by Vikki Spencer
Just days after the September 11
terrorist attacks the U.S. Federal Bureau of Investigation began warning the
public that the potential for future attacks exist, and among the threats was
that of cyber terrorism. The concept is not a new one, such attacks have been
taking place between Palestinian and Israeli groups, and between U.S. and
Chinese sources, in response to political conflicts. And now, in light of new
terrorism and cyber exclusions in insurance policies, commercial insurance buyers
are wondering how to protect themselves from the potential threat of today's
"hacktivists" becoming tomorrow's cyber terrorists, and weapons of
mass disruption turning into weapons of mass destruction.
February 2002 - Al-Qaida, (the
notorious terrorist group formed by Osama bin Laden, has not engaged in
computer-based attacks in the past. However, in the wake of the World Trade
Center (WTC) attacks, bin Laden has suggested that Al-Qaida has the expertise
to use computer technology as a weapon, reports Canada's Office of Critical
Infrastructure Protection and Emergency Preparedness (OCIPEP).
In response to reports from the
FBI about the potential threat of cyber attacks in the wake of September 11,
OCIPEP began issuing such advisories, and notes that "retaliatory cyber
attacks" against coalition countries, primarily in the form of website
defacements had already begun. In late November, the Canadian government helped
draft the Council of Europe's Convention on Cybercrime, an international effort
to deal with issues of terrorist financing, money laundering and cyber
terrorism.
The September 11 terrorist
attacks changed perceptions of the world's security infrastructure, and the
insurance industry's understanding of risk. What had once been inconceivable
was now reality and so began the process of imagining the unimaginable in terms
of catastrophic risks. Cyber terrorism, a heretofore unconsidered threat, was
suddenly put on the world stage amongst a host of new potential threats.
Digital Pearl Harbor
When the U.S. government's new
cyber terrorism expert, Richard Clarke, suggested the possibility of a
"digital Pearl Harbor", he was greeted with skepticism. The concept
of one, large-scale attack on the Internet seems far-reaching, despite the claims
of Al Qaida and other Muslim extremist groups who claim to, or are known to,
use the Internet as a tool. That said, there is ample evidence that politically
motivated hack attacks are on the rise, notes DK Matai, chairman and CEO of the
mi2g intelligence unit, which deals in cyber security.
Tensions between the U.S. and
China following the accidental bombing of the Chinese Embassy in Belgrade led
to a cyber conflict. In the U.S., key government sites, including the Energy
Department, the Interior Department and even the White House were targeted. The
Chinese domain, ".cn", and that of Taiwan, ".tw", became
the two most defaced domains behind ".com" last year. India (.in) and
Pakistan (.pk) saw similar increases in the number of web site defacements due
to political tensions.
Following NATO air attacks on
Serbia in 1999, hackers began to tap into U.S. defense computers and those of
other defense related businesses. And, since September 11, several high profile
U.S. government sites have been defaced, some bearing the Saudi flag and
threatening messages aimed at the U.S. The groups involved, sometimes called
"cyber mujihadeens", have hit sites including the U.S. Army Waterways
Experiment Station and the National Institute of Health's Human Genome Project.
Canada is not immune to the cyber
threat, experts say. Matai points out that the ".ca" domain
experienced a similar increase in defacements last year, with 215 hits, up from
59 in 2000 and 52 in 1999. He notes that many Canadian sites bear the
".com" domain, as well as ".org" and ".net", also
popular targets. Hits are similarly not aimed solely at government sites, he
adds. "Admittedly there is some bias of attacks towards high profile sites
such as whitehouse.gov or fbi.gov, however more and more attacks are on
commercial web sites."
"The 11 September attack had
an even deeper ripple effect: the temporary disruption of the entire U.S.
financial and transportation infrastructure," notes the OCIPEP report.
"If the terrorists did not fully anticipate these aftershocks, they can
see them clearly now. This raises the possibility that those responsible may
shift their sights away from primarily symbolic targets, such as heavily
populated buildings or sports stadiums, toward critical infrastructures."
There are about 10,000
"serious grade crackers" using original code attack systems, as
opposed to what Matai calls "script-kiddies", or hackers who rely on
ready-made tools. "In terms of defacement attacks on large corporations, attackers
penetrate the systems as multi-level attacks using subterfuge and social
engineering," he explains. Criticisms of lax electronic security are still
being heard, despite the growing awareness created by large-scale attacks such
as the "I Love You" and "Melissa" viruses, and worms like
"Nimda" and "Code Red". Criticisms of lax electronic
security are still being heard, despite the growing awareness created by
large-scale attacks such as the "I Love You" and "Melissa"
viruses, and worms like "Nimda" and "Code Red".
"My own opinion is that the
potential is there [for cyber terrorists to attack], everyone's networks are so
poorly protected, but no one has taken advantage of it," says Chuck
Wilmink, director of the Canadian Center for Information Technology Security
(CCITS).
A study by the U.S.-based
Computer Security Institute reports that 85% of companies admit to having their
networks breached in 2000, and 64% acknowledge significant financial losses due
to those breaches. A recent report by the U.S. Congress gave two-thirds of
American's federal agencies failing grades in cyber security, including the
departments of Defense, Justice, Energy and Treasury.
Similarly, in Canada, a 1999
Senate report pointed to the potential for a major cyber attack in Canada, and
admitted that the FBI has characterized Canada as a "hacker haven".
Perhaps fortunately, Canada is more often a base for hackers to attack other
countries, rather than a target itself. "Canadian hackers have
traditionally tended to attack outside of Canada as opposed to within,"
says Matai. He notes that Canada's quieter political demeanor means that it is
less often viewed as a target. ".ca Canadian sites are less vulnerable
than .com or .uk because Canada is not seen to be so aggressive on the world
stage."
"I really don't think we've
ever considered Canada to be at the same threat level (as the U.S.)," says
Max London, manager of public affairs for OCIPEP. However, OCIPEP has issued
the FBI warnings post-September 11, giving companies advance warning in the event
of a cyber attack. Ultimately, London explains, corporations are responsible
for their own security systems.
He notes that OCIPEP is aware of
"hacktivist" activity in Canada, specifically "around some of
the larger meetings", such as the G-8 Summit or World Trade Organization
meetings. However, these are a far cry from the threat by a foreign government
or terrorist organization that might harm Canada's critical infrastructure,
including systems that support communications, transportation and services such
as health care and finance. With the "increasing dependence and increasing
interconnectivity" of such systems comes a greater risk, however. In the
past, OCIPEP has been involved in public awareness campaigns around threats
including the "Code Red" worm, which was viewed as "a very real
threat to the Internet", and has worked with the U.S. National
Infrastructure Protection Center (NIPC), an FBI operation, to disseminate
infornation. The NPIC issued warnings in mid-October of a potential cyber threat
aimed at the U.S. power grid, and yet another aimed at online financial sites.
Insurer reaction
Canada's insurers have been
jumping into the terrorism risk fray since September 11, trying to understand
what exposures they might face in the future. Just as no one predicted the
events that represent the largest insurance loss in history, there is fear of
what other unforeseen risks may lie ahead.
As insurers met through the
Insurance Bureau of Canada's (IBC) terrorism task force to discuss the new risk
horizon, cyber threats were one possibility on the table, says Anne MacKenzie,
assistant vice president, claims technical, at the Dominion of Canada General
Insurance Company and a member of the task force. She adds, however, that they
did not top the list of concerns for several reasons, including the notion that
terrorists generally tend towards visible, high profile acts. "It's
usually physical acts of terrorism," she says. "Terrorists like to
put the population at fear." OCIPEP also notes that terrorists have traditionally
relied on "bombs over bytes" as the weapon of choice.
Cyber terrorism has not dominated
discussion of electronic risks, adds Jennifer Soper, assistant vice president,
technology, at St. Paul Canada. Most of the talk seems centered around the major
viruses that have plagued companies. This is partly because many companies do
not see themselves as targets for such acts. "When you're not in the
Fortune 500 or brand name companies, you can get an 'it can't happen to me',
almost false sense of security."
She adds that companies often do
not discuss the nature of attacks, and still have a "keep it in the
closet" attitude about cyber security breaches. The benefit is that this
policy of silence denies attackers the desired result of publicity. However,
terrorists may soon find that cyber attacks will gain them the same kind of
notoriety as physical attacks, MacKenzie adds. "Nothing would scare people
more than to learn that terrorists had hacked into government sites".
Exclusions, exclusions
Commercial insurance buyers are
no doubt facing a tough market in the post-September 11 era, although the
situation was already beginning to grow bleak prior to the terrorist attacks.
Reinsurers had already stated their intention to introduce cyber exclusions into
their treaties, leaving insurers to follow suit.
