It is commonly said that cyberspace is the “Wild West,” a realm where there are no laws and no sheriff in sight. Even acknowledging that this view contains a degree of hyperbole, it is unfortunately no less true after last year’s fruitless conclusion to a decade’s worth of international discussions regarding the future of international law in cyberspace.  The United Nations (“UN”) Group of Governmental Experts (“GGE”) on Developments in the Field of Information and Telecommunications in the Context of International Security had been considering the application of international norms to the member countries’ activities in cyberspace. Traditional powers, including the United States, China, and Russia, had participated in the effort,  but negotiations were ultimately frustrated, as divisions along old “Cold War” lines prevented agreement on key terms.  In light of this development, cyberspace appears likely to remain an international “Wild West,” with no established legal framework to address cyber attacks carried out or otherwise supported by nation-states.
This is important to U.S. companies because recent history — including the indictment last month of nine Iranian nationals in a “massive cyber theft” and 2017’s WannaCry and NotPetya destructionware attacks, which have been attributed to North Korea and Russia, respectively — shows that attacks by nation-states, even when they are not directed at U.S. businesses, may have substantial adverse effects on those companies. Accordingly, U.S. companies need to understand their potential vulnerability to nation-state cyber attacks and the possibility of using their insurance to manage those risks.  This article explores the development and ultimate collapse of the UN cyber talks, the implications for U.S. businesses, and insurance considerations in light of the ongoing threats.
The UN talks on international norms for cyberspace
In 1999, the UN General Assembly recognized the “scientific and technological” value that cyberspace represented and the need to protect its civilian uses.  The General Assembly concluded that it was “necessary to prevent the misuse or exploitation of information resources” and that member states should work toward considering the “[a]dvisability of developing international principles that would enhance the security of global information and telecommunications systems and help to combat information terrorism and criminality.”  The GGE officially began its work in 2004 and, over the years, seemed to make advancements toward an international legal framework.
The GGE recognized the impact that the development of information and communications technologies (“ICTs”) could have on matters of national security. In 2009, the group alerted states that the growing use of ICTs would create “new vulnerabilities and opportunities for disruption.”  Indeed, the GGE pointed out that “the same technologies that support robust e-commerce can also be used to threaten international peace and national security.”  The GGE recommended, among other things:
- Increasing dialogue among states to discuss norms concerning ICTs, in order to protect critical national and international infrastructure;
- Creating information exchanges regarding national ICT legislation; and
- Identifying measures to support capacity building in less-developed countries. 
In 2013, the GGE acknowledged the importance of maintaining an international legal framework that could preserve peace in cyberspace. The group’s recommendations stated, “the application of norms derived from existing international law . . . is essential to reduce risks to international peace, security and stability.”  Furthermore, “States must not use proxies to commit internationally wrongful acts” and should seek to ensure “that their territories are not used by non-State actors for unlawful use of ICTs.” 
In 2015, the GGE noted “[t]he diversity of malicious non-State actors, including criminal groups,” which could create misperception of state action and the “possibility of harm to their citizens, property and economy.”  The GGE called again for increased cooperation between nations and the use of ICTs in a way consistent with preserving “global connectivity and the free and secure flow of information.” 
Despite such indications of progress, 2017 brought the breakdown of the GGE’s talks. The failure of the negotiations was ultimately driven, in part, by what media described as divisions along Cold War lines.  On one side, U.S. expert to the GGE, Michele Markoff, argued that the GGE was misguided in not seriously considering the inclusion of the member states’ right to self-defense against foreign-state attacks.  The right to self-defense, in its broad sense and as memorialized in Article 51 of the UN Charter, refers to a state’s right to respond to an “armed attack” against it.  Markoff argued that the recognition of the right to self-defense in the cyber context would “help reduce the risk of conflict by creating stable expectations of how states may and may not respond to cyber incidents they face.”  On the other side, Cuba opposed recognizing a right to self-defense, arguing that such a regime would “convert cyberspace into a theater of military operations and . . . legitimize, in that context, unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs.”  Having reached an impasse, the GGE officially dissolved in 2017. 
Foreign-government cyber attacks are likely to hit U.S. businesses
The practical implications of the failure of the GGE talks come into greater focus against the backdrop of near-daily news of globally significant cyber incidents. Contrary to a previously popular depiction of hackers as rogue, individual actors, governments and experts have come to understand that many cyber attacks, including those targeting businesses, are carried out or supported by foreign governments.
