Just days after the September 11 terrorist attacks the U.S. Federal Bureau of Investigation
began warning the public that the potential for future attacks exist, and among the threats was
that of cyber terrorism. The concept is not a new one, such attacks have been taking place
between Palestinian and Israeli groups, and between U.S. and Chinese sources, in response to
political conflicts. And now, in light of new terrorism and cyber exclusions in insurance
policies, commercial insurance buyers are wondering how to protect themselves from the potential threat of today's "hacktivists" becoming tomorrow's cyber terrorists, and weapons of mass disruption turning into weapons of mass destruction.
February 2002 - Al-Qaida, (the notorious terrorist group formed by Osama bin Laden, has not engaged in computer-based attacks in the past. However, in the wake of the World Trade Center (WTC) attacks, bin Laden has suggested that Al-Qaida has the expertise to use computer technology as a weapon, reports Canada's Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP).
In response to reports from the FBI about the potential threat of cyber attacks in the wake of September 11, OCIPEP began issuing such advisories, and notes that "retaliatory cyber attacks" against coalition countries, primarily in the form of website defacements had already begun. In late November, the Canadian government helped draft the Council of Europe's Convention on Cybercrime, an international effort to deal with issues of terrorist financing, money laundering and cyber terrorism.
The September 11 terrorist attacks changed perceptions of the world's security infrastructure, and the insurance industry's understanding of risk. What had once been inconceivable was now reality and so began the process of imagining the unimaginable in terms of catastrophic risks. Cyber terrorism, a heretofore unconsidered threat, was suddenly put on the world stage amongst a host of new potential threats.
Digital Pearl Harbor
When the U.S. government's new cyber terrorism expert, Richard Clarke, suggested the possibility of a "digital Pearl Harbor", he was greeted with skepticism. The concept of one, large-scale attack on the Internet seems far-reaching, despite the claims of Al Qaida and other Muslim extremist groups who claim to, or are known to, use the Internet as a tool. That said, there is ample evidence that politically motivated hack attacks are on the rise, notes DK Matai, chairman and CEO of the mi2g intelligence unit, which deals in cyber security.
Tensions between the U.S. and China following the accidental bombing of the Chinese Embassy in Belgrade led to a cyber conflict. In the U.S., key government sites, including the Energy Department, the Interior Department and even the White House were targeted. The Chinese domain, ".cn", and that of Taiwan, ".tw", became the two most defaced domains behind ".com" last year. India (.in) and Pakistan (.pk) saw similar increases in the number of web site defacements due to political tensions.
Following NATO air attacks on Serbia in 1999, hackers began to tap into U.S. defense computers and those of other defense related businesses. And, since September 11, several high profile U.S. government sites have been defaced, some bearing the Saudi flag and threatening messages aimed at the U.S. The groups involved, sometimes called "cyber mujihadeens", have hit sites including the U.S. Army Waterways Experiment Station and the National Institute of Health's Human Genome Project.
Striking at .ca
Canada is not immune to the cyber threat, experts say. Matai points out that the ".ca" domain experienced a similar increase in defacements last year, with 215 hits, up from 59 in 2000 and 52 in 1999. He notes that many Canadian sites bear the ".com" domain, as well as ".org" and ". net", also popular targets. Hits are similarly not aimed solely at government sites, he adds. "Admittedly there is some bias of attacks towards high profile sites such as whitehouse.gov or fbi.gov, however more and more attacks are on commercial web sites."
"The 11 September attack had an even deeper ripple effect: the temporary disruption of the entire U.S. financial and transportation infrastructure," notes the OCIPEP report. "If the terrorists did not fully anticipate these aftershocks, they can see them clearly now. This raises the possibility that those responsible may shift their sights away from primarily symbolic targets, such as heavily populated buildings or sports stadiums, toward critical infrastructures."
There are about 10,000 "serious grade crackers" using original code attack systems, as opposed to what Matai calls "script-kiddies", or hackers who rely on ready-made tools. "In terms of defacement attacks on large corporations, attackers penetrate the systems as multi-level attacks using subterfuge and social engineering," he explains. Criticisms of lax electronic security are still being heard, despite the growing awareness created by large-scale attacks such as the "I Love You" and "Melissa" viruses, and worms like "Nimda" and "Code Red". Criticisms of lax electronic security are still being heard, despite the growing awareness created by large-scale attacks such as the "I Love You" and "Melissa" viruses, and worms like "Nimda" and "Code Red".
