“What If They Gave a War and Nobody Came?” I’ve loved the naïve optimism in that question ever since I saw it on bumper stickers when I was a kid in the 1960s. Lately though I’ve been thinking that this delightful question ironically describes cyber warfare.
In a prescient moment Bertold Brecht famously said, “Suppose they gave a war, and nobody came? Why then, the war would come to you!” He could have been talking about cyber warfare. Nobody comes to a cyber war. Cyber attacks come to you.
But does a cyber attack really bring war to the victim? The answer has taken on greater importance recently. In 2018 Zurich American Insurance Company denied coverage under a property insurance policy issued to Mondelez International, Inc. for loss the company sustained as a result of the NotPetya malware attack on June 27, 2017. Zurich based its denial on the following exclusion in the policy:
B. This Policy excludes loss or damage directly or indirectly caused by or resulting from any of the following regardless of any other cause or event, whether or not insured under this Policy, contributing concurrently or in any other sequence to the loss:
. . .
2) a) hostile or warlike action in time of peace or war, including action in hindering, combating or defending against an actual, impending or expected attack by any:
(i) government or sovereign power (de jure or de facto);
(ii) military, naval, or air force; or
(iii) agent or authority of any party specified in i or ii above.
While I haven’t seen Zurich’s coverage correspondence, I think it is reasonable to assume that they think the exclusion applies because releasing NotPetya was a hostile action and the governments of the United Kingdom and the United States both determined that NotPetya originated with the Russian military. Not surprisingly, Mondelez disagreed, and filed suit against Zurich on October 10, 2018.
I don’t envy Zurich’s position in the suit. They will have the burden to prove that the NotPetya attack was a “hostile or warlike action.” Although Zurich will certainly argue that the attack was a hostile action, the same could be said for every cyber attack. The litigation is likely to turn on whether the NotPetya attack took place in a context that was warlike enough that the war exclusion should apply.
This problem reminds me of the difficulty the US Supreme Court faced over 50 years ago when it had to decide whether a pornographic film was obscene. Acknowledging the difficulty of defining what constitutes hard core pornography, Justice Potter Stewart simply said, “I know it when I see it.” Hopefully it will be possible to decide whether the NotPetya attack was an act of war using more objective criteria. There are many court decisions that provide guidance.
A Little Bit of History
The applicability of war exclusions outside the context of a declared war is not a new issue. Courts have wrestled for centuries with the question of what constitutes a war, and for at least one hundred years with the applicability of war exclusions. Decisions interpreting war exclusions have adopted two different analytical approaches.
The first approach is a technical one. Courts focus on whether a specific conflict is a formally declared war. While this approach has the virtue of providing certainty about whether the war exclusion applies, it prevents its application in conflicts like the Korean and Vietnam wars. Courts have reasoned that the insurers control the wording of war exclusions and that if they want them to apply more broadly they can write them to do so. That could explain the breadth of the exclusion in the Mondelez policy.
The second analytical approach courts use is to interpret “war” to mean what ordinary people think it means. Courts look at the factual context of a conflict and look for indicia of war such as whether the combatants wore uniforms, the organization of the combatants, and the types of weapons used. Courts also look at the act that caused the loss. This “common meaning” approach is the one courts use today. It is seen as being most consistent with the legal requirement that insurance policies be construed according to the reasonable expectations of the people that buy them.
War Exclusions in the Terrorism Epoch
On September 6, 1970 Pan Am flight 83 was hijacked in the air over London by individuals acting on behalf of the Popular Front for the Liberation of Palestine. The hijackers diverted the plane to Beirut then flew on to Cairo where the passengers were allowed to leave. The plane was destroyed in Cairo with explosives obtained in Beirut.
Pan Am made a claim under its all-risk aviation policies. The insurers denied coverage on the basis that war exclusions in those policies applied. Pan Am also made a claim under war risk policies. The war risk insurers took the position that coverage wasn’t available because the war exclusions in the all-risk policies didn’t apply.
In the coverage litigation that followed courts held that the war exclusions in the all-risk policies did not apply. The US Court of Appeals for the Second Circuit concluded that, “war is a course of hostility engaged in by entities that have at least significant attributes of sovereignty,” and that the hijackers “were the agents of a radical political group, rather than a sovereign government.” It decided that the exclusions did not apply because the hijacker’s acts were criminal rather than military.
