What is Hostile or Warlike?: An in-depth look at the Merck war exclusion decision and its shortfalls

On January 13, 2022, the  Superior Court of New Jersey, Law Division, held in Merck & Co., Inc., et al. v. ACE Amer. Ins. Co., et al., No. UNN-L-2682-18, that the Hostile/Warlike Action Exclusion in various property policies did not prohibit coverage for the NotPetya cyberattack launched by the military arm of the Russian Federation government against the country of Ukraine. The basis of the court’s holding was not a lack of attribution – indeed, as detailed below; a lack of attribution is a weaker argument than many contend. Instead, the court concluded that because the attack by one nation state on another did not involve “traditional” warfare, the exclusion cannot apply.

We are not going to be coy about this – we think this decision is wrong. It inserts an undefined and unaddressed conception of “traditional” into the exclusion, relies upon an arbitrary conclusion as to the meaning of war in a vacuum of kinetic weaponry, and wholly ignores the meaning of “hostile” activities. Further, the decision relies upon case law rendered before the Internet existed and before “cyber” was a word. (We’re not joking.) The reasoning of this decision looks backward to a century past, and we believe it will not age well.

Nevertheless, the decision should serve as an alarm bell for carriers, their claims personnel, and their underwriters. The Merck decision’s logic declares in no uncertain terms that if the word “cyber” is not used in an exclusion, some courts will hold that it does not apply to a cyberattack. And, as unreasoned as a decision we believe Merck is, we cannot ignore it or say that it will be the last of its kind.

What was NotPetya?

The facts of the case are straightforward. Yet, to appreciate the decision’s context fully, it is important to revisit the NotPetya attack. On June 27, 2017, the eve of Ukraine’s “Constitution Day” – a day that commemorates approval of Ukraine’s Constitution following the country’s independence from the former Soviet Union – the malware NotPetya was unleashed. The cyberattack perhaps remains the most destructive of its kind, infecting computer systems worldwide and reportedly causing in excess of $1 billion in losses to three US organizations alone. The NotPetya malware was designed to masquerade as then existing ransomware known as Petya, the latter of which encrypted computer files until the victim paid a ransom in return for a decryption key. However, unlike ransomware, NotPetya did not have a decryption key – once data had been encrypted, it was irretrievably lost.[1]

Critically, and to fully understand the concerns raised by the Merck court’s decision, worldwide attribution for the attack was nearly unprecedented.

  • On January 12, 2018, The Washington Post reported that the CIA had attributed NotPetya to the Russian military.[2] According to the article, “[t]he attacks reflect Russia's mounting aggression in cyberspace as part of a larger ‘hybrid warfare’ doctrine that marries traditional military means with cyber-tools to achieve its goal of regional dominance” (emphasis added).
  • The White House, with a Russian-friendly administration, similarly laid blame for the attack with Russia for the “reckless and indiscriminate cyberattack.” Press Secretary Sarah Sanders stated that the attack “was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict[.]”[3]
  • By mid-February, the Five Eyes Alliance attributed the attack to the Russian government.[4] Thereafter, Denmark, Latvia, Sweden and Finland each declared their support for this attribution in what has been described as a “coordinated diplomatic action.”[5]

On October 15, 2020, a federal grand jury in Pittsburgh returned an indictment against six Russian Federation nationals, all officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU) - a military intelligence agency of the General Staff of the Armed Forces – in connection with the NotPetya attack and other attacks.[6] Other attacks for which defendants were indicted included interference and attempted destabilization of 2017 French elections, “broad cyber campaign against government and private sector entities in the country of Georgia­ including the Parliament of Georgia,” and attacks against the Organization for the Prohibition of Chemical Weapons (OPCW) after the organization assisted the UK in its investigation of the Mach 2018 poisoning of former GRU officer Sergei Skripal and his daughter in Salisbury, England.[7]

In announcing the charges, Assistant Attorney General John C. Demers stated:

No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite …. Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way. [Emphasis added.][8]

The unsealed indictment stated in part:

  • “At all times relevant to the indictment, from at least in and around November 2015 through in and around October 2019, the Russian Federation (‘Russia’) operated a military intelligence agency called the Main Intelligence Directorate of the General Staff of the Armed Forces (‘GRU’).”[9]
  • “Among the victims targeted by Military Unit 74455 were thousands of U.S. and international corporations, organizations … foreign governments … including” Merck.[10]
  • Defendants’ objective was to “was to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access (‘hacking’) of victim computers.”[11]

Why is all this relevant? Because the court’s decision is not about lack of attribution of one foreign government attack on another. Instead, the straw upon which the weight of the Merck court’s decision weighs depends upon an arbitrary differentiation between kinetic and cyber warfare. It is about the nature of the attack and the meaning of “war” as rendered in a pre-digital, Internet world.

The Court’s decision

Merck is the unnamed pharmaceutical company referenced to in the unsealed indictment. According to the court’s decision, the NotPetya malware spread to over 40,000 computers, causing $1.4 billion in damage.

After Merck sustained damage from the NotPetya malware, it sought coverage under various insurance policies, including $1.7 billion it has purchased in property insurance. (To be clear, the Merck lawsuit did not involve cyber lines insurance.) The carriers contended that the Hostile or Warlike Action Exclusion applied to prohibit coverage because malware had been an instrument of the Russian Federation and/or an agent of Russia as part of Russia’s ongoing hostilities against Ukraine. