The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”
NotPetya was described by the White House as "the most destructive and costly cyber-attack in history" and five years later, many of the companies hit by the Russian cyber attack are still sorting out who will pay for the damages and, in particular, what portion their insurance will cover. Several insurers have denied NotPetya-related claims on the grounds that the cyber attack was a "warlike action" because it was perpetrated by the Russian government and therefore excluded from most standard insurance policies. This has led to a series of legal disputes about what constitutes cyberwar and when cyberinsurance carriers are obligated to pay for damages linked to state-sponsored attacks. This talk will examine these disputes through the lens of the history of cyberinsurance, tracing the emergence and continuing growth of the cyberinsurance industry and describing how it has evolved in the first twenty years of its existence, where it is headed, why online threats have been particularly challenging for many insurers to model, and what role policy-makers can and should play in helping the market stabilize and grow. It will also consider how carriers and policyholders are responding to the disputes over NotPetya in light of the current war between Russia and Ukraine and the uncertainty around whether insurance coverage would apply to state-sponsored cyber attacks that occurred in the context of a war involving the use of physical force.
Josephine Wolff is an associate professor of cybersecurity policy at The Fletcher School at Tufts University. Her research interests include liability for cybersecurity incidents, international Internet governance, cyber-insurance, cybersecurity workforce development, and the economics of information security. Her first book, You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches, was published by MIT Press in 2018 and her second book, Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks, came out from MIT Press in 2022. Her writing on cybersecurity has also appeared in Slate, the New York Times, the Wall Street Journal, the Financial Times,The Washington Post, The Atlantic, and Wired.