"My own opinion is that the potential is there [for cyber terrorists to attack], everyone's networks are so poorly protected, but no one has taken advantage of it," says Chuck Wilmink, director of the Canadian Center for Information Technology Security (CCITS).
A study by the U.S.-based Computer Security Institute reports that 85% of companies admit to having their networks breached in 2000, and 64% acknowledge significant financial losses due to those breaches. A recent report by the U.S. Congress gave two-thirds of American's federal agencies failing grades in cyber security, including the departments of Defense, Justice, Energy and Treasury.
Similarly, in Canada, a 1999 Senate report pointed to the potential for a major cyber attack in Canada, and admitted that the FBI has characterized Canada as a "hacker haven". Perhaps fortunately, Canada is more often a base for hackers to attack other countries, rather than a target itself. "Canadian hackers have traditionally tended to attack outside of Canada as opposed to within," says Matai. He notes that Canada's quieter political demeanor means that it is less often viewed as a target. ".ca Canadian sites are less vulnerable than .com or .uk because Canada is not seen to be so aggressive on the world stage."
"I really don't think we've ever considered Canada to be at the same threat level (as the U.S.)," says Max London, manager of public affairs for OCIPEP. However, OCIPEP has issued the FBI warnings post-September 11, giving companies advance warning in the event of a cyber attack. Ultimately, London explains, corporations are responsible for their own security systems.
He notes that OCIPEP is aware of "hacktivist" activity in Canada, specifically "around some of the larger meetings", such as the G-8 Summit or World Trade Organization meetings. However, these are a far cry from the threat by a foreign government or terrorist organization that might harm Canada's critical infrastructure, including systems that support communications, transportation and services such as health care and finance. With the "increasing dependence and increasing interconnectivity" of such systems comes a greater risk, however. In the past, OCIPEP has been involved in public awareness campaigns around threats including the "Code Red" worm, which was viewed as "a very real threat to the Internet", and has worked with the U.S. National Infrastructure Protection Center (NIPC), an FBI operation, to disseminate infornation. The NPIC issued warnings in mid-October of a potential cyber threat aimed at the U.S. power grid, and yet another aimed at online financial sites.
Canada's insurers have been jumping into the terrorism risk fray since September 11, trying to understand what exposures they might face in the future. Just as no one predicted the events that represent the largest insurance loss in history, there is fear of what other unforeseen risks may lie ahead.
As insurers met through the Insurance Bureau of Canada's (IBC) terrorism task force to discuss the new risk horizon, cyber threats were one possibility on the table, says Anne MacKenzie, assistant vice president, claims technical, at the Dominion of Canada General Insurance Company and a member of the task force. She adds, however, that they did not top the list of concerns for several reasons, including the notion that terrorists generally tend towards visible, high profile acts. "It's usually physical acts of terrorism," she says. "Terrorists like to put the population at fear." OCIPEP also notes that terrorists have traditionally relied on "bombs over bytes" as the weapon of choice.
Cyber terrorism has not dominated discussion of electronic risks, adds Jennifer Soper, assistant vice president, technology, at St. Paul Canada. Most of the talk seems centered around the major viruses that have plagued companies. This is partly because many companies do not see themselves as targets for such acts. "When you're not in the Fortune 500 or brand name companies, you can get an 'it can't happen to me', almost false sense of security."
She adds that companies often do not discuss the nature of attacks, and still have a "keep it in the closet" attitude about cyber security breaches. The benefit is that this policy of silence denies attackers the desired result of publicity. However, terrorists may soon find that cyber attacks will gain them the same kind of notoriety as physical attacks, MacKenzie adds. "Nothing would scare people more than to learn that terrorists had hacked into government sites".
Commercial insurance buyers are no doubt facing a tough market in the post-September 11 era, although the situation was already beginning to grow bleak prior to the terrorist attacks. Reinsurers had already stated their intention to introduce cyber exclusions into their treaties, leaving insurers to follow suit.
