|
Just days after the September 11 terrorist attacks the U.S. Federal Bureau of Investigation
began warning the public that the potential for future attacks exist, and among the threats was
that of cyber terrorism. The concept is not a new one, such attacks have been taking place
between Palestinian and Israeli groups, and between U.S. and Chinese sources, in response to
political conflicts. And now, in light of new terrorism and cyber exclusions in insurance
policies, commercial insurance buyers are wondering how to protect themselves from the potential threat of today's "hacktivists" becoming tomorrow's cyber terrorists, and weapons of mass disruption turning into weapons of mass destruction.
February 2002 - Al-Qaida, (the notorious terrorist group formed by Osama bin Laden, has not
engaged in computer-based attacks in the past. However, in the wake of the World Trade Center
(WTC) attacks, bin Laden has suggested that Al-Qaida has the expertise to use computer
technology as a weapon, reports Canada's Office of Critical Infrastructure Protection and
Emergency Preparedness (OCIPEP).
In response to reports from the FBI about the potential threat of cyber attacks in the wake of
September 11, OCIPEP began issuing such advisories, and notes that "retaliatory cyber attacks"
against coalition countries, primarily in the form of website defacements had already begun. In
late November, the Canadian government helped draft the Council of Europe's Convention on
Cybercrime, an international effort to deal with issues of terrorist financing, money laundering
and cyber terrorism.
The September 11 terrorist attacks changed perceptions of the world's security infrastructure,
and the insurance industry's understanding of risk. What had once been inconceivable was now
reality and so began the process of imagining the unimaginable in terms of catastrophic risks.
Cyber terrorism, a heretofore unconsidered threat, was suddenly put on the world stage amongst
a host of new potential threats.
Digital Pearl Harbor
When the U.S. government's new cyber terrorism expert, Richard Clarke, suggested the possibility
of a "digital Pearl Harbor", he was greeted with skepticism. The concept of one, large-scale
attack on the Internet seems far-reaching, despite the claims of Al Qaida and other Muslim
extremist groups who claim to, or are known to, use the Internet as a tool. That said, there
is ample evidence that politically motivated hack attacks are on the rise, notes DK Matai,
chairman and CEO of the mi2g intelligence unit, which deals in cyber security.
Tensions between the U.S. and China following the accidental bombing of the Chinese Embassy
in Belgrade led to a cyber conflict. In the U.S., key government sites, including the Energy
Department, the Interior Department and even the White House were targeted. The Chinese domain,
".cn", and that of Taiwan, ".tw", became the two most defaced domains behind ".com" last year.
India (.in) and Pakistan (.pk) saw similar increases in the number of web site defacements due
to political tensions.
Following NATO air attacks on Serbia in 1999, hackers began to tap into U.S. defense computers
and those of other defense related businesses. And, since September 11, several high profile
U.S. government sites have been defaced, some bearing the Saudi flag and threatening messages
aimed at the U.S. The groups involved, sometimes called "cyber mujihadeens", have hit sites
including the U.S. Army Waterways Experiment Station and the National Institute of Health's
Human Genome Project.
Striking at .ca
Canada is not immune to the cyber threat, experts say. Matai points out that the ".ca" domain
experienced a similar increase in defacements last year, with 215 hits, up from 59 in 2000 and
52 in 1999. He notes that many Canadian sites bear the ".com" domain, as well as ".org" and ".
net", also popular targets. Hits are similarly not aimed solely at government sites, he adds.
"Admittedly there is some bias of attacks towards high profile sites such as whitehouse.gov or
fbi.gov, however more and more attacks are on commercial web sites."
"The 11 September attack had an even deeper ripple effect: the temporary disruption of the
entire U.S. financial and transportation infrastructure," notes the OCIPEP report. "If the
terrorists did not fully anticipate these aftershocks, they can see them clearly now. This
raises the possibility that those responsible may shift their sights away from primarily
symbolic targets, such as heavily populated buildings or sports stadiums, toward critical
infrastructures."
There are about 10,000 "serious grade crackers" using original code attack systems, as opposed
to what Matai calls "script-kiddies", or hackers who rely on ready-made tools. "In terms of
defacement attacks on large corporations, attackers penetrate the systems as multi-level attacks
using subterfuge and social engineering," he explains. Criticisms of lax electronic security are
still being heard, despite the growing awareness created by large-scale attacks such as the "I
Love You" and "Melissa" viruses, and worms like "Nimda" and "Code Red". Criticisms of lax
electronic security are still being heard, despite the growing awareness created by large-scale
attacks such as the "I Love You" and "Melissa" viruses, and worms like "Nimda" and "Code Red".
