In the context of cyber war exclusion clauses, attribution means apportioning responsibility for a cyber operation to a state or to a non-state actor. In practice, this can be far less straightforward than it might at first appear.
Attribution stems from the doctrine of state responsibility: in essence, the question of whether or not a state can be held responsible for an internationally wrongful act. If it cannot, then international law cannot be applied to the activity. The fundamental importance of attribution in an insurance context is that attributing a cyber operation to a state will almost always be a requirement, inter alia, for a cyber war exclusion to apply.
Taking the recently published LMA Cyber War Exclusions clauses as an example, attribution is dealt with as follows:
4. The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.
5. Pending attribution by the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf. It is agreed that during this period no loss shall be paid.
6. In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located
6.1. takes an unreasonable length of time to, or
6.2. does not, or
6.3. declares it is unable to attribute the cyber operation to another state or those acting on its behalf, it shall be for the Insurer to prove attribution by reference to such other evidence as is available.
This provides a neat example of why attribution can become a significant problem – it needs to take place, first and foremost, but it also needs to take place in a timely fashion. The issue here is that the act of credible attribution is typically the preserve of state intelligence agencies. The process by which the attribution itself takes place is typically secret and the decision to divulge this intelligence publicly is strictly within the gift of the respective government. If, for some political reason, a government decides against public attribution, as governments routinely do, both insurers and insureds can then be left in a lacuna of uncertainty over how a claim should progress. It is also crucial to recall that any claim likely to engage a cyber war exclusion will be systemic in nature, and therefore likely to be one of many and of very high monetary value.
So, what can organisations do about this? It is important to note that the insurer bears the burden of proving attribution in the event of a failure by states to attribute, but insureds need to be aware that insurers may seek to rely on such other evidence as may be available to them. It is almost certain that any such situation will result in lengthy consultation and a significant exchange of views, though the scope for dispute in this area is clearly substantial. Regrettably, this may be one of those areas in which litigation becomes a necessary precursor to greater certainty in the application of cyber war exclusions.
In the context of the ongoing conflict between Russia and Ukraine, political caution over public attribution is less likely to be a problem, but in the present era of perpetual competition between states, it is entirely conceivable that a substantial cyber operation could be launched by a particularly influential state, or one with highly influential allies, for which public attribution is not widely deemed to be politically expedient. It is from just such a cyber operation that any wide-scale litigation in this area is liable to follow.