However, insurers assert that cyber or "data" coverage was never really part of commercial general liability (CGL) policies. In light of the potential for differing interpretations (such as the U.S. case of Ingram v. Micro, where it was found that business interruption due to computer failure should be included in CGL policies), more specific wording was added to most policies. "The data exclusion was just a clarification to make sure consumers knew what they were buying, there never was coverage for data," explains MacKenzie. This clarification is apparent in most policies as of yearend 2001, adds Dominion president George Cooke. "Our view is that the wordings don't do anything the old wordings didn't do, they're just clearer."
However, the wordings have left many companies scrambling for coverage, Soper says. "What is available is not widely available." Companies will either have to negotiate coverage as a limited buy-back option in existing policies, or hunt it down as a separate policy from another carrier. "In terms of coverage, if there is anything going on it is on a customer-by-customer level. It has to be." Given the difficulty in quantifying cyber risks, there is no "one size fits all" policy.
Cooke says he is concerned with the lack of cyber coverage available, but acknowledges that insurers simply are not in a position to offer it. "It's a situation that troubles me. But we can't buy coverage [in the reinsurance market], so it's impossible for us to offer it."
September 11 did not help the situation either. He predicts that notwithstanding the terrorist attacks, cyber coverage would have been a top issue for insurers, but given the shift in priorities, insurers were unable to come up with private market capital solutions in advance of yearend commercial policy renewals. "September 11 kind of eclipsed concerns over whether we should be developing new products to deal with cyber risks," says MacKenzie. However, she adds, "we will want to revisit it" in the future.
Regardless of new cyber covers, with the current terrorism exclusions being written, any act deemed as "cyber terrorism" would not be covered, as the terrorism exclusion would be overriding. In the wake of September 11, with reinsurers refusing to cover terrorism in their treaties, insurers were forced to either introduce similar exclusions in their policies or to negotiate a deal with the government, which would act as excess of loss reinsurer through a "terrorism pool" arrangement.
By yearend, no such pool had been devised, despite lengthy discussions between IBC representatives and the government. "The nature of the discussions evolved as the market evolved," says Cooke, who is also chair of the IBC. "The decision was taken to wait. It was probably a smart decision."
The U.S. government's inability to come to a solution prior to breaking at the end of the year was among the contributing factors. Cooke recognizes that it was "politically difficult" for the Canadian government to come forward with a solution before the U.S., given the fact that the situation was not of the same scale here. This situation may change as the U.S. House reconvenes in late January. "People have said that the government wasn't prepared to act, but I don't buy that," he adds. "Minister Peterson and the staff in Finance were seriously engaged in discussions and are prepared to act if the need arises."
The need for a solution may not be quite as pressing as originally thought, with renewals moving along despite the lack of a solution, and the fact that many commercial policies on target risks have not yet reached renewal.
However, Cooke still feels a solution is needed. The government has consulted with other associations, most notably the Canadian Bankers Association (CBA), who claim that there is no need for the coverage. "I think they're wrong," Cooke says, but their resistance makes it difficult for insurers to press for a solution. He is most displeased with the view that insurers are looking for a "bail out". "We are not doing an 'Air Canada' here. We're more than prepared to take our pains for our past sins." But without reinsurance coverage in place, it is not economically feasible for insurers to offer the coverage.
The terrorism task force was "driven by the sudden recognition that there was now infinite risk and infinite exposure and that wasn't economically sustainable," says MacKenzie. "It [terrorism coverage] isn't anything we could write even if we wanted to."
With no cap on the exposure, insurers would be leaving themselves open to unquantifiable risks, a situation that extends into the domain of cyber terrorism.
"Putting a box around the exposure" or quantifying the risk is especially difficult with cyber risks, says Soper.. "The 'net is worldwide. It is difficult to know where it (an attack) is going to come from, and how it's going to come."
She adds, "It's hard when you're an industry that likes to put dollars and cents to things. There's just no history. You can't go into the archives and pluck out something and say 'this is going to work for me today'." September 11 was a "humbling" experience for the industry, says MacKenzie, and as the industry learns more about that event, "we realize we don't know about all the risks". Prior to September 11 "there was a sense that we could talk about 100-year events and worst case scenarios...everyone's trying to come up with scenarios, however, the end of the conversation always comes to the same conclusion, we just can't imagine."