20 November 2023

Is the Fear of Cyberwar Worse Than Cyberwar Itself?

Tom Johansmeyer

Cyberwar is a scary concept. The thought of the grid going down, markets tanking, and mass riots is chilling. Popular media and entertainment accounts of cyberwar would have us believing we’re living right on the edge, with a few keystrokes enough to take the world to a dark place. This alarmism has found some purchase in more sophisticated circles, which seems to lend credence to the belief that cyberwar is right around the corner, if not upon us.

But this hyperbolic characterization of cyberwar is likely a bigger problem than the threat of cyberwar itself. The problem is one of economic security.

The global insurance market has a cyberwar problem. The industry doesn’t understand the associated risks well, which has caused it to seek to avoid involvement with cyberwar altogether. By excluding cyber risks, the insurance industry buys into the culture of fear that has formed around cyberwar. This culture of fear has led insurers to require that their cyber teams hold extra capital out of concern that a major cyber conflict could devastate their balance sheets. This has to change. By refining its understanding of cyber-war risk, the insurance industry will be able to provide more insurance protection and make it more cost-effective. In the end, that would mean more insurance being provided and, as a result, greater economic security for businesses and society as a whole.

Insurers’ Engagement With Cyber Risk

The global insurance market seeks to play a significant role in addressing cyber risk, although the industry’s engagement with cyber risk is still in its early stages. The cyber insurance sector is still small by broader insurance industry standards, with only about $13 billion in worldwide premium and roughly $400 billion in notional protection outstanding (the amount of insurance protection companies have purchased). Recent rapid growth in aggregate worldwide premium has outpaced notional limit outstanding, suggesting a disconnect between the growth of revenue to the industry and the attendant growth of cyber insurance protection available to society. Growth has come from charging more premium per dollar of protection, which is arguably reasonable after the recent “ransomware epidemic.”

The specific role the industry seeks to play as relates to economic security tends to be retrospective rather than preventive. Cyber insurance accelerates the return to normal—or at least functioning—following a cyberattack. This is because the consequences of a cyberattack tend mostly to involve economic damage to the companies affected, in the form of spending necessary to reverse the damage or lost opportunity to continue operations and generate earnings. In this regard, insurance is effective, particularly given the reversibility associated with cyber risk. The damage from such an attack is most easily reversed when supported by an injection of capital to finance remediation—from crisis counsel, to information technology forensics, to consumer notification (when relevant). In fact, this post-event infusion of capital (from an insurance claim) can help an affected company return to normal as quickly as possible while minimizing the need to divert funds from other sources to deal with the consequences of the attack.

Insurers have become quite adept at handling day-to-day cyber losses, such as isolated ransomware attacks and breaches, I learned through 10 interviews I conducted with cyber insurance executives to support my ongoing doctoral research. Known as attritional losses, these are the sorts of claims insurers encounter and handle routinely, similar to slip-and-fall claims in liability classes of business and fender benders in auto.

Systemic risk, by contrast, is more concerning. Also known as “cyber catastrophe” risk, it involves cyberattacks affecting a large number of companies at the same time, resulting in a significant and reasonably simultaneous aggregation of losses. Cyber catastrophe is analogous to hurricanes, earthquakes, and other natural disasters—in which many insureds (and insurers) are hit at the same time.

The reinsurance industry helps insurers address systemic risks outside of cyber, with more than $600 billion in capital allocated for reinsurance globally. This support has been slow to gain ground in the cyber insurance sector, though. Rather than purchase cyber reinsurance designed to hedge against the risk of systemic events, as insurance companies do for property catastrophes, insurers have been more inclined to use proportional structures, through which they effectively give a share of their portfolios to reinsurers. This means that they cede both attritional and systemic risk to reinsurers.

Among the largest and most concerning systemic scenarios for both insurers and reinsurers is cyberwar. There is a persistent fear that cyberwar is virtually uninsurable and needs to be excluded. Leading reinsurer Munich Re, which is also a leader in the cyber reinsurance market, says that cyberwar “risk transfer is not possible” because “its consequences are so large and wide-reaching that private industry simply is not able to bear such a ruinous risk.”

Distinguishing Between Cyber Risk and Cyberwar

Cyberwar is a subset of systemic cyber risk, within the broader category of cyber risk. Aside from war, systemic scenarios include, among others, cloud outages and attacks on centralized software vendors (Kaseya is an example). While the prospect of cyberwar has been heightened by the war in Ukraine, which involves a cyber power, the historical scholarship sees the risk as quite remote—with empirical evidence from the Russia-Ukraine conflict supporting this view.

