Skip to main content
Top Button
Cyberwar at Home: Nation-State Threats to the Private Sector Cyberwar at Home: Nation-State Threats to the Private Sector

Cyberwar at Home: Nation-State Threats to the Private Sector

The myriad warnings issued by the U.S. Government in the past weeks about potential cyber-attacks from Iran in response to the U.S. strike that killed Iranian General Qassem Soleimani, underscore the uncertainty of the dynamic threat that many companies face as today’s battlefields spill over into the digital economy. According to the Washington Post’s recently released Cybersecurity 202 report, 85 percent of the cybersecurity experts polled said they expect an increase in cyber-attacks from Iran in the next few months.[1] While the immediate repercussions of the Iranian threats are still unclear and may take time to discern, the episode is a useful reminder for companies to review their cybersecurity posture. 
 
Immediately after the U.S. strike, the Department of Homeland Security (DHS) warned of elevated Iranian efforts to target U.S. interests through disruptive and destructive cyber-attacks on industrial and government networks.
 

Iran maintains a robust cyber program and can execute cyber-attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.[2]

Iran and its proxies have demonstrated a robust capability and intent to attack private cyber infrastructure. According to a recent FBI warning, “The FBI assesses [Iranian cyber] targeting, which has occurred since late 2019, is broadly scoped and has affected numerous sectors in the United States and other countries.[3]" Companies have experienced disruptive cyber-attacks such as ransomware and the use of “wiper” malware. 
 
  • Ransomware encrypts key system and data files and requires payment to access the decryption keys. Ransomware can be very disruptive and, in many instances, leaves the victim company unable to conduct business and in extreme, albeit common cases, may cause small businesses to shutter as the recovery costs exceed their resources.
 
  • Wiper malware, which electronically disables or destroys key components of a computer or system to render it useless, can be highly destructive and often relies on vectors similar to ransomware to attack a system – in fact, a ransomware attack that cannot be resolved through decryption leaves a company in much the same situation as wiper attacks. Like ransomware and data ransoms, wiper attacks typically start with phishing or business email compromises (BEC) where an attacker tricks targeted victims into opening a link or providing network access. Iran has employed wiper attacks against several energy companies for example, including a massive attack against Saudi Arabia that irreparably damaged 30,000 or more computers.
 
Preventative and Mitigating Measures
 
While many companies may view these threats as beyond the scope of a commercially viable defensive and preventive program, in fact, adopting and reinforcing basic security protocols can be as effective against Iranian hackers as it is against cyber criminals. 
 
Cyber hygiene practices such as using multi-factor authentication by adding an additional step for accessing accounts, ensuring data backups are being carried out and being tested, limiting access to sensitive data on a “need to know” principle, and having a practiced and current incident response capability are all key. Once implemented, employees need to be made aware of their role as the first and last line of defense through effective cybersecurity training that relies on scenarios and is tailored to the company and its systems. Providing employees with real life training to identify phishing or BEC emails – by indicators such as syntax errors in emails, imposition of urgency, irregular email addresses, etc. – is critical to reducing the risk. 
 
Recovery & Insurance
 
Many of the areas of risk we see in cyber unfortunately cannot be mitigated easily or at a cost that makes sense for each company. In those cases, which require some thoughtful analysis, companies can use insurance to transfer risks of disruptive and destructive cyber-attacks. Cyber coverage is rapidly evolving in the face of the velocity and change in the threats, and unlike other standard policies – such as homeowners insurance, commercial general liability insurance, and automobile insurance – coverage for cyber threats throughout the insurance industry is not standardized.
 
However, most cyber insurance policies cover costs related to responding to cyber-attacks. Typically, these policies offer coverage for data restoration costs caused by security failures, losses arising out of cyber extortion, and breach response costs such as breach investigation and notification expenses. Some offer immediate and extended revenue loss coverage. Additionally, attorney assistance for liabilities resulting from cyber-attacks can be critical. Most cyber policies cover legal defense costs when applicable.
 
Nevertheless, many insurers limit coverage related to cyber-attacks by nation states like Iran. Most primarily, regardless of the policy type, virtually all will exclude coverage for losses resulting from acts of war or warlike activity. Generally, insurers will not cover losses under the war exclusion if they result from (1) “operations of such a general kind or character as belligerents have recourse to in war” and (2) that such operations be carried out by the military forces of a sovereign or quasi-sovereign government.[4] While courts and the market tend to agree that the exclusion applies to conventional acts of war committed by nation-states, some disagreement exists over whether the exclusion applies to cyber-attacks that do not cause physical damage or cyber-attacks conducted by unknown actors who some allege to be connected to a nation-state.[5] We would expect an attack that appeared to emanate from Iran and involved destruction of company property through a wiper attack would likely lead to an effort to trigger the war exclusion in many policies. However, not all such exclusions are the same. As such, recent events may warrant a re-reading of your cyber insurance policy.
 
Conclusion
 
As risks of cyber-attacks from nation-states like Iran increase, companies should be proactive and consider taking preventative measures such as instituting company incident response plans. Similarly, companies should ensure they are properly insured to mitigate cyber risks by understanding their existing policies and considering what gaps in coverage, if any, they should pursue. For additional information, please contact Guillermo Christensen, Nick Reuhs, or Christian Robertson. Guillermo, a former CIA intelligence officer and a diplomat with the U.S. Department of State, is a partner in Ice Miller’s Data Security and Privacy and White Collar Defense Practices. Nick is a partner in Ice Miller’s Litigation Group where he concentrates his practice on insurance coverage disputes and risk management. Christian is an associate in Ice Miller’s Data Security and Privacy and White Collar Defense Practices.
 
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[1] Joseph Marks, The Cybersecurity 202: Get ready for serious cyber-attacks from Iran, experts say, Washington Post (Jan. 13, 2020), available at: https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/01/13/the-cybersecurity-202-get-ready-for-serious-cyberattacks-from-iran-experts-say/5e1b7ef288e0fa2262dcbc70/.
[3] Sean Lyngaas, FBI says Iranian hackers have stepped up reconnaissance since Soleimani killing, CyberScoop (Jan. 10, 2020), available at: https://www.cyberscoop.com/fbi-iran-soleimani-cyber/.
[4] See Pan Am World Airways, Inc. v. Aetna Cas. & Sur. Co., 368 F. Supp. 1098, 1130 (S.D.N.Y. 1973).
[5] Guillermo Christensen & Rachel Spiker, What Happens When North Korea Attacks Your Company? Will Your Cyber-Insurance Cover You? A Perspective on the Zurich-Mondelez Dispute, (Mar. 20, 2019) available at: https://www.icemiller.com/ice-on-fire-insights/publications/what-happens-when-north-korea-attacks-your-company/.
View Full Site View Mobile Optimized