book — a term used to describe control systems. Somehow “cyber” jumped to mean everything that happens through the agency of computing and the Internet. Accepting that cyber has become a name for the medium, it is by no means all-encompassing when describing the motivation.
To start with, let us look at an event filed under the “cyber” heading. The failure of British Airways IT systems during a peak U.K. public holiday weekend in late May this year led to the cancellation of 726 flights and cost £80 million (US$105 million). As far as we know it was caused by an IT engineer causing an “uncontrolled restoration of power” at BA’s Boadicea House data center in west London. Why is that any different to an interruption in electricity or water supplies, cell phone services or of a critical supply chain?
Look at a cloud service outage, it might be the result of a trawler dragging an anchor through a concentration of subsea fiber optic cables, or freak thunderstorms hitting three data centers on the same evening. Or, adding to all those risks, it could also be a result of a cyberattack.
New Ways to Commit Old Crimes
Before the last decade, a partial list of business intrusions may have included:
- breaking into a bank safe
- robbing a money delivery truck
- breaking into an office to steal the addresses, passwords and credit card numbers of subscribers
- breaking in to steal the latest top-secret blueprints
- breaking into a factory to sabotage an industrial process
- planting a bomb that can only be disabled after payment of a ransom
(I use the term “breaking in”, but an employee may have been duped to let someone in, by providing a key, or leaving a door unlocked.)
We can now update all these diverse styles of attack to a world in which the “breaking in” part can be achieved online. Yet, just as in this list, what we now call “cyber” encompasses a range of different categories of crimes and attackers, with very different motivations.
So, who are the “cyber” actors, their crimes and their motivations?
A Short History of Cybercrime
In the early days, many intrusions were simply the work of a dedicated hacker, to prove the point that the so-called security was not that great. Motivation: personal hacker pride.
Then there were attacks inspired by some ethical or political antagonism – as with the organization called “Anonymous”. The 2015 Ashley Madison takedown and release of all customer records was politically motivated. Organizations that promote a wide range of causes, from abortion, investment banking, to big game hunting, coal mining or neo-Nazism, might expect to find themselves targets of political action. Motivation: political enmity.
Stealing intellectual property (IP) is more likely to be done to order, by rival companies, keen to receive the latest blueprints. Motivation: To gain a commercial or strategic technical advantage. Probably with the tacit backing of a foreign government.
As the defenses have improved, it has required greater coordination to seek financial gain — whether by stealing and selling on credit card passwords, or locking up files until a bitcoin ransom has been paid. Some of these schemes are elaborate, picking on multiple targets at the same time, and must reflect the labors of a team of hackers. But someone must be paying them, or maybe this is like seventeenth Century pirates in the Caribbean, or the Great Train Robbers — crime syndicates, with an implicit business plan, prepared to share the spoils according to a predetermined formula, and with some appreciation of the risks and consequences of getting caught. The WannaCry attacks are only believed to have netted US$130,000. Was that because they had a lousy business plan, or bad execution? More likely money was not the only object in an attack generally believed to have been sponsored by North Korea.
Crimes of the State
The most significant feature of cyber is that it has raised the bar of detection for a state to use deliberate misinformation, disruption or sabotage, to try to destabilize and weaken an enemy country. Many of the most audacious and damaging attacks are clearly state-sponsored, outside of Bond movies there are not “Dr. Evil” figures intent on bringing down the whole world order. Some of these attacks have the signature of their masterminds all over them. The “Guardians of Peace” November 2014 capture of emails and prerelease of films from Sony, for example, after Sony produced a movie satirizing the North Korean leadership. The December 2015 and 2016 attacks against the electricity grid in Ukraine are a natural extension of Russian involvement in undermining Ukraine. Motivation: low grade warfare.
One hallmark of these attacks, they will be concentrated in countries deemed to be enemies. If Russia is taking the lead, one would not, for example, expect an attack in a friendly country like Italy or Cyprus. However, to throw pursuers off the scent, the attackers might provide a feint by also including a company in their own territory. The June 2017 Petya/NotPetya malware attack infected commercial networks, including those of U.S. based pharma Merck, the Danish Maersk shipping company and Rosneft in Russia, although by far the largest disruption was to banks and infrastructure in Ukraine, which appears to have been the principal target of the attack.
All the while we know the security services are busy exploiting the vulnerabilities they have identified in core software products, which they use to gain entry into the computing systems of foreign powers. In this game of cat and mouse, nothing is quite what it seems and there will not be clean boundaries between the categories. A state-sponsored attack on bank transfers from the central bank in Bangladesh, undertaken by North Korean operatives, was intended to steal money, and to undermine the safety of the international interbank system.
It is only these state-sponsored attacks that are likely to have the finances and motivation to cause catastrophic losses involving physical damage. But there is also the deterrent, that no state would want to be caught committing such an attack.
Should insurers be covering the potential damage and consequences of state-sponsored attacks? After the loss of the Twin Towers, insurers applied a universal terrorism exclusion on all commercial policies. The same “following day exclusions” would be applied following a US$35 billion insured loss physical damage cyberattack. The FBI would be tasked with declaring an attack as “state-sponsored”, and the government would be forced to offer some alternative financial backstop to continue the cover. But until it happens, in principle at least, insurers will remain on the hook.
We have moved from the old Cold War (played out through proxy conflicts in secondary countries) to the new Cold War (played out through proxy conflicts in cyberspace).
So, what is my proposal? It is now time to call-out the specific crime in our naming conventions, to which we can then append “cyber”: viz cyber-robbery, cyber-ransom, cyber blackmail, cyber-vandalism, cyber sabotage, cyber warfare. And to look at the actors involved — is it individuals or organized groups, is it state-sponsored? Only through understanding the motivations will we be able to manage the risk.