Thomas Rid, political scientist at Johns Hopkins, offers the classic starting point for contextual discussions regarding the risk of cyberwar, famously declaring it likely impossible as far back as 2012, as it lacked the violence required by the Clausewitzian tradition. Although some of Rid’s claims have not stood the test of time, what may seem like holes in his argument are really more akin to pinpricks. For example, he says, “No cyber attack has ever damaged a building,” to explain that cyber cannot cause physical damage. The production problems at Norsk Hydro resulting from LockerGoga stand in contrast, but the lack of scale suggests that Rid remains substantially correct—with the same holding true for loss of life.

The first sentence of a response to Rid’s article from John Stone, political scientist at King’s College, London, reads, “Cyber war will take place!” But that sentence is followed quickly by “perhaps not, but my purpose here is to demonstrate that cyber war could take place.” That one word, italicized in the original text, effectively defangs the argument. Stone’s potentiality and the alarmism that also characterizes the work of Joe Reeder and Tommy Hall, who make the heavily qualified claim that there are “some accounts” that “literally millions of ransomware attacks go unreported,” fail to add up to the imminence of cyber-war risk. Such claims, though, support the hyperbole that has pushed its way into the public consciousness. Jon Lindsay, professor of international affairs and public policy at Georgia Tech, notes media accounts that likened Stuxnet to the “‘cyber equivalent of the dropping of the atom bomb,’” a position he identifies as a colorful characterization that could only serve to increase confusion over cyber capabilities and their potential impact. And it’s that sort of characterization that keeps the prospect of cyberwar top of mind, despite the fact that cyber operations have yet to play a significant role in a major armed conflict.

The natural starting point in examining a possible major role for cyber operations in armed conflict is the ongoing Russia-Ukraine conflict, given that it is recent and involves a global cyber power. The other wars fought over the past two decades or so have generally involved states without significant cyber capabilities—Afghanistan and Iraq come to mind. Throughout the conflict in Ukraine so far, cyber operations have had a limited impact. Both sides have made several high-profile attempts, yet these have not amounted to any significant strategic gains.

Cyber has played minor roles in smaller conflicts, with cyber operations in the 2008 conflict in Georgia and the 2014 invasion of Ukraine serving as relevant examples. Russia’s cyber campaign during its war with Georgia consisted of attacks on “fifty-four news, government, and financial websites,” as part of an overall war effort described by U.S. Army Capt. Sarah White as “remarkable for its inclusion of a series of large-scale, overt cyberspace attacks that were relatively well synchronized with conventional military operations.” Yet the impact was still minimal, with “little effect on conventional forces.” White also noted that the attacks were “not decisive to the outcome of the conflict” and that the average denial of service lasted two hours and 15 minutes—with the longest lasting six hours. With outage as a point of comparison, cyberattacks on the Ukrainian power grid in 2015 left over 230,000 people without power for as long as six hours. Like the 2008 denials in Georgia, the impact can only be described as underwhelming.

Although the fact that these outages came from hostile acts should not be downplayed, the consequences fail to reach thresholds routinely experienced from other causes, such as natural events. Hurricane Ida left approximately 430,000 households in Louisiana without power for more than a week. Superstorm Sandy kept much of Hoboken (including me) without power for five days and caused 8.5 million power outages spanning 21 states. The comparatively rapid restoration of power to more than 1 million people after Hurricane Ian in 2022 was still measured in days rather than hours, with a similar outcome after Hurricane Irma in 2017. War requires some amount of scale, as Rid and others have observed, and it appears the cyberattacks sometimes considered “war” fall far short of the large-scale outages we experience regularly.

The measures of the scale of cyberattacks described above should signal to reinsurers that the threat of cyberwar is relatively limited. After all, reinsurers have decades of experience with property-catastrophe risks, over which they have absorbed far more loss than cyber has generated. In fact, insured losses from natural catastrophes reached $120 billion in 2022, according to Munich Re. That’s nearly 10 times the cyber insurance sector’s aggregate premium this year and approximately 30 percent of all cyber insurance that is outstanding worldwide. The fears of cyberwar are generally unfounded, but they persist. While many reinsurers have sought to exclude cyber-war risk, as discussed above, efforts to do so are uncertain due to questions about the consistency and reliability of the definitions they use: Some have indicated that the definitions of terms like “war” may be ambiguous. Further, such exclusions have yet to be meaningfully tested.