In subsequent cases courts have generally followed the Pan Am court’s reasoning when deciding whether war exclusions apply to acts of terrorism. That could explain why insurers did not attempt to rely on war exclusions after the September 11, 2001 attacks in the US. Pressure from the US Congress may also have played a role.
So where does this leave the unfortunate Mondelez? Under the Pan Am decision Zurich will have to prove that the NotPetya attack was:
1. A hostile act;
2. Part of a course of hostility; and
3. Committed by actors with significant attributes of sovereignty.
I doubt it will be hard for Zurich to establish that releasing NotPetya into the wild was a hostile act. NotPetya certainly wasn’t created with an innocent intent. I’ve seen nothing suggesting that its release was intended to be a hostile act against Mondelez though.
Zurich will be able to point to the Russian military’s alleged involvement to demonstrate that the attack was perpetrated by an entity with the “significant attributes of sovereignty” required by the Pan Am decision. Zurich probably will be forced to prove that though, and that could be an insurmountable obstacle.
Zurich is likely to point to years of fighting between forces allegedly sponsored by Russia and Ukrainian forces as the “course of hostility” in which the NotPetya attack took place. Some circumstantial evidence could support that argument. The virus was released on Ukraine’s Constitution Day, and was placed on a Ukrainian website that provided updates to tax preparation software. Again though, there was no course of hostility between the Russian military and Mondelez.
Assuming these three points can be proved, that arguably would meet the requirements in the Pan Am decision for the war exclusion to apply.
While that result is possible, I do not think it is likely, nor do I think it would be right. War exclusions were developed with physical conflicts in mind. They apply primarily to limit coverage for loss and damage sustained by citizens of the states at war. A typical war exclusion in the context of cyber war might apply too broadly. It could reach loss sustained by unintended targets like Mondelez that are half a world away.
While a cyber attack by one warring party against another could be an act of war, the same would not be true of an unintended attack on an innocent third party. That attack is better viewed as a criminal act or possibly an act of terrorism. If I’m wrong, then every cyber attack launched by an entity with “significant attributes of sovereignty” would be tantamount to starting a new world war. I do not think that any court is likely to agree that a cyber attack is a warlike action against all victims because the common populace would be unlikely to equate such an attack with war.
If Zurich prevails against Mondelez, insureds with NotPetya or similar claims under cyber policies should not be overly concerned.
The wording of the exclusion in the Zurich property policy issued to Mondelez is broader than exclusions in many cyber policies. The Zurich exclusion applies if a hostile act plays any role at all in causing the loss. Further, the term “hostile” is not defined, and conceivably could be interpreted very broadly. War exclusions in cyber policies frequently are more limited.
Cyber insurers have not taken positions similar to Zurich’s despite having many opportunities to do so. Numerous state-sponsored cyber attacks have taken place in recent years. Some have been notorious, like the WannaCry attack in 2017 attributed to the North Korean government, while others have been known to companies, their cyber insurers, and few others. I am not aware of any cyber insurer ever denying coverage for such attacks on the basis that the war exclusion applies.
Cyber insurers are increasingly willing to modify war exclusions so that they don’t apply to cyber terrorism. While definitions of cyber terrorism differ, they generally include acts perpetrated electronically by any party to cause harm, intimidate the public, or for political, religious or ideological purposes.
Finally, cyber underwriters understand the risks of cyber attacks better than anyone else in the insurance industry. They are therefore more comfortable covering those risks than a property insurance underwriter might be. As a result, cyber insurers may not feel a need to apply war exclusions to exclude attacks like NotPetya because they understood that risk and intended to cover it.
I am not suggesting that companies with cyber policies should be complacent about what is happening in the Mondelez suit. An unexpectedly broad ruling in Zurich’s favor might give cyber insurers an argument under their war exclusions. Insurers that decide to make that argument might win a battle, but they would lose a larger commercial war. An insurer that takes an aggressive position on the applicability of war exclusions will certainly lose business to insurers that don’t.
Although cyber insurers are unlikely to follow Zurich’s lead with respect to the war exclusion, that doesn’t mean that existing war exclusions, even those with cyber terrorism exceptions, don’t need to be improved. Issues such as attacks on innocent bystanders, when an undeclared war is deemed to end, and whether cyber attacks alone can, or should, amount to “war” need to be addressed to create the necessary certainty about when a war exclusion will apply.