International Agreement for Control of Cyber Weapons

The FBI Report on Russian Hacking

2016 The Year of Cyber War 0.7

Is Interference in Campaigns “Cyber War”?

2016 was the year of cyber war, and we will call it “cyber war 0.7” because it was not a complete cyber war in the proper sense of the word. The most remarkable event was the role of WikiLeaks in the election for the president of the United States. WikiLeaks published a large number of emails from the Democratic National Committee. These emails indicated a certain level of untoward behavior on the part of the leadership of the Democratic committee, and as a result there were various personnel changes in the Democratic National Committee.

The emails seemed to indicate a number of activities that the opposition considered improper. Although these activities were not reported upon widely in the mainstream media, they nevertheless seemed to have a decisive effect on the election. The connection between the leak of these emails and the election found its nexus in the investigation by the Federal Bureau of Investigation. In particular, less than two weeks before the vote, the FBI announced that it was re-opening its investigation of the Clinton emails. According to most commentators on the Democratic side, this specific action by the FBI was primarily responsible for Hillary Clinton’s loss in the election. The opposition claimed, however, that the real reason she lost had to do with her policies on industry and foreign trade. It is difficult to know what all of the reasons were, but the discussion regarding the role of WikiLeaks, and the role of cyber warfare in the election, has continued.

US Retaliation Against Russian Diplomats

After the presidential election but before the inauguration of the new administration, President Obama announced that the United States would be taking retaliatory action against the Russian Federation. This retaliation involved the expulsion of 35 diplomats and their families from the United States within 72 hours. At the same time, the Russians were forced to abandon two facilities that they had been operating for more than a quarter of a century. An additional hardship imposed upon the Russians was that this expulsion came only a few days before the New Year’s celebration, which in Russia, as in so many other countries, is a major holiday. The representative of the Russian Federation in San Francisco stated that the cook for the New Year’s festivities had been expelled from the United States. He lamented publicly on television that because of this it would not be possible for the consulate to invite the large number of American guests, as was customary.

At this time, it still is not clear exactly what role the Russian Federation had in the release of the emails. For example, Julian Assange, the head of WikiLeaks, has stated on numerous occasions, including today in a live interview on the Fox News Channel, that the Russian Federation government had absolutely no connection to the release of the emails. In spite of these numerous denials, many still argue that it was the intervention of the Russian government in the presidential election that was responsible for the election of Donald Trump as the 45th president of the United States.

During this past week, there also was a report that malicious code associated with the Russian Federation had been found inside the electrical grid in Vermont. This news item turned out to be false: the code was found on a single utility laptop that was not connected to the grid’s control systems.

The Chinese Office of Personnel Management Hack

There were many other significant events involving cyber warfare or cyber espionage. One of the most significant was the breach, disclosed in 2015, in which a group operating from the People’s Republic of China hacked into the personnel records held by the U.S. Office of Personnel Management, covering more than 21 million current, former and prospective federal employees and contractors. They took a large amount of extremely confidential information, including the background investigation and security clearance files of these people. What is peculiar about this incident is that the Obama administration did not take the type of harsh countermeasures that it took in the case of the alleged Russian hacking of the US election.

Terrorists’ Use of Social Media

A third major theme of cyber warfare during 2016 was the role of ISIS propaganda in recruiting terrorists around the world. These recruitment efforts have been very successful, particularly in Europe. During this year Europe has seen a dramatic increase in terrorism and has lost a large number of people, and in general the situation seems to be getting worse. In spite of this rise in deaths from terrorism, Europe still seems to be refusing to place any controls on the propaganda coming from the Middle East. Placing controls on information is very difficult because it runs directly against the principles of freedom of speech and freedom of communication incorporated into the Universal Declaration of Human Rights. Unfortunately, we can also see that international declarations are not the same as binding international law.

We can say confidently that the year 2016 was one in which all aspects of the cyber issue came to the forefront in the international news. We can also say that during the coming year we should continue to see an escalation of problems in the cyber domain.

This blog continues to maintain the position that until there is a very significant outage or Internet crisis which affects a number of countries at the same time there will not be any recognition of the need for an international agreement to limit the proliferation and development of cyber weapons.



Insuring a Cyber 9/11


Cyber insurance has emerged as a dynamic and growing sector; in the United States alone, forecasts put annual premiums at more than $10 billion by 2020. Almost without exception, cyber insurance is written for individual organizations, usually corporations. There is a growing risk, however, of a giant cyber catastrophe in which the failure of one information system triggers a chain reaction between firms, leading to a massive systemic breakdown across entire sectors of the economy. If this happens, it will provoke a crisis across the insurance industry, not unlike the effects of the 1906 earthquake in San Francisco.

[These are a set of notes compiled from a recent Infragard meeting. This blog entry is copied from a pdf file, so there may be glitches in the formatting in a few places.]

1 The landscape of cyber risk

By 2013, cybercrime had a global impact of more than $3 trillion, making it larger and more profitable than the world’s drug trade.[1] In the UK, 55% of businesses report having been hacked, and worldwide 36% report the same. In 2015 there were around 80,000 cyber security incidents, and in 2,100 of those cases significant amounts of data were lost or compromised.[2]

The FBI reports that 12,000 corporations have fallen victim to email money-transfer scams (business email compromise), and the cost of this fraud alone is $2 billion a year.[3] The corporate controller of Scoular, an established grain trading and storage company, was tricked by fake emails into wiring $17.2 million to an offshore bank account. In January 2015, Xoom was tricked into transferring $30.8 million to an overseas account. Ubiquiti Networks was tricked into transferring out $46.7 million.[4] Table 1 on the following page shows a few of the largest hacks.[5]

These numbers are suspect, because most corporations never report a cyber incident. Most companies have tremendous incentives not to report, for fear their reputation will be damaged. Since these giant dollar amounts cover only the cyber incidents that are reported, they probably represent less than 1/4 of the actual problem. Most believe the actual number of serious cyber incidents is much larger, even 2-3 times larger.

Ransomware. There are so many different types of cyber attacks that it is difficult to list them all, and any list would soon be obsolete. One new trend is so-called “ransomware”, which encrypts all of your enterprise data and then demands money for the key to unlock it.[6] Ransomware is becoming more common, and companies thus far have failed to develop any effective way to prevent it; the most reliable defense remains tested, offline backups and a rehearsed restore procedure, so that an infection becomes an outage rather than an extortion. The recent trend is for the extortion payments to be made in Bitcoin,[7] a pseudonymous virtual currency that is difficult, though not impossible, to trace. It appears that 2,453 ransomware incidents were reported to the FBI in 2015, and about $24 million was paid out. This is for the United States alone, and this data only covers what was reported.[8] Ransomware is good business. A full set of stolen medical data on an individual can go for up to $50 on the black market. Hollywood Presbyterian Hospital in Los Angeles paid a ransom of $17,000 in bitcoin to get its data back.[9] To create a phishing page and mass spam email costs $150. Good crypto ransomware costs about $2,000 on the dark net. So at ransoms of a few hundred dollars each, only about eight victims need to pay to make a profit. The Cryptowall ransomware earned more than $18 million in 2014, but again that is only what was reported.[10]

PII. Loss of personally identifiable information (PII) can have serious consequences. In the Ashley Madison breach, the embarrassment was linked to two suicides. In the breach of the U.S. Office of Personnel Management by a foreign intelligence service, believed to be that of the People’s Republic of China, highly detailed information on persons holding or applying for a U.S. government security clearance was revealed. The national security consequences are incalculable.[11]

Botnets. Botnets[12] have shown the ability to marshal millions of compromised computers in a single attack.[13]

Some organizations have funded serious research to assess cyber risk. For example, cyber is now part of the formal work of risk managers at the London Stock Exchange Group,[14] and the same is echoed in other financial centers around the world.

There are many efforts underway to prepare for major data breaches. Companies recognize they are increasing in frequency, but most data breach preparedness programs fail to deal with all aspects of a cyber incident.

There is little faith that companies will be able to deal with the consequences of a data breach. Plans on the books are not considered effective, one reason being that they are not regularly reviewed or exercised. More training and awareness are needed, and top management needs to be more involved.

In many companies, a number of different managers are responsible for management of a data breach, including a) the Chief Information Security Officer; b) the Compliance Officer; c) the Head of Business Continuity Management; d) the Chief Information Officer; e) the Chief Risk Officer; f) the Chief Security Officer; sometimes g) the Head of PR and Communications; h) the General Counsel; i) the Chief Privacy Officer; or j) Human Resources. Around 1/4 of companies do not have a person designated to handle a major data breach.[15]

The reality is that no information system is safe; there simply is no perfect information system anywhere. For those organizations that invest in penetration testing, the results are more or less always the same: every system is vulnerable. Given a determined effort, any system can be broken. Since there is no invulnerable information system, and this fact is combined with regulatory and litigation costs, it is easy to see why cyber insurance is a boom market. At least for now.

1.1 Classification of Loss

We can divide operational losses into four classes: a) Intangible; b) Tangible; c) Operational; and d) Litigation.

Intangible. Loss of intellectual property such as a) compromise of patents; b) illegal reproduction of copyrighted material; or c) theft of trade secrets. These losses can have downstream effects such as competitive displacement (loss of position in the market). There also can be significant compromise of the organization’s reputation, which sometimes has a disastrous effect on market valuation.[16]

Tangible. A cyber attack can result in the real loss of goods and services.[17] For example, shipments of goods might be diverted, or money might be stolen. More seriously, cyber attacks can compromise the physical infrastructure of a building or other installation, e.g., a nuclear power plant, resulting in extraordinary damage.[18] Hacking to steal cash is a major criminal activity in cyberspace.[19]

Operational. Any cyber incident is a traumatic event for IT personnel, and can be a career-ender. Systems must be restored to working condition. There can be a number of costs for this, both direct and indirect, including: a) diagnosis and forensic investigation for fault determination; b) restoration from the most recent reliable backup; c) replacement of hardware that has been completely disabled; d) preservation of evidence in case of a possible investigation by law enforcement; e) hiring of external consultants and others to help with clean-up; and f) lost business during the interruption. Post-incident actions can take weeks or even months to complete.

Litigation. In a 15-month period spanning the end of 2014 and 2015, 240 firms in the United States filed data privacy lawsuits and 70 firms filed data breach suits.[19] Organizations face substantial risk of litigation in several dimensions: a) Federal and state regulatory authorities who seek to impose penalties; b) consumers or others who file a class action suit in order to recover damages, or even potential damages; and c) other third parties (not a class of plaintiffs) who are damaged by the cyber incident. The Federal and state penalties vary greatly, but if the maximum allowable penalty is reached the results can be substantial, and can even result in bankruptcy. The damages obtained in a class action suit can be devastating, and even if there is no finding of fault, the litigation costs alone in defending against these suits can be very large.

Table 3 on the next page summarizes a few of the calculations that might be made for a cyber incident at a corporation.[20] Which costs are the largest will depend on the particular circumstances of the enterprise. For example, the loss of personal information such as customers’ credit card numbers, social security numbers or addresses can easily trigger a gigantic class action suit that eventually results in very large damages.[21]

2 Regulatory Risk

There are three dimensions of risk from a legal and regulatory perspective. First, there is a rising threat of class action suits that a cyber crime victim must endure; second, there are a number of enforcement actions at the Federal level that seek to impose substantial fines;[22] and third, similar regulatory issues are found at the state level. See Table 4 on the following page.

In the past ten years, around 543 million records have been lost in over 2,800 data hacks. Approximately $13.3 billion was lost by consumers in 2010 alone.[23]

In the 15-month period from the third quarter of 2013 until the third quarter of 2014, 110 class action suits were filed against 25 unique defendants, which means that companies often face multiple class action suits at the same time. Around 80% of class action suits were aimed at retailers, who accounted for only 14.5% of publicly reported data breaches. Up to 24 different legal theories were used to justify these suits, including a) negligence; b) unfair, deceptive or abusive acts and practices (UDAP); c) breach of contract; d) failures of data breach notification (required by Federal and state statutes); e) unfairness; f) invasion of privacy; g) unjust enrichment; and others.[24]

Any organization that sustains a cyber attack may find it must respond to all three risks at the same time: a class action suit, a Federal investigation with the threat of fines, and legal and regulatory action at the state level. Any one of these dimensions of risk can lead to debilitating costs; all three simultaneously can be a catastrophe.

It is interesting to note that the Health Insurance Portability and Accountability Act (HIPAA), the Fair Debt Collection Practices Act (FDCPA), the Electronic Communications Privacy Act (ECPA), the Video Privacy Protection Act of 1988 (VPPA), the Computer Fraud and Abuse Act (CFAA) and the CAN-SPAM Act of 2003 were the least used theories in these suits.

2.1 Standard of Care.

The term “standard of care” is a legal concept used in determining whether or not a party is negligent, and thus subject to a tort action. In general, if the defendant can show that they have met a reasonable standard of care, then they are not negligent.[25]

A number of FTC actions[26] have resulted in settlements with corporations, and these settlements are summarized in a consent decree.[27] A common element of these settlements is that the corporation recognizes a duty to establish, implement and maintain a “comprehensive privacy program” that is “reasonably designed” to address risk. This program typically includes a) designation of accountable employees; b) identification of foreseeable risks; c) design and implementation of “reasonable privacy controls and procedures” to address reasonably foreseeable risks; and d) development and use of “reasonable steps” in retaining security vendors.

A problem is that there is no clear path an organization may take to meet the necessary “standard of care”. There are a number of standards that may apply. For example, a) there may be specific laws in place that define clearly how information must be handled, such as HIPAA,[28] GLB[29] and SOX[30] in the United States; b) there may be a number of state laws that determine when consumers or others must be notified of a cyber incident and how consumers and their information must be protected; c) there are numerous other regulations and guidelines; d) companies can use recognized industry standards; or e) they can adopt best practices determined by a community of their peers. In addition, there are recognized cyber security frameworks from organizations such as NIST[31] and ISO.[32]

2.2 Emerging Case Law.

Particularly when faced with the threat of a class action suit, many companies fold. Especially after the legal fight that leads to a class action being “certified”,[33] many companies simply give up and settle. Sony settled for $15 million when its PlayStation Network was compromised. St. Joseph Hospital settled for $28 million.[34] Many industry observers argue settling is a bad idea because it simply invites further litigation.

Liability without negligence. A number of cases, both decided and still sub judice, send a mixed message regarding potential risk going forward. One important trend is the more active role of the U.S. government in extracting penalties from organizations that are hit by cyber attacks: the company gets blamed. How the Federal Trade Commission (FTC) obtained its statutory authority to go after hacked companies is peculiar. In the Wyndham Worldwide case,[35] it was ruled that the FTC has authority to regulate a corporation’s cyber security, based on the unfairness language in § 5 of the FTC Act.[36] At first glance it appears somewhat astounding that vague language such as “unfair” and “deceptive” can be used to open up a gigantic regulatory enforcement area in cyber litigation. In other words, a company that is hacked is deemed to have engaged in “unfair” practices if its security was not reasonable. To many this appears to be blaming the victim.

There are even more surprises. The law in the United States is not settled. There is currently a disagreement between different circuits[37] regarding whether or not identity theft is actionable if the plaintiffs are unable to show any harm. See Table 6. In one Federal Trade Commission (FTC) case, the Administrative Law Judge (ALJ) ruled against imposing penalties on a corporation that had been hacked because the FTC had “failed to demonstrate that consumers had suffered concrete injury from two data breaches”. Although it is a fundamental principle of jurisprudence that penalties should not be imposed without a demonstration of harm,[38] this case is being appealed, and according to experts the ruling likely will be overturned.[39] If it is overturned, companies will risk having large fines and penalties imposed by the FTC even if there is no showing of harm from the data breach they suffered.

Cyber risk is challenging to understand because it has three dimensions. First, it is based on complex technological systems that can be understood only by teams of highly trained engineers; second, there are a number of regulatory rules that bring about severe financial penalties for any organization that suffers a cyber incident; third, the clean-up operational costs that a compromised organization must endure can be vast and have a very long tail. Losses caused by a cyber incident can be substantial but are not necessarily easy to calculate. So given the regulatory and technological uncertainty, understanding the fully loaded risks in this segment of the insurance market is difficult.

This suggests the following conclusions on the regulatory side:

  • There is a substantial risk of suffering large financial losses from penalties and tort damages even if there was no harm.
  • It might be less expensive to simply settle a suit than to fight it out in the courts and risk an even higher loss.
  • It is not necessary to be negligent or careless in order to face large penalties, because there is no clear standard of duty for maintaining information systems and penalties can be imposed regardless of the cause.
  • The trend towards liability without proof of harm is troubling.

3 San Francisco earthquake 1906

The world’s insurance industry has a track record of reasonable management, stability and growth that is occasionally interrupted by surprise, chaos and near collapse. The explanations for this phenomenon of repeatedly falling into a risk trap vary. But two inter-related phenomena appear to have transformed the risk landscape for the insurance industry.

Urbanization. The gradual concentration of human activity into gigantic urban centers has compressed multiple institutions, infrastructures and persons into relatively small geographic areas;

Complexity. This urbanization has been made possible only by stellar advances in technology. But these technologies create a vast web of inter-connections and dependencies between different social and infrastructure systems, and interdependencies can be a platform for a cascade or “chain reaction” of events.

Losses keep getting larger. In 1970 they were only a few billion, but in 2010 there were economic losses of more than $400 billion, of which only around $125 billion were insured.[40] Nevertheless, during 2015, the insurance industry “has proven to remain functioning and stable in the midst of an often challenging economic and financial environment”.[41]

The earthquake that destroyed San Francisco in 1906 was a near disaster for the world’s insurance industry. Hundreds of buildings were insured for earthquake coverage. Each owner had a separate policy; everything was compartmentalized. Like today, residents of San Francisco were prepared for a small tremor once in a while, or even some minor damage, but nothing terribly serious. And the insurance policies had been written with this in mind.

But in 1906 the type of event that comes along rarely visited its wrath on that fair city. First, the earthquake was severe enough to collapse both small and medium-sized buildings. Then the earth made even larger displacements. San Francisco had invested heavily in infrastructure, one improvement being the provision of natural gas for lighting and heat. But the movement of the earth was too great. The gas mains broke, and it did not take long for fire to break out. Pictures of the time show the horrible scale of the disaster. See Figure 3 on the following page.

Although concrete, brick, steel and mortar were being used in larger structures, the vast majority of buildings were made from the wood of the generous forests still covering the surrounding countryside. Wood burns. The buildings burned, and burned, and burned. For all practical purposes, most of San Francisco simply burned to the ground. Everything was destroyed: tens of thousands of buildings and all their contents. One of the great disasters of the century, or of all time.

The Call-Chronicle-Examiner newspaper of April 19th, 1906 said it all in its headlines: “Entire City of San Francisco Danger of Being Annihilated”; “Big Business Buildings Already Consumed”; “30,000 Smaller Structures Swept Out and Remainder are Doomed”; “Panic-Stricken People Flee”; “Heartbreaking Scenes at the Pavilion”; “Loss is $200,000,000”; “San Jose is Ruined”; “Earthquake and Fire, San Francisco in Ruins”; “No Hope Left for Safety of Any Buildings”; “Whole City is Ablaze”; “Church of Saint Ignatius is Destroyed”; “Buildings are All Ruined”; “Newspaper Row is Gutted”; “Theaters Ruined”; “Residences Burning”; “Dead in Street”.[42]

Insurance claims. As the insurance claims started to come in, it quickly became clear that the primary carriers were going to be far over their limits. That is when the reinsurance treaties were activated. The shockwave of liability reverberated all the way back along the treaty chain to Munich, Zurich and London. The amount of damage was greater than the entire state budget of California.

Something had to be done to limit the liability and reduce the payouts. One of the first responses from the insurance community was to attempt to draw a distinction between earthquake insurance and fire insurance. Policyholders were told that although their earthquake insurance claims would be honored, these “were not related to fire insurance, and would not cover damages for fire”. At first it seemed the law was on their side, in particular Clayburgh v. Agricultural Insurance Company of Watertown, N.Y., and Pacific Heating & Ventilating Company v. Williamsburgh City.

As can be expected, once word got around that the insurance companies were attempting to renege on their payouts, there was a public uproar.

The California legislature got involved. Without going into details, we can sum up the situation as follows: it soon became clear that if the insurance companies involved wanted to continue to do business in the United States, they would have to make the payouts.[43]

4 Cyber Insurance

Even though premium rates are “firming”,[44] the insurance sector is cautious about cyber. Michel Liès, who recently retired as chief executive of Swiss Re, stated that insurance companies were finding it difficult to understand future claims for cyber.[45] Julian Enoizi of Pool Re agrees that a better model is needed to understand the business of cyber insurance. The insurance broker Marsh, in the UK, has hired the former head of GCHQ[46] (the British counterpart of the NSA) to draft a study of the cyber resilience of London’s financial community.[47] Nickel [33] created a high-level model of cyber risk: L = F × E × S, where L is the total cyber risk loss for an insurance client; F is the frequency, or number of attacks per unit of exposure; E is exposure, which interestingly is defined as the number of staff with unencrypted access to customer data; and S is severity, defined as the average size of loss per attack. These values are estimated across a number of different attack types, including a) viruses, worms and trojans; b) malware; c) stolen and lost devices; d) botnets; e) web-based attacks; f) phishing and social engineering; g) malicious code; h) malicious insiders; and i) denial of service.

But this type of effort does not consider wider system effects. Major reinsurance companies are working on a Global Earthquake Model (GEM) that examines a number of inter-connected effects with “a unified framework for seismic hazard and risk modeling, data collection, and risk assessment at local to global scales”. There is no evidence of a Global Cyber-incident Model (GCM) being developed.[48]
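To make the F × E × S model and its blind spot concrete, here is a toy Python model added to these notes. It is not code from Nickel [33] or from the original document, and every attack-type parameter, exposure figure and the shared-vendor scenario in it is a constructed assumption, not data from the page. It first computes the Nickel-style expected annual loss for one client by summing F × E × S over attack types, then simulates a ten-client portfolio two ways: with each client’s losses independent of the others (the per-organization view in which cyber policies are written today), and with an added low-probability event in which one vendor shared by all ten clients fails and every client is hit in the same year (the kind of cascade the GEM analogy asks about). The mean annual loss, which is what a premium is built on, barely moves between the two cases; the 99th-percentile annual loss, which is what the insurer must hold capital against, jumps.

```python
"""Toy cyber-loss model, added as an illustration (not from Nickel [33] or the
original notes).  It computes the L = F x E x S figure per attack type and then
simulates a small portfolio of insured clients two ways: with every client's
losses independent, and with a shared-vendor event that hits all of them in the
same year.  Every parameter below is an assumed, constructed value."""
import math
import random
from statistics import mean, quantiles

# Constructed per-attack-type parameters (assumptions, not from the page):
#   F: attacks per year per unit of exposure (one exposed staff member)
#   S: average loss per attack, in dollars
ATTACK_TYPES = {
    "phishing_social_engineering": {"F": 0.20, "S": 40_000},
    "malware":                     {"F": 0.10, "S": 60_000},
    "stolen_lost_devices":         {"F": 0.05, "S": 25_000},
    "denial_of_service":           {"F": 0.02, "S": 150_000},
}


def expected_loss(exposure, attack_types=ATTACK_TYPES):
    """Nickel-style expected annual loss for one client: the sum over attack
    types of F * E * S, where E is the number of staff with unencrypted
    access to customer data."""
    return sum(p["F"] * exposure * p["S"] for p in attack_types.values())


def poisson(rng, lam):
    """Knuth's method for a Poisson(lam) count; fine for the small rates here."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_portfolio(exposures, years=5_000, shared_event_prob=0.0,
                       shared_loss_per_staff=0, seed=1):
    """Annual aggregate loss across all clients for `years` simulated years.

    Per client and attack type the attack count is Poisson(F * E) and each
    loss is lognormal with mean S, so the long-run mean matches expected_loss.
    If shared_event_prob > 0, a single shared-vendor failure can also hit
    every client in the same year, costing shared_loss_per_staff per exposed
    staff member (a toy stand-in for the cross-firm cascade).
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for e in exposures:
            for p in ATTACK_TYPES.values():
                # lognormal with sigma = 1 and mean S needs mu = ln(S) - 1/2
                mu = math.log(p["S"]) - 0.5
                for _ in range(poisson(rng, p["F"] * e)):
                    total += rng.lognormvariate(mu, 1.0)
        if rng.random() < shared_event_prob:
            total += shared_loss_per_staff * sum(exposures)
        totals.append(total)
    return totals


def summarize(totals):
    """Mean (what a premium is built on) and 99th percentile (what the
    insurer must hold capital for)."""
    return {"mean": mean(totals), "p99": quantiles(totals, n=100)[98]}


if __name__ == "__main__":
    clients = [20] * 10   # ten insured clients, each with 20 exposed staff
    print("analytic expected loss, one client with E=20:", expected_loss(20))
    indep = summarize(simulate_portfolio(clients))
    corr = summarize(simulate_portfolio(clients, shared_event_prob=0.02,
                                        shared_loss_per_staff=50_000))
    print("independent clients:      ", indep)
    print("with shared-vendor event: ", corr)
```

With the constructed numbers, one client with E = 20 has an analytic expected loss of $365,000, and the simulated independent portfolio averages close to ten times that. Adding a 2%-per-year shared-vendor failure raises the mean by only a few percent, but roughly doubles the 99th-percentile year, which is exactly the gap between pricing each policy alone and modeling the sector-wide event these notes are about.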

Nevertheless, in spite of these cautions, protection from the cost of cyber attacks is a growing form of insurance. By the end of 2014 at least 60 companies were offering it.[49] It is popular primarily in the United States and in 2016 has gross premium income of between $2 and $3 billion. This is expected to rise to more than $10 billion by 2020, a CAGR of more than 40%.[50] Similar optimistic forecasts ($25 billion by 2025) have been made by the insurance broker Willis Towers Watson.[51] There are warnings, however, that many underwriters are writing cyber premiums that are “very thin”.[52]

Apart from caution on the part of providers, there are other barriers to cyber insurance. Many businesses state they “don’t need” coverage. Around a third think they are covered already under other policies. A tenth complain that premiums are too high. And the insurance on offer may not match needs: only 18% of policies cover cyber extortion, such as ransomware; more than half of insurers and insurance agencies do not have dedicated cyber risk teams; and more than ninety percent of companies offer cyber only as an endorsement on existing policies.[53] See Table 7, based on Nickel [33].

Identify exposure. According to AIG,[54] the first step in considering cyber insurance is identification of possible exposures. Factors to consider include:

  • Handling of confidential information. This is divided into two parts: a) employee information or other confidential information that concerns the internal operations of the firm; and b) client information, meaning any information that is confidential, personal or commercial in nature.
  • Storage of information. This includes both paper and electronically stored information. The corporate information is examined to determine what parts are controlled internally and what parts, if any, are outsourced to vendors. This is crucial, because if one of your IT service vendors suffers a breach of your confidential information, your corporation is still held responsible. This type of event also raises insurance issues, e.g., coverage for the actions of third parties.
  • The nature of the corporate web site. The content of the web site is examined to find any potential liabilities. Another important factor is whether a) employees or b) third parties are able to upload content to the site, such as blog posts, pictures or comments on different topics. The reality is that the enterprise can sometimes be held responsible for content uploaded by third parties.

Cyber event scenarios. The compromise of corporate information can arise from either internal or external forces. Internally, your own employees might become involved in theft of information; card skimming is an example of this type of abuse. There may be instances of negligence, for example when an employee loses a laptop, smartphone or tablet that contains sensitive information. And as mentioned earlier, your vendors (considered “internal”) might be the source of a compromise.[55] Here a question arises as to whether there is a system of indemnification between your organization and a vendor being relied upon. To determine this, the vendor contracts must be examined. Do not be surprised if the vendor’s contract has excluded the possibility of indemnification.

Externally, the organization faces a number of adversaries, including individual hackers, organized crime and even the cyber espionage agents of foreign governments. Much of this activity is concerned with theft of information: stolen customer or health records can be sold on the black market. Hackers can also plant malware to disrupt systems, or to act as hidden agents for later theft of information. In the UK, for example, one satellite TV vendor destroyed the market position of a competitor by breaking its encryption, making it possible for consumers to access the competitor’s signals without paying. Some viruses and malware do harm without any specific benefit to the writer, but most malware today is written for profit. External hacking can also disrupt a business, and as we mentioned elsewhere, ransomware can be used to extort vast sums of money. So considering both internal and external sources of disruption, there are a number of different scenarios an organization must be prepared for.

Getting insurance for cyber-related business interruption (BI) currently is the strongest driver of increased demand for cyber insurance. Other important coverage drivers of demand include a) Regulatory defense expense; b) Computer fraud; c) Funds transfer fraud; d) Cyber-related contingent business interruption (CBI); e) Cyber extortion; and f) Internet media liability. Insurance carriers sell a) standalone policies; as well as b) endorsement56 policies. Most cyber endorsements are written for Errors & Omissions (E&O). Other endorsements are for a) Other professional; b) Directors and officers liability insurance (D&O); c) Business-owners Policy (BOP); d) Crime; e) General Liability (GL); f) Healthcare medical malpractice; g) Lawyers professional; h) Property; and i) “other”.57

4.1 Types of Cyber Insurance Coverage

There are two types of cyber insurance coverage available: Third party and first party.

Third party. Third-party coverage pays amounts the organization owes to others as a result of a cyber incident. Examples of third parties include government agencies, which may impose fines; individuals who may sue in tort for the downstream effects of an incident; and other businesses that may be harmed by an incident the organization is responsible for. A good example is a privacy event in which confidential information leaks out. Any organization has a duty to protect confidential information, whether it is in printed form or online, and failure in this duty can violate Federal or state statutes. Loss of customers’ credit card data, for example, also puts the organization in breach of the Payment Card Industry Data Security Standard (PCI DSS), which is not a statute but a contractual standard enforced by the card brands and acquiring banks through fines and the loss of the ability to accept cards. And as discussed elsewhere, a single incident can trigger Federal, State and consumer tort actions all at the same time.

First party. First-party coverage is aimed at helping the organization that has itself become the victim of a cyber incident. Depending on what is involved, the potential liability of the aggrieved firm might change drastically. Some of the covered items in this line of insurance might include: a) Consultation costs. Experts might be brought in to examine what has happened. Legal experts may be consulted to understand further the potential liability of the firm, and to take a leadership role in crisis management. Legal counsel may well be needed to assess liability and to minimize further exposure to risk. b) Forensic experts might be brought in, first to determine how the cyber incident occurred, and then to advise on what steps need to be taken to recover and restore the system in a way that avoids further damage. c) State mandates may compel the organization to notify all affected parties of what has happened. Depending on the numbers involved, notification can be a giant exercise, and there are many details to manage, including the precise wording of what to say, so that even further liability is not incurred. d) It may be necessary to put in place ID- or credit-monitoring. e) Lost data must be recovered as systems are restored. This sometimes may mean re-creation of lost data from physical records, if there are any that can be used.

Other possible payouts might be triggered by a) Network interruptions that result in loss of income because the transaction-processing capability of the firm is temporarily suspended. For some firms in financial services, the transactions-per-second rate is so great that even a few minutes of processing. b) Cyber extortion is another area where large payouts might be required.

4.2 Revisiting San Francisco

The insurance situation at this time is an exact parallel to what happened at the turn of the last century in San Francisco. Just as at that time each house and building had purchased a separate policy for earthquake insurance, so today each corporation has purchased a separate policy for its cyber insurance.

And so in the same way that the earthquake in 1906 broke the gas mains and caused a city-wide fire that burnt the city to the ground, a major cyber event will be capable of crossing over from one information system to another, and from one company to another and causing a mega-disaster of unprecedented proportions. Technology observers warn of a “cyber 9/11”.58 But they are not alone, key government leaders familiar with the financial services sector echo the same warning.59

There is little indication that chain-reaction type risks such as those encountered in the great earthquake of San Francisco in 1906 are being accounted for.60

So where does that leave us today? If these observers are correct, it suggests the following:

  • Eventually there will be a mega-cyber event that will cause unexpected and severe damage.
  • The damage will spill across into areas that are not insured or foreseen, but there is a likelihood that the insurance industry will be forced to pay out.
  • A prudent strategy would be for the insurance industry to re-check its treaty networks and build in larger payouts as a potential eventuality.
  • Studies should be undertaken to expand the types of coverage offered, and this might produce a new product line for some insurance writers.


* Director of Scientific Intelligence, Barraclough NY LLC, 135 East 54th St 4B, New York, N.Y. 10022-4509 USA

1  Source is McCarthy [1] quoting a Europol document EU Serious and Organised Crime Threat Assessment [2].

2  Data is from Verizon, quoted by Ralph [3].

3  Reported by Stern [4] who is quoting a survey taken by PwC.

4  Reported by Scannell [5] which provides details on various clever impersonation techniques used.

5  Adapted from Balkhi [6].

6  Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying.

7  Bitcoin is a digital asset and a payment system. The system is peer-to-peer; users can transact directly without an intermediary. Transactions are verified by network nodes and recorded in a public distributed ledger called the block chain. The ledger uses bitcoin as its unit of account. The system works without a central repository or single administrator, which has led the U.S. Treasury to categorize bitcoin as a decentralized virtual currency. (Source: adapted from Wikipedia)

8 Reported by Secureworld [7]. There are also many useful statistics on malware, botnets, Spam, and other problems in a comprehensive OECD document [8].

9 Reported by Ralph [9].

10 Data from Scott and Spaniel [10] at p. 29. See also Kaminska [11] who compares ransomware to a passage in Augustine’s City of God “For what are robberies themselves, but little kingdoms?” (Book IV, Chapter 4.)

11 These government employees were left with no assistance for legal protection against foreign tort and criminal charges, as detailed by Roche [12].

12 A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control or by passing messages to one another. They have been used many times to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. (Source: Wikipedia)

13 See Messmer [13] who gives examples: a) Zeus, 3.6 million; b) Koobface, 2.9m; c) TidServ, 1.5m; d) Trojan.Fakeavalert, 1.4m;e) TR/Dldr.Agent.JKH, 1.2m;f) Monkif, 520,000; g) Hamweq, 480,000.

14 Reported by Stafford [14].

15 This information is paraphrased from a Ponemon Institute research report [15].

16 In the London financial market, reports of a cyber security problem with a bank had a large enough effect on reputation to lower its stock price enough to allow the bank to be taken over by another. In financial services, the price of shares for a company can be sensitive to cyber-security problems. After all, in banking, reputation for security and reliability is an important part of customer trust.

17 In the Lakisha Pettus case, it was alleged that cyber was used to divert “hundreds of thousands of dollars” of “shipments of luxury goods and jewelry to and from warehouses and stores”. See Vance [16].

18 Gugerli [17] (p. 190) writes that the insurance industry has had a difficult time in assessing the risks of nuclear power. “[I]t was almost impossible to assess their [nuclear power plants] potential risk, because there was (almost) no experience of accidents to fall back on.”

19 One hacking group stole more than $1 billion from 100 banks in a period of two years according to Viebeck [18] quoting Kaspersky Labs.

20 Based on Roche [20], but modified with information from Gerson [21].

21 See, for example, a discussion of the TJX, Inc. case in Bishop [22].

22 According to Batterman [23, p. 6], in the UK data protection legislation can impose fines of up to £500,000.

23 Data is from Romanosky et al. [24]. The consumer loss data quotes Bureau of Justice Statistics compiled by the U.S. Department of Justice [25].

24 This information is found in a report from Bryan Cave LLP [26]. It is interesting to note that the Health Insurance Portability and Accountability Act (HIPAA), Fair Debt Collection Practices Act (FDCPA), Electronic Communications Privacy Act (ECPA), Video Privacy Protection Act of 1988 (VPPA), Computer Fraud and Abuse Act (CFAA) and the CAN-SPAM Act of 2003 were the least used theories in these suits.

25 In tort law, the standard of care is the degree of prudence and caution required of an individual who is under a duty of care. The requirements of the standard are closely dependent on circumstances. In Baltimore & Ohio R. Co. v. Goodman, 275 U.S. 66 (October 31, 1927), the Supreme Court noted that “In an action for negligence, the question of due care is not left to the jury when resolved by a clear standard of conduct which should be laid down by the courts.”

26 There have been more than 70 consent decrees according to S. M. Gerson [21]. Most of the legal and regulatory discussion herein is based on Gerson’s presentation at an Infragard meeting March 21, 2016.

27 A consent decree is an agreement or settlement to resolve a dispute between two parties with- out admission of guilt (in a criminal case) or liability (in a civil case) and most often refers to such a type of settlement in the United States.

28 The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996.

29 The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

30 The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as the “Public Company Accounting Reform and Investor Protection Act” (in the Senate) and “Corporate and Auditing Accountability and Responsibility Act” (in the House) and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, for example the willful destruction of evidence to impede a Federal investigation.

31 The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. See

32 The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 162 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges. The Central Secretariat is based in Geneva, Switzerland. See http://www.

33 Class actions are governed by Rule 23 of the Federal Rules of Civil Procedure. The prerequisites must be met for a class to be certified. “One or more members of a class may sue or be sued as representative parties on behalf of all members only if: (1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class.”

34 In re Sony Gaming Networks and Customer Data Security Breach Litigation, and St. Joseph Hospital System of California. Cited by Gerson [21].

35 FTC v. Wyndham Worldwide Corp. Third Circuit.

36 Section 5 of the Federal Trade Commission Act (FTC Act), Ch. 311, §5, 38 Stat. 719, codified at 15 U.S.C. §45(a) prohibits entities from engaging in unfair or deceptive acts or practices in interstate commerce. “(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful. (2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, [except certain specified financial and industrial sectors] from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” According to the IT Law Wiki “In the data security context, the Commission has challenged the failure to implement reasonable safeguards to protect the privacy of consumer information, where the failure causes substantial injury without offsetting benefits, as an unfair practice.” See

37 The term “circuit court” refers to the regional federal appellate courts in the United States. There are 11 numbered circuits, each covering a number of states in a region (plus the D.C. Circuit and the Federal Circuit). If there is disagreement between rulings in different circuits, the issue may eventually be decided by the Supreme Court.

38 See comments of Patricia M. Wagner of Epstein Becker & Green, PC [23, p. 11]: “In terms of damages related to the plaintiffs in the litigation, there should be actual demonstrated harm. Theoretical or potential for harm is not sufficient.”

39 The case is In re LabMD, Inc. Observations are from Gerson [21].

40 See Figure 2 in the Global Reinsurance Forum report [27].

41 Comments from the International Association of Insurance Supervisors [28], who also note that a) there is increased competition; b) premiums have come under pressure for non-life insurers and reinsurers in the commercial lines, property and catastrophe markets; c) investment yields for (re)insurers have declined slightly; d) there has been a “surge of mergers and acquisitions (M&As)”; “more than 10 percent of the global reinsurance industry is currently involved in major mergers activity”.

42 The newspaper is digitized by the National Endowment for the Humanities; http://

43 See extensive discussion by James [29].

44 According to Swiss Re [30, p. 14].

45 Quoted by Atkins [31] who noted that reinsurance accounts for 85% of Swiss Re’s revenues. Swiss Re has found that “the premium income was not significant” from cyber and recommended being “massively selective” in choosing which policies to write or treaties to accept.

46 Government Communications Headquarters (UK)

47 Reported by Ralph [32]. One motivator for the move was that in January 2016 HSBC’s personal banking and mobile applications were brought down by a cyber attack, raising questions about the entire sector.

48 See details on the GEM initiative in the report of the Global Reinsurance Forum [27, p. 28]. Perhaps a few cyber earthquakes need to occur before the reinsurance industry begins to study the issue in the same level of depth as they do earthquakes.

49 Higgins [34].

50 Similar data is quoted by Ralph [3]. This also is the source of the information on Pool Re mentioned above.

51 Quoted by Ralph [35].

52 Freeman [36, p. 4], “Insurers wrote layers of major retailers at minimum premiums that now look thin to say the least.” Her analysis contains a detailed look at the Target incident. “The company reported $61 million pretax expenses related to the breach, but expected $44 million in cyber insurance payments against this figure. . . . [it is] estimated that the total exposure to Target could be $450–$500”.

53 Data is from Stubel [37] citing a study from Hanover Research [38].

54 See presentation of Saeed [39].

55 Swiss Re writes “A large insurer typically needs to deal with hundreds of third-party partners across dozens of countries, and the IT systems of these partners can be vulnerable to security breaches.” [30, p. 24].

56 An endorsement is a written document attached to an insurance policy that modifies the policy by changing the coverage afforded under the policy. Insurance endorsements are important additions to an insurance policy.

57 This data comes from a survey done by PartnerRe [40].

58 Naughton [41] who writes “There is another, deeper, fear – that the mysterious botnets that have been assembled by the merchants of malware may one day be used in some co-ordinated way to engineer a massive global event — cyberspace’s equivalent of 9/11, if you will.”

59 See comments of Ben Lawsky, head of the New York Department of Financial Services, quoted by Viebeck [18].

60 See David Gugerli’s discussion [17] of the effects on the insurance industry of the 1906 earthquake.


[1] Thomas McCarthy. Briefing on cyber security. Private briefing for Infragard, March 21 2016. McCarthy is the Principal Security Consultant for

[2] European Police Office. The EU Serious and Organised Crime Threat Assessment (SOCTA). Technical report, Europol, The Hague, Netherlands, 2013.

[3] Oliver Ralph. Pool Re should ‘evolve’ to cover cyber attacks and pandemics. Financial Times, February 22 2016.

[4] Stefan Stern. CEO email scam is wake-up call for boards. Financial Times, March 16 2016.

[5] Kara Scannell. Cyber crime: How companies are hit by email scams. Financial Times, February 24 2016.

[6] Syed Balkhi. 25 biggest cyber attacks in history. List 25 Blog, May 6 2013.

[7] SecureWorld Post. FBI warns of increasing ransomware attacks. Databreach Today Reports, March 13 2016. https://www. warns- increasing- ransomware- attacks.

[8] OECD Working Party on Information Security and Privacy (WPISP). Computer viruses and other malicious software – a threat to the internet economy. Technical report, Organisation for Economic Co- operation and Development, Paris, 2009.

[9] Oliver Ralph. Malicious attacks account for bulk of data loss. Financial Times, March 8 2016.

[10] James Scott and Drew Spaniel. The ICIT ransomware report – 2016 will be the year ransomware holds America hostage. Technical report, Institute for Critical Infrastructure Technology, Washington, D.C., 2016.

[11] Izabella Kaminska. On the economic power of ransom. Financial Times, March 9 2016. FTAlphaville Blog.

[12] Edward M. Roche. When the intelligence community is exposed – the U.S. must protect its employees from foreign lawsuits. The Washington Times, August 31 2015.

[13] Ellen Messmer. America’s 10 most wanted botnets. Network World, July 22 2009.

[14] Philip Stafford. BoE set to review market risk managers. Financial Times, March 6 2016.

[15] Ponemon Institute LLC. Is your company ready for a big data breach? Second Annual Study on Data Breach Preparedness, September 2014. 2014- ponemon- 2nd- annual- preparedness.pdf.

[16] Cyrus R. Vance Jr. Lakisha Pettus indicted for intercepting deliveries of designer clothes and products. Press Release from the New York County District Attorney, January 7 2016.

[17] David Gugerli. The Value of Risk: Swiss Re and the History of Reinsurance, chapter Reinsurance Comes into Its Own 1860-1960, pages 147–236. Oxford University Press, Oxford, United Kingdom, first edition, 2013. See pps. 168-171 for details on the San Francisco earthquake of 1906.

[18] Elise Viebeck. Wall street regulator warns of ‘cyber 9/11’. The Hill, February 26 2015.

[19] Scott Flaherty. Cyber litigation: The next big thing? The American Lawyer, January 1 2016.

[20] Edward M. Roche. Internet and computer related crime: Economic and other harms to organizational entities. Mississippi Law Journal, 76:639– 665, 2006-2007.

[21] Stuart M. Gerson. Legal aspects of cyber insurance. Private briefing for Infragard, March 21 2016. The author is at the law firm Epstein Becker & Green, P.C. in Washington, D.C. and New York City.

[22] Derek A. Bishop. No harm no foul: Limits on damages awards for individuals subject to a data breach. Shidler Journal of Law Communications and Technology, 2008.

[23] Herbert Smith Freehill. Data protection and cyber security litigation. Corporate Disputes, October-December 2015.

[24] Sasha Romanosky, David Hoffman, and Alessandro Acquisti. Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1):74–104, March 2014.

[25] Bureau of Justice Statistics. Identity theft reported by households, 2005– 2010. Technical report, U.S. Department of Justice, Washington, D.C., 2011.

[26] Josh Zeetoony, David; James. 2015 data breach litigation report. Technical report, Bryan Cave LLP, n.d.

[27] Global Reinsurance Forum. Global reinsurance: strengthening disaster risk resilience. Technical report, The Geneva Association, Basel, September 2014.

[28] Macroprudential Policy and Surveillance Working Group (MPSWG). 2015 Global Insurance Market Report (GIMAR). Technical report, International Association of Insurance Supervisors, Basel, January 6 2016.

[29] Robert A. James. Six bits or bust: Insurance litigation over the 1906 San Francisco earthquake and fire. Western Legal History, 24(2):1– 39, Summer/Fall 2011. Available at siteFiles/Publications/SixBitsorBustInsuranceLitigation.pdf.

[30] Kurt Karl, Thomas Holzheu, Clarence Wong, and Paul Ronke. Global insurance review 2015 and outlook 2016/17. Technical report, Swiss Re, Zurich, 2015.

[31] Ralph Atkins. Swiss Re chief cautions on cyber security risks. Financial Times, February 23 2016.

[32] Oliver Ralph. Former spymaster to help fight City cyber crime. Financial Times, February 11 2016.

[33] Loren Nickel. Cyber risk analytics. In Miscellaneous Papers. Southern California Casualty Actuarial Club, May 15 2014.

[34] Kelly Jackson Higgins. Cyberinsurance resurges in the wake of mega-breaches. Information Week Dark Reading, October 2 2014.

[35] Oliver Ralph. Safe drivers offered pizza and films by insurers. Financial Times, February 22 2016.

[36] Emily Freeman. State of the cyber insurance market – ten lessons learned from major retailer breaches. Technical report, Lockton Companies, San Francisco, August 2014.

[37] Shiela Strubel. Here’s why you aren’t selling more cyber insurance. Weekly Industry News blog, November 12 2014. blogpost/1199781/202434/.

[38] Market Insight Center. Cyber insurance survey prepared for ISO. Technical report, Hanover Research, November 2014. http://www.verisk. com/downloads/emerging- issues/cyber- survey.pdf.

[39] Shiraz Saeed. Briefing on cyber insurance. Private briefing for Infragard, March 21 2016. The presenter is a product specialist for cyber liability at AIG Property Casualty.

[40] Advisen Ltd. Cyber liability insurance market trends: survey. White Paper, October 2015.

[41] John Naughton. The cyberplague that threatens an internet armageddon. The Guardian, April 30 2011.


“Because That’s Where The Money Is”

Robbing banks. Cyber crime. It was reported today that hackers, using the credentials of Bangladesh’s central bank on its payment-messaging system, sent fraudulent transfer instructions to the Federal Reserve Bank of New York and moved roughly $100 million out of Bangladesh’s account there. Part of the money was laundered through gambling casinos in the Philippines.

Around the world, governments are building cyber weapons. Many are tested; others lie in wait until they are needed. We have already seen that in times of conflict, cyber weapons are an integral part of warfare.

Apple v. FBI

Two Islamic terrorists attacked a gathering in San Bernardino, California, in December 2015. Syed Rizwan Farook had made friends with people at his place of employment and served the numerous elderly patients there. When the time came, he murdered a number of those same people, shortly after sharing a holiday party with them. “Animal” and “Scum” are two appropriate words for Farook.

In the course of the investigation it was determined that Farook used an iPhone. The FBI wants to read its contents. The problem is that the iPhone’s security prevents access: the data is encrypted under a key derived from the user’s passcode, and if the optional “Erase Data” setting is on, ten wrong passcodes in a row cause the phone to destroy that key material, leaving the data unrecoverable.

At the core of the problem is the reality that Apple’s technology for the iPhone is actually secure. No one, not even Apple, has access to the encrypted personal information held on your iPhone, because the key that unlocks it is derived from your passcode together with a key unique to the phone’s hardware. The same design philosophy is behind Apple Pay: when it is used, the merchant never learns your identity or even your credit card number, because a device-specific token is sent in place of the card number.

Through a court order, the FBI is asking Apple to develop software that would disable these protection mechanisms (the erase counter and the escalating delays between wrong attempts) so that the passcode could be brute-forced. A “brute force attack” here means submitting one candidate passcode after another until the right one is found, at which point the phone unlocks. Note that this is an attack on the passcode, not on the encryption itself: because the passcode is combined with a key held only in the phone’s hardware, the guesses must be run on the device, which is why the attempt limits matter so much. A four-digit passcode has only 10,000 possibilities and falls quickly once the limits are gone; with them in place, the tenth wrong guess destroys the data.(*)
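The mechanism just described, as a toy model added to this post (it is not Apple’s code and not taken from the court order): a passcode stretched and entangled with a per-device key, a wrapped class key protecting the user’s data, an erase counter and an escalating delay schedule. The class and function names, the use of PBKDF2 and HMAC, the XOR wrapping, the iteration count and the delay table are all assumptions chosen for illustration; a real device does this in hardware with different parameters. Running it shows the two scenarios in the text: stock firmware wipes the phone on the tenth miss, while firmware with the erase counter and delays removed lets a four-digit passcode fall in a few hundred guesses.

```python
"""Toy model of an iPhone-style passcode lock (added illustration, not Apple's code).

Assumed, not from the post: PBKDF2 stretching, HMAC entanglement with a per-device
UID key, XOR wrapping of the class key, and the delay table below.
"""
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PasscodeLockModel:
    # Illustrative escalation: seconds of delay imposed before the next attempt,
    # indexed by the number of consecutive failures so far.
    DELAY_SCHEDULE = (0, 0, 0, 0, 0, 60, 300, 900, 900, 3600)

    def __init__(self, passcode: str, erase_after=10, escalating_delays=True, iterations=1000):
        # Per-device key burned into silicon; real hardware never exposes it to software.
        self._uid_key = secrets.token_bytes(32)
        self._salt = secrets.token_bytes(16)
        self._iterations = iterations
        self.erase_after = erase_after                # None models firmware with the erase counter removed
        self.escalating_delays = escalating_delays    # False models firmware with the delays removed
        self.failed_attempts = 0
        self.erased = False
        # The class key protects the user's files; only its wrapped form is stored,
        # plus a check value so a wrong passcode can be recognised.
        class_key = secrets.token_bytes(32)
        self._wrapped_class_key = _xor(class_key, self._derive(passcode))
        self._check = hmac.new(class_key, b"class-key-check", hashlib.sha256).digest()

    def _derive(self, passcode: str) -> bytes:
        # Entanglement: the derived key depends on the passcode AND the UID key, so
        # the derivation can only run on this device; copied ciphertext cannot be
        # attacked offline with the passcode alone.
        device_salt = hmac.new(self._uid_key, self._salt, hashlib.sha256).digest()
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_salt, self._iterations, dklen=32)

    def delay_before_next_attempt(self) -> float:
        if not self.escalating_delays:
            return 0.0
        n = min(self.failed_attempts, len(self.DELAY_SCHEDULE) - 1)
        return float(self.DELAY_SCHEDULE[n])

    def unlock(self, passcode: str):
        """Return the class key on success, None on failure; wipe after erase_after misses."""
        if self.erased:
            return None
        candidate = _xor(self._wrapped_class_key, self._derive(passcode))
        tag = hmac.new(candidate, b"class-key-check", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._check):
            self.failed_attempts = 0
            return candidate
        self.failed_attempts += 1
        if self.erase_after is not None and self.failed_attempts >= self.erase_after:
            # "Erase": destroying the wrapped key makes the data unrecoverable even
            # if the right passcode is entered later.
            self._wrapped_class_key = None
            self.erased = True
        return None


def brute_force_pin(lock: PasscodeLockModel, digits: int = 4) -> dict:
    """Try every numeric passcode in order. Returns the passcode found (or None),
    the number of attempts made, and the total delay the lock would have imposed."""
    attempts, delay = 0, 0.0
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        delay += lock.delay_before_next_attempt()
        attempts += 1
        if lock.unlock(pin) is not None:
            return {"pin": pin, "attempts": attempts, "delay_seconds": delay}
        if lock.erased:
            break
    return {"pin": None, "attempts": attempts, "delay_seconds": delay}


if __name__ == "__main__":
    stock = PasscodeLockModel("0427")
    print("stock firmware:", brute_force_pin(stock), "erased:", stock.erased)
    relaxed = PasscodeLockModel("0427", erase_after=None, escalating_delays=False)
    print("protections removed:", brute_force_pin(relaxed))
```

With the stock settings the search stops after ten misses with the phone erased and about an hour and a half of enforced waiting; with both protections removed, passcode “0427” is found on the 428th guess with no delay at all. The point the model makes is that the encryption is never broken in either case; what the requested firmware removes is the cost of guessing.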

So far, Apple is resisting the court order. The argument on Apple’s side is that (1) Apple is not being asked to provide information, but instead is being asked to write software for the FBI; (2) if the US government forces Apple to do this, then any government (read China, Russia) would start to demand the same thing; (3) if that happened, the iPhone would no longer be secure, because eventually the secrets of how to dismantle its protection would leak out to hackers; (4) Apple would be put at a disadvantage because it is unlikely that a foreign phone maker such as Samsung could be forced to comply. And there are other reasons also.

One hacker has argued that it is easy for Apple to break the iPhone security:

“On a technical level, Apple could carry out the order by creating a RAM disk signed by the company’s production certificate for the specific ECID of the suspect’s iPhone. This solution would allow Apple to use existing technologies in the firmware file format to grant access to the phone ensuring that there is no possible way the same solution would work on another device.” (comments of Will Strafach, in “Legendary iPhone hacker weighs in on Apple’s war with the FBI”)

There also are broader issues involving the balance of national security and privacy. Where should the balance be, and who is to make that determination?  This is going to be a difficult problem to solve.

What should be the power of governments to protect their people?  And what rights or privileges should be sacrificed in order for the government to accomplish this objective?

There are powerful arguments on either side.  But the way this is heading is fairly clear:  Secure systems might eventually be made illegal.

Note (*) The Order Compelling Apple, Inc. To Assist Agents in Search, No. ED 15-0451M, In the Matter of the Search of An Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 relies upon the All Writs Act, adopted in 1789 and listed as 28 U.S.C. § 1651. It says that:

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction.
Note: A rule nisi means that the ruling of a court is final unless one or both parties show cause for it not to be. (Black’s Law Dictionary)



Cyber War in Outer Space

The Director of National Intelligence, James Clapper, has warned that Russia and China have been working hard at developing capabilities to shoot down U.S. satellites. The purpose of building this capability is to be able to disable U.S. military communications.

In the United Nations Charter, signed on 26 June 1945 in San Francisco, it has always been recognized that cutting off communications is an important sanction that can be imposed against a nation state. For example, Article 41 states:

“The Security Council may decide what measures not involving the use of armed force are to be employed to give effect to its decisions, and it may call upon the Members of the United Nations to apply such measures. These may include complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations.”

China is developing so-called “Satellite Killers“.  In addition, there is a fear of electromagnetic pulse (EMP) effects from high-altitude nuclear bombs. EMP has the potential to wipe out large parts of the entire telecommunications and computing infrastructure of the United States.

All of these developments show that in the future, if there is war, then attacks against the cyber infrastructure will be as important as those against any other target.

It is difficult to see how these developments could be controlled with a cyber arms control treaty.



Written by our Guest Author: Herbert O’Yardley


For reasons that will forever remain unknown, Roche has invited me to make another entry on his soon to be “must read”, viral blog (which if I had a computer and Internet access I might even visit from time to time). So I’ll just say right now that if I were you, I would not read this – and I don’t even know what it’s going to say yet! I just know that it is probably right, and that that is almost certainly a BAD thing. But…..What do I know? I’ve been wrong about everything lately; except the Fed. And you don’t want to get me started on that – although my thoughts from 5-6 years ago may still be on my own blog if you can find it.


For Christmas this year, I bought my Old Man a Chess Set – which was not that easy to find for obvious reasons, like anyone under 35 (or maybe even much older) would rather play some video game or be part of a multiplayer, online gaming platform. Now before we go any further, stop and think about that for a minute. Chess is a very complex game; perhaps the most complex ever created. In fact, I can remember a time – not so long ago – when an IBM computer beating a Grand Master was an international media event heralding the coming of the new “Information Age”. Strategy in Chess has been studied by some of the brightest minds in History, and forms the basis for much Military, Political and Business Strategy, although you might never guess that from the results of so-called “strategies” in those fields. But however complex the strategies in Chess may be, and however sophisticated the tools of analysis, the strategies required in instantaneous, multiplayer “Cybergames” are orders of magnitude more complex. This means that using standard tools like Game Theory to develop and evaluate a possible Cyber Treaty (or Cyber War for that matter) is like using a magnifying glass to study Particle Physics (which I’m sure most of us have tried at some point).

Last Summer, I finally threw away a dozen or so Math books that I had held onto since College. Of course now I know it was a big mistake, but at the time it seemed like the thing to do. Among these were several books on Linear Algebra. Linear Algebra is particularly germane to a discussion of Strategy, War and Treaties because it allows the theoretician to create a set of rules and then study their consequences on a group of predetermined parameters. As such, it forms the basis for Game Theory. Game Theory had limited practical value even in its heyday due to the deterministic nature of the structure and rules of a game on its ultimate outcome. But in a world where even the best players have no idea what they are really doing or the true costs of their actions, where there are no “rules” – only winning and losing, and where the non-rules change at random or at the whim of the strongest players, there is not much room for Theory or Strategy, only the survival of the fittest – or the least fit if you prefer.

Of course, Roche and I have already tried to apply Game Theory to other contexts – this time to Business Strategy – and proposed the ill-fated concept of “Super-Games” – which I think I once said was our ticket to a Nobel Prize (Wrong Again.). The Mathematics of Supergames have been explored to a limited extent; but while they are extremely sophisticated, they do little more than expand the structure and length of a game, allowing more complex strategies to be executed. Our approach added several more levels of complexity by allowing the rules to change without notice and players to enter and exit at random. It also added the notion of asymmetry – which allowed certain players to act outside the existing structure of the game, as well as allowing the formation and dissolution of coalitions and other partnerships, and the sharing of information and the use of deception. All of this is of course prevalent in the Business World. We made no claims about being able to formalize the Mathematics behind such a system, but we were able to create a simple set of rules which defined this Supergame, and reach some very tentative conclusions about the role of Strategy under these conditions. The fact that the paper was rejected by at least 24 journals reflects the imagination and insight of the Business World. But I don’t need to tell you that. All you have to do is watch CNBC for a few minutes or read the front page of the Fox Street Journal. Unfortunately, this “MBA Mentality” – as I like to call it – has infected every part of Society and Government, including the Civil Servants (if there still are such things) who would draft and negotiate a Cyber Treaty – or start a Cyber War – which is increasingly likely to be one and the same thing.


Traditional Theories and Strategies don’t offer much guidance in a World based on Cyber- and Super-Games. This is because the individuals involved in both treaty negotiation and potentially sanctionable behavior are likely to be far more capable of circumventing standard safeguards than previous generations. For actors raised on rapidly changing environments, both the contents and the enforcement mechanisms of any treaty must be based on a new set of principles that is far more complex and flexible than traditional methods to have any chance of success. Particularly in Technology-based environments, capabilities and actions move so quickly that it is literally possible for a treaty to be obsolete before it has even been negotiated. Thus, sanctionable behavior must be defined in a broader, non-specific way, which works against the basic nature of treaty negotiation. Similarly, new mechanisms must be devised to tie parties to sanctions and unwanted outcomes in an immediate and costly way.

At some point Roche and I looked into identifying the “necessary and sufficient” conditions for successful International Treaties based on historical analysis and a review of the literature. To my surprise, this was not a subject of great interest, although a few conditions received some attention, and are probably worth noting. I will mention three which should be useful in the present context: 1) The treaty should include all relevant parties in the negotiations, 2) Violations must be clearly defined and sanctions specified in advance, and 3) All violations and sanctions must be handled in a non-discriminatory way. Although these principles are still “necessary” and useful guidelines, they are clearly not “sufficient” to guarantee a successful Cyber Treaty due to the rapid, unpredictable changes endemic in the basic structure and nature of the activities involved. Thus, devising a successful Cyber Treaty will be extremely difficult and require great knowledge and creativity. In other words, just forget about it.

But there is still one Law of Game Theory that’s hard to argue. Make the Rules, and you may have a better chance of winning. But that’s only if you’re smart enough to see clearly several moves in advance. And that’s still not easy, even for the experts. Of course, if all else fails you can always just kill your adversary, or better yet, beat him to death with a hammer or cut off a few of his fingers. Just watch “Casino” again and see what I mean. In any case, it’s probably best not to bet against the House.


Every once in a while I come up with a good idea, and in the context of a Cyber Treaty here it is. If the use of new Internet and Social Media Technology really is changing the way individuals think and act – and there is no doubt that it has had profound effects – particularly with regard to the rapidly changing, interactive, strategic situations you might find in Cybergames, then it makes sense to let this “new breed” play a key role in structuring a Cyber Treaty – even if they are only 13-year-old kids, failing most subjects in school, who couldn’t carry on an intelligent conversation with their favorite Action Hero. (Just remember, these are the Bankers, Doctors, and Lawyers of tomorrow.) So instead of Governments or International Institutions drafting and negotiating a treaty to limit Cyber Weapons and Warfare, why not let the individuals most familiar with the (un-) realities of Cyberspace create the treaty through an open, interactive platform designed for this purpose. The site could be set up as either a Cybergame or a Wikipedia-like knowledge platform where ideas and actions could be vetted and tested by the community. For example, a game could be developed which closely resembles the actual structure of the global Political Economy, with Nations, National and International Institutions, various types of Infrastructure, and other Economic, Social and Political factors. Players would seek ways to disrupt and destroy other nations, and through their strategies and actions, safeguards could be developed to minimize the results of those activities. Over time it should be possible to identify a set of rules or procedures which would ultimately eliminate the threat of Cyber War, and these principles could form the basis of a future Cyber Treaty. Of course this has probably already been going on for a long time in a basement somewhere in Virginia… and Moscow, and Beijing, or at a University or Tech company in a town or city near you.


Anyone who has ever read anything I’ve written in recent years knows that I am extremely pessimistic about any sort of remedial action to improve the Sorry State of Man and the World. For me, these activities typically fail to either address the core problems, or provide a lasting solution to even the most superficial aspects of the mess we have created. They may be done in good faith and have the best intentions, but in the end nothing ever changes, and things just seem to get worse. Until we all understand that we are in this (sinking) ship together, no Treaty, Threat or Action is going to stop War, Hate and Stupidity. It will only give one group of idiots a temporary advantage over their rivals, and in the process breed more hate and resentment, causing another round of stupidity which wastes (limited) global resources, human energy and time. We have to do better, as individuals, nations and members of whatever communities we populate. I still believe it’s possible. But it’s getting increasingly difficult to Keep the Faith.

Herbert O. Yardley


Rumination on the Coming Cyber War

By Herbert O. Yardley, guest editor.


A friend of mine likes to joke that if the Grid ever goes down, everyone under the age of 35 will be dead within 3 days from starvation, media withdrawal and having to think for themselves. This fits well with the claim that “We are just 7 meals away from anarchy” thanks to the introduction of Just-In-Time inventory control to the nation’s (and world’s) food delivery system. So perhaps there is something to this Cyber Treaty thing after all.

But, as one who has never owned a cell phone, does not have Internet access, and has never banked, traded stocks or made a purchase online, I see things from a different perspective. Sure, a Cyber Attack could throw the global financial system into chaos; but can it really do more harm than the World’s Central Banks or the large cadre of Harvard MBAs trading trillions of dollars, marks and yen unsupervised on a 24/7 global basis have already done? I doubt it. And even if some high level global Strategist tries to melt down a few “enemy” nuclear reactors, or shut down Facebook or Amazon for a few weeks; is that any more dangerous than Curtis Lemay (the Head of SAC) purportedly violating Soviet airspace at the height of the Cuban Missile Crisis in hopes of provoking an incident that would justify a US first strike? Estimated “fallout”, 150-250 million dead, but the near total destruction of the USSR’s military capability. So let’s put things into perspective here.

The real question – which no one is even asking, let alone trying to solve – is this: “How can we improve basic Human Nature so that War of any kind, Hate, and the so-called “Strategic” calculus that has contributed so much to the present sorry state of the World are no longer acceptable to even the most Neanderthal Governments and persons?”. I may be crazy, but I believe this problem can be solved, and in less than 3 generations if the “best and brightest” from all nations and fields resist the temptation to work for and enable the worst elements which seem to dominate Government and Business.


For reasons that remain obscure, I read the Bible last Summer for the first time, and among other things the story of the Tower of Babel stands out in my mind, particularly in the current context. For me there are two key lessons: First, the God of the Bible is a jealous, hateful, petty god, who feared the potential power of a united Mankind, particularly one that could build a tower to Heaven (This, like everything else, was explored in a classic South Park which provides further insight into the matter). As a result He destroyed the Tower, and replaced a universal language with a multiplicity of tongues so that men could not communicate with each other. The rest as they say is History. But perhaps even more disturbing is the idea that Man was made in this God’s image. While that would seem to explain everything, it almost certainly guarantees a future Cyber War since new technologies provide a vehicle for seamless global communication which poses a serious threat to current national and international institutions and the established global power structure. Roche and I have addressed this issue elsewhere using a new concept we call Asygnosis. Unfortunately, the idea was universally panned by the academic community and remains unknown, although we still discuss it occasionally.

The problem, of course, is that to those desperately seeking to maintain their fragile grip on global Wealth, Power and Control, Cyber Weapons and Cyber Warfare seem like a cheap, expedient option. And since the old “Military-Industrial Complex” has been replaced by a Military-Technology alliance, “What’s good for Google is good for the global strategic position of the US” as Charlie Wilson might have said – although we can rest assured that he’s rolling over in his grave at the very thought of such a thing. The same goes for tech companies in other countries. In a world defined by two-dimensional computer and cell phone screens, whoever controls the flow of data, financial and economic transactions, and communications thinks they control everything. But as a former Painter I can assure you that no matter how closely a two-dimensional surface appears to represent Reality, it is at best no more than an Illusion. And in the case of many new technologies, they promote a very convincing “illusion” which has a plethora of dangerous implications; the threat of Cyber Warfare being just one of them.


The main problem with much new Telecommunication and Internet Technology (and I have been talking about this for at least a decade) is the “de-humanizing” – for lack of a better word – effect it has on users. This is clearly evident in the general loss of “intimacy” among people, and the inability of almost everyone to deal effectively with simple social interactions and situations. For me, the epiphany came a few years ago during a family Christmas gathering when my nieces and nephew – who were sitting on a couch next to each other – texted among themselves rather than turning their heads and speaking face to face, which would of course have included anyone present in their conversation. It is important to stress that it is exactly this type of technology-driven social interaction that makes the likelihood of a Cyber War so high. As “reality” becomes condensed to a computer or cell phone screen, the real “human” costs and consequences of any action become irrelevant. Instead, the calculus becomes: “How many hits would a major Cyber Attack get on YouTube or other Social Media platforms, and how can that response be controlled and monetized to the fullest?” And don’t think some of the “smartest” minds haven’t already figured this out. In fact a recent study of the top ten topics on Social Media in 2015 included no less than 6 major disasters, including the 2 Paris Bombings and the Earthquake in Nepal. So don’t discount a Cyber War as part of a major Corporate or Political advertising campaign.

The other major problem with many new technologies is the false sense of knowledge and reliability they offer users. Once again Roche and I explored this subject in a widely rejected study of an Intelligence-based software product. The only difference we could find in the results of this product versus conventional methods was that its users were far more confident in their mediocre results. Once again this bodes ill for the coming Cyber War, since Strategists are likely to downplay or neglect altogether the true costs of attack and at the same time feel extremely confident about their (mis-) calculations. Wikipedia is a poor substitute for Knowledge. Of course, the irony here is that the most developed nations have the most to lose in an all-out Cyber War, since the third or more of global population that still struggles for food and clean water on a daily basis would remain largely unaffected by a major Cyber Attack.


There is, however, one thing for sure. The day after the Great Cyber War the Sun will still rise, birds will still sing, and the Earth’s vegetation will continue to convert sunlight, water and carbon dioxide into energy for growth and oxygen. (Note that this may not have been the case after the Great Nuclear – Nuckuler for you Republicans – War that so many dreamed of for so long.) There is unfortunately another (near) certainty. And that is that the remnants of Human Civilization will soon reassemble, led by the most malevolent, egomaniacal elements to quickly rebuild barriers to fellowship and free expression. It will not take long before the lessons of the last Cyber War lead to the development of even more powerful methods to address perceived threats and control the “masses”. So, Cyber War or Cyber Treaty? The answer lies in whichever suits the whims and perceived interests of the most powerful at the moment, especially if the projected results might hurt their competitors even more than themselves. Flip a coin. Either way we all lose.

I like to say that we have the ability to turn this World into a true Paradise – eliminate Hunger, Disease, Fear and Want; and that’s all before breakfast. The only barrier is Human Nature. Improving that is a problem worthy of our full attention and dedication. But what do I know? I’ve been wrong about everything lately.

December 2015 Cyber War Coverage

December, the supposed holiday time for most of the world, was filled with substantial coverage of the world’s raging cyber war. Newsweek Magazine carried a special edition on The Art of (Cyber) War. It noted that a federal government database had been hacked and that the highly personal information of 21 million government employees was published. It also notes that “by 2018” we can expect that the U.S. Department of Defense will deploy a new cyber defense program that will include a “task force” to protect America. Here is some more information. The Identity Theft Resource Center reported 641 data breaches in 2015. It also reported that “more than 175 million [U.S. citizens] people had their information exposed in data breaches in 2015”.

Companies such as Sift Science were reporting rapid growth: “Every day, businesses worldwide rely on Sift Science to eliminate fraud, slash costs, and grow revenue. Our cloud-based machine learning is powered by 5,000+ unique fraud signals and a network of 1,500+ websites (and growing).” Sift uses “large scale machine learning technology” to analyze data and connect “thousands of seemingly unconnected clues left behind by fraudsters.”  Artificial intelligence (AI) is being used to catch Internet fraud. Machine intelligence (The Helix(TM) Security Engine) also is being used by Lookout, a security firm that focuses on the mobile phone market.

The United States is not the only country concerned. Salìh Biçakcī from Kadir Has University in Turkey reports that cyber attacks against Turkey are increasing, and that “the state is not prepared for approaching cyber wars”. Turkey has been under a Distributed Denial of Service (DDoS) attack for most of December. Biçakcī argues that Turkey’s government is not set up for the type of coordination needed to withstand a determined cyber attack. Many other governments must be having the same thoughts. Biçakcī has authored such documents as The Rebirth of NATO between New War and Cyber Security and The role of information technology in responding to Terrorism. Because of ties between Turkey and ISIS, Anonymous attacked Turkey’s banking sector, according to TechWorm. Anonymous warned “Dear government of Turkey, if you don’t stop supporting ISIS, we will continue attacking your Internet, your root DNS, your banks and take your government sites down”. Anonymous “took 400,000 [Turkish] sites offline for 7 days”.

Anonymous has published a chronology of events in its war against ISIS.  It calls the action “OpISIS”.

In India, Tarun Vijay a member of the Bharatiya Janata Party (BJP) has been demanding that India set up a separate ministry for cyber security. As reported in the Indian Express, “[I]n the last five months 50,000 cyber attacks have been reported and nearly half of India’s internet population was being hit by cyber attackers”.

The above summarizes only a few events in December. As stated earlier, cyber war and cyber weapons are multiplying. They are one of the most important tools of today’s warfare. Cyber arms limitation talks are surely needed.

Xi Jinping and Laws for Cyberspace

At the recent World Internet Conference, held in Wuzhen, Zhejiang province, the President of China Mr. Xi Jinping gave a speech setting forth priorities for Internet Governance.  The view of the Government of China is that each country should control its own Internet and set its own rules for cyberspace.

This means that the Chinese government sets a priority on monitoring the Internet to ensure that it is not used for unlawful activity.

It is hard to argue with a government that does not wish for the Internet to be used for unlawful activity.  All governments agree with this view.  The Internet should not be a free zone for criminals.

The only issue, then, is what is criminal activity.  Obviously this varies from nation to nation.  What is protected speech in one country might be illegal in another.  What is protected journalism in one country might be illegal activity in another.

This distinction is a source of conflict in debates over Internet governance. People outside of China might criticize Chinese monitoring of the Internet inside China, but in essence what they are criticizing is Chinese law as it is written or interpreted or enforced inside China.

An international issue arises if activities take place on the Internet outside of China, but those activities if carried out inside China would be considered criminal.  In those cases, China reserves the right to block those activities from crossing through the Internet into China.  Again, this is a question of Chinese sovereignty.

And here we are using the example of China, but national sovereignty is an important issue for all nation states.

A complication arises in cases where China cuts off entire services from being provided in the Chinese market.  For example, Facebook is not allowed in China.  This is not a question of Chinese law, but instead is a matter of non-tariff barriers to trade in services.  Many are of the view that it should be condemned because there is no reason why Facebook or any other outside provider of Internet services could not be monitored for criminal activity the same way that services inside China are monitored.

These are issues that need to be considered in negotiations concerning international trade in services.

It also is true that hacking is illegal in China. This means that if someone inside China hacks a Chinese website, a law is broken. It is not clear whether it is a violation of Chinese law if a person inside China hacks a computer that is located outside of China. There might be potential for further international discussion on this issue.

These discussions on Internet censorship and control, and its connection to national sovereignty are interesting and important, but are outside the scope of consideration regarding cyber weapons.  The reality is that development of cyber weapons will always be legal within a nation state the same way the development of any other type of weapon is legal.  Cyber weapons are an integral part of the right of self-defense of a nation.

There is a cyber arms race now, and people need to be thinking about how to control the proliferation of cyber weapons.