For example, in March 2018, the Department of Justice announced charges against nine Iranian nationals for their alleged participation in a massive cyber theft affecting 30 U.S. companies, five governmental agencies, and 176 universities across the globe.  Deputy Attorney General Rod J. Rosenstein stated that these individuals “acted at the behest of the Iranian government, and specifically, the Iranian Revolutionary Guard Corps.”  The Iranian Revolutionary Guard Corps, better known as the Islamic Revolutionary Guard Corps, is classified as a terrorist organization by the Department of Treasury for providing assistance to the Iranian military and for its involvement in the Syrian civil war. 
Similarly, two recent “ransomware” attacks, which in fact only masqueraded as ransomware attacks but were actually destructionware attacks — WannaCry and NotPetya — have been attributed to foreign governments by the United States. These two attacks illustrate the disruption and enormous costs that nation-state cyber attacks can inflict on businesses. Starting in March 2017, WannaCry — which the United States (and United Kingdom) have attributed to North Korea  — wreaked havoc in many parts of the business world by virtually holding hostage hundreds of thousands of computers.  WannaCry crossed international borders, hitting businesses across many industries,  including banks, car manufacturers, and hospitals.  Then, in June 2017, NotPetya — which the United States has attributed to Russia  — brought another wave of cyber-chaos across borders and industries.  Some sources estimate that these attacks caused almost $5 billion in global financial losses.  Importantly, neither of these attacks specifically targeted U.S. companies, but they nevertheless quickly crossed borders through cyberspace, resulting in widespread damage to U.S. companies.
Of course, the threat of nation-state cyberattacks against businesses and other entities is not limited to ransomware schemes. Several other high-profile cyber attacks have been attributed to governments, including:
- Stuxnet, the computer worm that in 2011 attacked and effectively halted Iran’s nuclear program. The worm was widely attributed by the media to a joint American and Israeli effort. 
- The 2016 cyber theft of $81 million of Bangladeshi funds from the New York Federal Reserve, which has been attributed by the media to North Korea. 
- The hacking of the Democratic National Committee’s servers in 2016, which U.S. investigators suspect was supported by the Russian government,  and the February 2018 indictment by the Special Counsel’s Office of 13 Russian individuals for their alleged involvement in online “information warfare” related to the 2016 election. 
- The hacking of HBO in May of 2017, which led to a $6 million extortion scheme against HBO and a leak of “Game of Thrones,” attributed by the Department of Justice to an Iranian national who had previously assisted the Iranian military in their cyber attacks. 
- The attack on Ukraine’s electrical grid in December of 2015, which caused more than 200,000 consumers to lose power and has been attributed by the media to Russian groups. 
- The attack on Saudi Arabia’s state oil company in 2012 through the use of “Shamoon,” a virus designed to wipe target hard drives clean of data.  The U.S. Department of Homeland Security attributed the attack to Iran. 
- The cyber attack against the World Anti-Doping Agency (“WADA”) in the summer of 2016, causing the leak of athletes’ confidential medical data, which WADA attributed to a Russian cyber-espionage unit named “Fancy Bear.” 
- The alleged cyber espionage against several major U.S. companies by members of the People’s Liberation Army of China between 2006 and 2014, which resulted in federal indictments of five alleged Chinese military hackers. 
- A series of cyberattacks in 2012 and 2013 against several U.S. financial institutions, which disrupted operations through the use of Denial-of-Service attacks.  The U.S. Department of Justice attributed these attacks to a group of Iranian individuals acting on behalf of the Iranian Revolutionary Guard Corps. 
A clear lesson from these examples is that nation-state cyberattacks represent a serious risk to all businesses and organizations that do business in cyberspace. Indeed, the Council of Economic Advisers warns that nation-states may attack businesses “potentially as a retaliation against sanctions or other actions taken by the international community.”  Many cyber incidents cannot properly be understood like some “traditional” risks — for example, the sinking of a ship or a fire in a factory — which might be viewed as one-off events that affect a particular business in a particular industry. Rather, nation-state cyberattacks frequently cast an extremely wide net, and a single attack might spread to affect hundreds of organizations or more while it runs its course over a period of weeks or months. Particularly given the failure of the UN GGE discussions, there is every reason to expect that nation-states might continue or expand their use of cyberspace to pursue their geopolitical goals. As the President’s National Infrastructure Advisory Council stated in a draft report: “Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure.” 