However, insurers assert that
cyber or "data" coverage was never really part of commercial general
liability (CGL) policies. In light of the potential for differing
interpretations (such as the U.S. case of Ingram v. Micro, where it was found
that business interruption due to computer failure should be included in CGL
policies), more specific wording was added to most policies. "The data
exclusion was just a clarification to make sure consumers knew what they were
buying, there never was coverage for data," explains MacKenzie. This
clarification is apparent in most policies as of yearend 2001, adds Dominion
president George Cooke. "Our view is that the wordings don't do anything
the old wordings didn't do, they're just clearer."
However, the wordings have left
many companies scrambling for coverage, Soper says. "What is available is
not widely available." Companies will either have to negotiate coverage as
a limited buy-back option in existing policies, or hunt it down as a separate
policy from another carrier. "In terms of coverage, if there is anything
going on it is on a customer-by-customer level. It has to be." Given the
difficulty in quantifying cyber risks, there is no "one size fits all"
policy.
Cooke says he is concerned with
the lack of cyber coverage available, but acknowledges that insurers simply are
not in a position to offer it. "It's a situation that troubles me. But we
can't buy coverage [in the reinsurance market], so it's impossible for us to
offer it."
September 11 did not help the
situation either. He predicts that notwithstanding the terrorist attacks, cyber
coverage would have been a top issue for insurers, but given the shift in
priorities, insurers were unable to come up with private market capital solutions
in advance of yearend commercial policy renewals. "September 11 kind of
eclipsed concerns over whether we should be developing new products to deal
with cyber risks," says MacKenzie. However, she adds, "we will want
to revisit it" in the future.
Overriding concern
Regardless of new cyber covers,
with the current terrorism exclusions being written, any act deemed as
"cyber terrorism" would not be covered, as the terrorism exclusion
would be overriding. In the wake of September 11, with reinsurers refusing to
cover terrorism in their treaties, insurers were forced to either introduce
similar exclusions in their policies or to negotiate a deal with the
government, which would act as excess of loss reinsurer through a
"terrorism pool" arrangement.
By yearend, no such pool had been
devised, despite lengthy discussions between IBC representatives and the
government. "The nature of the discussions evolved as the market
evolved," says Cooke, who is also chair of the IBC. "The decision was
taken to wait. It was probably a smart decision."
The U.S. government's inability
to come to a solution prior to breaking at the end of the year was among the
contributing factors. Cooke recognizes that it was "politically
difficult" for the Canadian government to come forward with a solution
before the U.S., given the fact that the situation was not of the same scale
here. This situation may change as the U.S. House reconvenes in late January.
"People have said that the government wasn't prepared to act, but I don't
buy that," he adds. "Minister Peterson and the staff in Finance were
seriously engaged in discussions and are prepared to act if the need
arises."
The need for a solution may not
be quite as pressing as originally thought, with renewals moving along despite
the lack of a solution, and the fact that many commercial policies on target
risks have not yet reached renewal.
However, Cooke still feels a
solution is needed. The government has consulted with other associations, most
notably the Canadian Bankers Association (CBA), who claim that there is no need
for the coverage. "I think they're wrong," Cooke says, but their
resistance makes it difficult for insurers to press for a solution. He is most
displeased with the view that insurers are looking for a "bail out".
"We are not doing an 'Air Canada' here. We're more than prepared to take
our pains for our past sins." But without reinsurance coverage in place,
it is not economically feasible for insurers to offer the coverage.
The terrorism task force was
"driven by the sudden recognition that there was now infinite risk and
infinite exposure and that wasn't economically sustainable," says
MacKenzie. "It [terrorism coverage] isn't anything we could write even if
we wanted to."
With no cap on the exposure,
insurers would be leaving themselves open to unquantifiable risks, a situation
that extends into the domain of cyber terrorism.
"Putting a box around the
exposure" or quantifying the risk is especially difficult with cyber
risks, says Soper.. "The 'net is worldwide. It is difficult to know where
it (an attack) is going to come from, and how it's going to come."
She adds, "It's hard when
you're an industry that likes to put dollars and cents to things. There's just
no history. You can't go into the archives and pluck out something and say
'this is going to work for me today'." September 11 was a
"humbling" experience for the industry, says MacKenzie, and as the
industry learns more about that event, "we realize we don't know about all
the risks". Prior to September 11 "there was a sense that we could
talk about 100-year events and worst case scenarios...everyone's trying to come
up with scenarios, however, the end of the conversation always comes to the
same conclusion, we just can't imagine."
Source: http://www.crime-research.org/library/mi2g.htm
Comments