According to the article, “he attacks reflect Russia's mounting aggression in cyberspace as part of a larger ‘hybrid warfare’ doctrine that marries traditional military means with cyber-tools to achieve its goal of regional dominance” (emphasis added). On January 12, 2018, The Washington Post reported that the CIA had attributed NotPetya to the Russian military.Ĭritically, and to fully understand the concerns raised by the Merck court’s decision, worldwide attribution for the attack was nearly unprecedented. However, unlike ransomware, NotPetya did not have a decryption key – once data had been encrypted, it was irretrievably lost. The NotPetya malware was designed to masquerade as then existing ransomware known as Petya, the latter of which encrypted computer files until the victim paid a ransom in return for a decryption key. The cyberattack perhaps remains the most destructive of its kind, infecting computer systems worldwide and reportedly causing in excess of $1 billion in losses to three US organizations alone. On June 27, 2017, the eve of Ukraine’s “Constitution Day” – a day that commemorates approval of Ukraine’s Constitution following the country’s independence from the former Soviet Union – the malware NotPetya was unleashed. Yet, to appreciate the decision’s context fully, it is important to revisit the NotPetya attack. The facts of the case are straightforward. And, as unreasoned as a decision we believe Merck is, we cannot ignore it or say that it will be the last of its kind. The Merck decision’s logic declares in no uncertain terms that if the word “cyber” is not used in an exclusion, some courts will hold that it does not apply to a cyberattack. Nevertheless, the decision should serve as an alarm bell for carriers, their claims personnel, and their underwriters. (We’re not joking.) The reasoning of this decision looks backward to a century past, and we believe it will not age well. Further, the decision relies upon case law rendered before the Internet existed and before “cyber” was a word. It inserts an undefined and unaddressed conception of “traditional” into the exclusion, relies upon an arbitrary conclusion as to the meaning of war in a vacuum of kinetic weaponry, and wholly ignores the meaning of “hostile” activities. We are not going to be coy about this – we think this decision is wrong. Instead, the court concluded that because the attack by one nation state on another did not involve “traditional” warfare, the exclusion cannot apply. The basis of the court’s holding was not a lack of attribution – indeed, as detailed below a lack of attribution is a weaker argument than many contend. UNN-L-2682-18, that the Hostile/Warlike Action Exclusion in various property policies did not prohibit coverage for the NotPetya cyberattack launched by the military arm of the Russian Federation government against the country of Ukraine. On January 13, 2022, the Superior Court of New Jersey, Law Division, held in Merck & Co., Inc., et al.
0 Comments
Leave a Reply. |