"My own opinion is that the potential is there [for cyber terrorists to attack], everyone's
networks are so poorly protected, but no one has taken advantage of it," says Chuck Wilmink,
director of the Canadian Center for Information Technology Security (CCITS).
A study by the U.S.-based Computer Security Institute reports that 85% of companies admit to
having their networks breached in 2000, and 64% acknowledge significant financial losses due
to those breaches. A recent report by the U.S. Congress gave two-thirds of American's federal
agencies failing grades in cyber security, including the departments of Defense, Justice,
Energy and Treasury.
Similarly, in Canada, a 1999 Senate report pointed to the potential for a major cyber attack in
Canada, and admitted that the FBI has characterized Canada as a "hacker haven". Perhaps
fortunately, Canada is more often a base for hackers to attack other countries, rather than
a target itself. "Canadian hackers have traditionally tended to attack outside of Canada as
opposed to within," says Matai. He notes that Canada's quieter political demeanor means that
it is less often viewed as a target. ".ca Canadian sites are less vulnerable than .com or .uk
because Canada is not seen to be so aggressive on the world stage."
"I really don't think we've ever considered Canada to be at the same threat level (as the
U.S.)," says Max London, manager of public affairs for OCIPEP. However, OCIPEP has issued the
FBI warnings post-September 11, giving companies advance warning in the event of a cyber attack.
Ultimately, London explains, corporations are responsible for their own security systems.
He notes that OCIPEP is aware of "hacktivist" activity in Canada, specifically "around some of
the larger meetings", such as the G-8 Summit or World Trade Organization meetings. However,
these are a far cry from the threat by a foreign government or terrorist organization that might
harm Canada's critical infrastructure, including systems that support communications,
transportation and services such as health care and finance. With the "increasing dependence and
increasing interconnectivity" of such systems comes a greater risk, however. In the past, OCIPEP
has been involved in public awareness campaigns around threats including the "Code Red" worm,
which was viewed as "a very real threat to the Internet", and has worked with the U.S. National
Infrastructure Protection Center (NIPC), an FBI operation, to disseminate infornation. The NPIC
issued warnings in mid-October of a potential cyber threat aimed at the U.S. power grid, and
yet another aimed at online financial sites.
Insurer reaction
Canada's insurers have been jumping into the terrorism risk fray since September 11, trying to
understand what exposures they might face in the future. Just as no one predicted the events
that represent the largest insurance loss in history, there is fear of what other unforeseen
risks may lie ahead.
As insurers met through the Insurance Bureau of Canada's (IBC) terrorism task force to discuss
the new risk horizon, cyber threats were one possibility on the table, says Anne MacKenzie,
assistant vice president, claims technical, at the Dominion of Canada General Insurance Company
and a member of the task force. She adds, however, that they did not top the list of concerns
for several reasons, including the notion that terrorists generally tend towards visible, high profile acts. "It's usually physical acts of terrorism," she says. "Terrorists like to put the population at fear." OCIPEP also notes that terrorists have traditionally relied on "bombs over bytes" as the weapon of choice.
Cyber terrorism has not dominated discussion of electronic risks, adds Jennifer Soper, assistant
vice president, technology, at St. Paul Canada. Most of the talk seems centered around the major
viruses that have plagued companies. This is partly because many companies do not see themselves
as targets for such acts. "When you're not in the Fortune 500 or brand name companies, you can
get an 'it can't happen to me', almost false sense of security."
She adds that companies often do not discuss the nature of attacks, and still have a "keep it
in the closet" attitude about cyber security breaches. The benefit is that this policy of
silence denies attackers the desired result of publicity. However, terrorists may soon find
that cyber attacks will gain them the same kind of notoriety as physical attacks, MacKenzie
adds. "Nothing would scare people more than to learn that terrorists had hacked into government
sites".
Exclusions, exclusions
Commercial insurance buyers are no doubt facing a tough market in the post-September 11 era,
although the situation was already beginning to grow bleak prior to the terrorist attacks.
Reinsurers had already stated their intention to introduce cyber exclusions into their treaties,
leaving insurers to follow suit.