Magnitude of the risk and some insurance considerations
The potential losses associated with a cyberattack include, but are not limited to, stolen or corrupted data; business interruption and extra expense losses; damage to reputation and brand; and various response costs in the form of fees for forensic investigators, notification of affected consumers or vendors, and establishment of call centers and credit monitoring. Indeed, it is the ability of a cyber attack to significantly disrupt vital processes that may make international cyberattacks an appealing option for nation-states. 
Given the immense threat posed by international cyber attacks and the apparent failure of the international community to develop a legal framework to deter nation-state cyber attacks, there is no time like the present for policyholders to understand potential insurance coverage for this type of risk. “Traditional” insurance may provide coverage for certain Internet-related losses and liabilities. Such “traditional” coverages include commercial property policies, commercial general liability insurance, and errors and omissions (or professional liability) insurance policies. Policyholders will want to review carefully whether any “cyber” exclusions that may limit or divest the policyholder of coverage have been included in those policies. Depending on policy wordings, insurers may assert that certain cyber risks are not covered by such “traditional” insurance.
In recent years, the number and variety of specialty cyber-insurance coverages has grown significantly, with approximately 70 insurers currently offering some form of cyber coverage. Cyber policies may differ widely in the types of coverages provided and the scope of coverage that would be provided in the event of a cyber attack.
Because of the nature of these attacks, business interruption coverages are likely to be implicated. With cyber attacks like WannaCry and NotPetya, a victim’s entire computer network may become unusable for a period of time. Such downtime may translate into significant costs, including lost profits and the extra expenses of mitigating such losses. Policyholders may wish to consider whether their current policy contains coverage for business interruption and whether there are any relevant policy exclusions for attacks allegedly or actually initiated by nation-states.
For example, some insurance policies contain exclusions related to “war,” “warlike action,” “terrorism,” “hostilities,” and “hostile acts,” which an insurer might invoke in an attempt to avoid coverage. Policyholders should not assume that such an exclusion necessarily bars coverage for a particular cyberattack. The precise wording of each exclusion, which may vary substantially among policies issued by different insurers, should be applied carefully and narrowly. For example, depending on the wording of the exclusion, it may be very difficult for an insurer to establish that a particular cyber attack rises to the level of, for example, “war” or “warlike action.” Similarly, the undefined term “hostilities” (for example) is very vague and ambiguous. Where an ambiguous term like “hostilities” appears in a list with other excluded events such as “war” and “warlike action,” the doctrine of ejusdem generis holds that the meaning of the ambiguous term should be restricted to something similar to “war” or “warlike action.” Also, the origin of a cyber attack is often unclear and subject to dispute, even years after the attack occurred. It may be inappropriate for an insurer (who generally bears the burden of proving that an exclusion applies) to invoke an exclusion where there exists any uncertainty as to a cyber attack’s origin, even if government or media sources have attributed the attack to a government or military entity.
Most cyber policies also contain exclusions for property damage and bodily injury. Cyber-physical attacks are real, and are no longer just the product of speculation. For example, a cyber attack may affect monitoring software meant to keep processes under control, like electronic gauges, GPS systems utilized in transportation environments, and even vital cooling systems for valuable computer networks. A careful analysis of how property damage and bodily injury exclusions might apply may be very useful in assessing the responsiveness of a cyber policy to such a cyber-physical attack.
As the foregoing suggests, it is in a policyholder’s interest to carefully review, in consultation with insurance coverage counsel, the wording of any cyber insurance that the company currently has in effect or is considering purchasing. Policyholders and their counsel may be able to negotiate with insurers during the placement or renewal of an insurance program to obtain more favorable wording than the “off-the-shelf” language might provide (including with respect to “war” exclusions and other exclusions).
Likewise, in the event that an organization finds itself in the unfortunate position of being a victim of a cyber attack, coverage counsel can assist with a prompt, careful review of any potentially applicable insurance policies and analyze the necessary steps to pursuing potential insurance coverage (including the timely provision of notice to relevant insurers).