Cyberwarfare

by Jolyon on 2 July, 2007

There’s an interesting account in a recent Economist (also on their website, subscription required) of a recent cyber-warfare attack on Estonia’s infrastructure. This came amidst Estonia’s spat with Russia over the re-siting of a statue commemorating the Glorious Motherland’s achievements in Estonia during the Great Patriotic War (aka WW2), which, I read somewhere, the locals referred to as “the Unknown Rapist”.

> Even at their crudest, the assaults broke new ground. For the first time, a state faced a frontal, anonymous attack that swamped the websites of banks, ministries, newspapers and broadcasters; that hobbled Estonia’s efforts to make its case abroad. Previous bouts of cyberwarfare have been far more limited by comparison: probing another country’s internet defences, rather as a reconnaissance plane tests air defences.

> At full tilt, the onslaught on Estonia was also of a sophistication not seen before, with tactics shifting as weaknesses emerged. “Particular ‘ports’ of particular mission-critical computers in, for example, the telephone exchanges were targeted. Packet ‘bombs’ of hundreds of megabytes in size would be sent first to one address, then another,” says Linnar Viik, Estonia’s top internet guru. Such efforts exceed the skills of individual activists or even organised crime; they require the co-operation of a state and a large telecoms firm, he says. The effects could have been life-threatening. The emergency number used to call ambulances and the fire service was out of action for more than an hour.

[emphasis added]

Apart from the novelty of the concept–and if you want to get rather more scary you might want to look at the US Defence Department’s 2007 Report on China’s escalating cyberwarfare capabilities–the interesting thing from a re-/insurance point of view is how far such attacks would constitute acts of war and thus might be caught by the stock war exclusion clauses.

Here is a typical example:

> WAR AND CIVIL WAR EXCLUSION CLAUSE

> Notwithstanding anything to the contrary contained herein this Policy does not cover Loss or Damage directly or indirectly occasioned by, happening through or in consequence of war, invasion, acts of foreign enemies, hostilities (whether war be declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation or nationalization or requisition or destruction of or damage to property by or under the order of any government or public or local authority.

As I understand the Estonian affair, it seems to fit reasonably enough into a number of the classes there: “hostilities”, “acts of foreign enemies” (it seems possible that Russia qua nation-state was behind it), even arguably “invasion”. However, one suspects that the clause was not drafted to take account of the present sorts of ‘expanded’ peril and it may be thought sensible either to revisit the wording or to ensure that there is some sort of cyberwarfare exclusion to the exclusion.

Of course, this also leads to all sorts of potential debate as to how one differentiates between cyberwarfare and cybercrime, where both terms are inherently inchoate and rather nebulous:

> The urgent need is for an international legal code that defines cybercrimes more precisely, and offers the basis for some remedies. The Council of Europe, a continent-wide talking-shop that is the guardian of many international legal conventions, has a treaty on cybercrime dating from 2001. Acceptance has been partial. From overseas, America and Japan have signed up; Russia so far hasn’t.

There is some talk of an international treaty by 2012, but again that needs sign-up and effective policing for it to have any real effect.

(First tipped off via Lunch over IP.)