However, insurers assert that cyber or "data" coverage was never really part of commercial
general liability (CGL) policies. In light of the potential for differing interpretations
(such as the U.S. case of Ingram v. Micro, where it was found that business interruption due
to computer failure should be included in CGL policies), more specific wording was added to
most policies. "The data exclusion was just a clarification to make sure consumers knew what
they were buying, there never was coverage for data," explains MacKenzie. This clarification is
apparent in most policies as of yearend 2001, adds Dominion president George Cooke. "Our view
is that the wordings don't do anything the old wordings didn't do, they're just clearer."
However, the wordings have left many companies scrambling for coverage, Soper says. "What is
available is not widely available." Companies will either have to negotiate coverage as a
limited buy-back option in existing policies, or hunt it down as a separate policy from another
carrier. "In terms of coverage, if there is anything going on it is on a customer-by-customer
level. It has to be." Given the difficulty in quantifying cyber risks, there is no "one size
fits all" policy.
Cooke says he is concerned with the lack of cyber coverage available, but acknowledges that
insurers simply are not in a position to offer it. "It's a situation that troubles me. But we
can't buy coverage [in the reinsurance market], so it's impossible for us to offer it."
September 11 did not help the situation either. He predicts that notwithstanding the terrorist
attacks, cyber coverage would have been a top issue for insurers, but given the shift in
priorities, insurers were unable to come up with private market capital solutions in advance
of yearend commercial policy renewals. "September 11 kind of eclipsed concerns over whether we
should be developing new products to deal with cyber risks," says MacKenzie. However, she adds,
"we will want to revisit it" in the future.
Overriding concern
Regardless of new cyber covers, with the current terrorism exclusions being written, any act
deemed as "cyber terrorism" would not be covered, as the terrorism exclusion would be
overriding. In the wake of September 11, with reinsurers refusing to cover terrorism in their
treaties, insurers were forced to either introduce similar exclusions in their policies or to
negotiate a deal with the government, which would act as excess of loss reinsurer through a
"terrorism pool" arrangement.
By yearend, no such pool had been devised, despite lengthy discussions between IBC
representatives and the government. "The nature of the discussions evolved as the market
evolved," says Cooke, who is also chair of the IBC. "The decision was taken to wait. It was
probably a smart decision."
The U.S. government's inability to come to a solution prior to breaking at the end of the year
was among the contributing factors. Cooke recognizes that it was "politically difficult" for
the Canadian government to come forward with a solution before the U.S., given the fact that
the situation was not of the same scale here. This situation may change as the U.S. House
reconvenes in late January. "People have said that the government wasn't prepared to act, but
I don't buy that," he adds. "Minister Peterson and the staff in Finance were seriously engaged
in discussions and are prepared to act if the need arises."
The need for a solution may not be quite as pressing as originally thought, with renewals
moving along despite the lack of a solution, and the fact that many commercial policies on
target risks have not yet reached renewal.
However, Cooke still feels a solution is needed. The government has consulted with other
associations, most notably the Canadian Bankers Association (CBA), who claim that there is
no need for the coverage. "I think they're wrong," Cooke says, but their resistance makes it
difficult for insurers to press for a solution. He is most displeased with the view that
insurers are looking for a "bail out". "We are not doing an 'Air Canada' here. We're more
than prepared to take our pains for our past sins." But without reinsurance coverage in place,
it is not economically feasible for insurers to offer the coverage.
The terrorism task force was "driven by the sudden recognition that there was now infinite risk
and infinite exposure and that wasn't economically sustainable," says MacKenzie. "It [terrorism
coverage] isn't anything we could write even if we wanted to."
With no cap on the exposure, insurers would be leaving themselves open to unquantifiable risks,
a situation that extends into the domain of cyber terrorism.
"Putting a box around the exposure" or quantifying the risk is especially difficult with cyber
risks, says Soper.. "The 'net is worldwide. It is difficult to know where it (an attack) is
going to come from, and how it's going to come."
She adds, "It's hard when you're an industry that likes to put dollars and cents to things.
There's just no history. You can't go into the archives and pluck out something and say 'this
is going to work for me today'." September 11 was a "humbling" experience for the industry, says
MacKenzie, and as the industry learns more about that event, "we realize we don't know about
all the risks". Prior to September 11 "there was a sense that we could talk about 100-year
events and worst case scenarios...everyone's trying to come up with scenarios, however, the
end of the conversation always comes to the same conclusion, we just can't imagine."