Closing the Cyber Gap

There is a sense across the reinsurance industry that cyber is somehow different. Reasons given to me in both research and informal conversations have ranged from the standard “everything is interconnected” and “what happens if the internet goes down around the world, even for just a day?” to simply assuming the worst imaginable because there’s no precedent at hand and basic career risk (nobody gets fired for being afraid of cyber risk). The most honest reason I heard for thinking that cyber is somehow different from other forms of risk—with clear ties to the risk of cyberwar—was simply: “My opinion comes from probably watching too many movies.” Or as one of my formal research subjects put it: “There’s also the perception of the great unknown … there’s only so far it can go until it turns into a war-like situation.”

The problem may result from several factors, including a taste for fiction. There is a belief that the worst consequences of cyber risks are harder to envision than what society has experienced already. It’s a new domain, unlike natural disasters, for example, which are presumably as old as the planet itself. It’s easy to find natural disasters impacting human society from hundreds of years ago. Without a common reference point in the form of historical experience and attendant quantification, there is more room for imagination, making the unrealistic somehow more imminent. Because of this, a clear disconnect between the actual risk of cyberwar—as clearly expressed by scholars and practitioners for over a decade—and the fears that have driven the decisions made by some of the reinsurance industry’s largest and most influential companies has been able to emerge. And it’s this fundamental misalignment that introduces the most risk.

The focus on cyberwar exclusions not only limits coverage for cyberwar but also perpetuates the belief that cyberwar is an imminent, realistic, and potentially massive and destructive risk. This in itself casts a shadow on cyber risk in general, pushing reinsurers into the position of unspecified uncertainty.

The general fear of cyberwar, along with other unprecedented systemic cyber risks, has without a doubt given many insurers pause when thinking about writing more cyber insurance, a decision that impedes the growth of the insurance market. Constraints on growth translate directly to economic security vulnerability. Insurance is an effective economic security tool within the context of cyber risk, and limiting market penetration thus exacerbates risk. If reinsurers had a more realistic view of cyberwar, they would be able to provide significantly more reinsurance protection to their existing and prospective customers, which itself would make cyberattacks more easily reversed and thus less impactful.

There’s an additional, more nuts-and-bolts problem. Unrealistic fears of cyberwar influence the capital requirements that reinsurers have with regard to cyber-war risk. With fears of the risk inflated, the expectation of how much capital reinsurers would have to hold to ensure they would meet their obligations in the event of a cyberwar increases. These high capital requirements limit the amount of cyber risk that reinsurers can assume, acting as a further constraint on their ability to write more cyber insurance—which effectively limits the overall amount of cyber insurance that can be offered. Correcting this misperception and the policies that follow from it provides a straight line toward economic security.

Fortunately, there are potential solutions, and they aren’t so difficult to implement. Reinsurers need to understand the nature of the cyberwar risk. That begins with reviewing the scholarship that has analyzed the history and character of cyberwar (which has been neglected) and balancing the need for war exclusions with the potential impact of cyberwar itself. Recent history suggests that cyberwar is not the menacing systemic threat implied by all the hours invested in developing exclusions. I asked a cyberwar panel at the recent ASTIN Cyber Workshop in London how much insured loss cyberwar exclusions have likely prevented. The answer: “Likely none.” I’ve found that the Russia-Ukraine conflict may be responsible for $200-300 million in cyber insurance exposed to war exclusions, through informal conversations and research in my prior role as head of the insurance data and analytics team at PCS, but that’s a lot closer to “none” than it is to the forecasted insurance industry-wide insured loss of $26 billion.

A healthy appreciation for the likelihood and potential impact of cyberwar could help improve how insurers and reinsurers model and price this risk, particularly as part of an effort to include coverage for cyberwar rather than exclude it. The industry’s actuarial capabilities are robust; they just need to be deployed to better effect with regard to cyberwar risk. Using refined assumptions with lessons from the conflict in Ukraine could help insurers and reinsurers pair their actuarial models with a narrative of the events being analyzed. If they want to hedge against a $20 billion industry-wide insured loss from cyberwar, they should be able to explain the nature of the risk and how such a loss could arise. Essentially, actuaries should be given the chance to be actuaries, rather than see the risk dismissed by timid executives long before the models are built.

Finally, reinsurers need to translate that accumulated knowledge and understanding into underwriting, pricing, and reserving (determining how much capital to hold for future losses) practices. Rather than succumb to fear, reinsurers should equip their professionals with the historical thinking, context, and data available—all of which exists, sometimes to the point of abundance. Done properly, irrational impediments to the flow of capital will fall aside, and the reinsurance market will be able to respond to the nature of the risk rather than to the popular portrayal of it. The natural consequence of this improvement in the treatment of cyberwar should meaningfully fortify global economic security. The United States has made an important bet on cyber insurance by making it a material economic component of the nation’s cyber security strategy. If that bet is any guide, then it’s clear that an improved flow of capital could be a powerful force in global cyber security.
