Attributions Have Consequences: The Danger of Calling Out Cyberattackers
Leonid Bershidsky reports:
The $100 million lawsuit that Mondelez, the maker of Oreos and Cadbury chocolate, has brought against Zurich Insurance Group shows that governments should be more careful about identifying the would-be culprits in putative cyberwars: Such claims can have unintended consequences, and can sometimes harm businesses.[…]
Mondelez claimed $100 million on its insurance policy because it believed the permanent damage to 1,700 of its servers and 24,000 laptops, inflicted by NotPetya, plus the theft of thousands of user credentials, unfulfilled customer orders and other losses fell under the provision of its insurance policy that covered “physical loss or damage to electronic data, programs, or software” caused by “the malicious introduction of a machine code or instruction.” In June 2018, Zurich countered that NotPetya fell under an exclusion in the policy covering “hostile or warlike action in time of peace or war,” which meant the insurer didn’t have to make good on the claim.
Read more on Bloomberg.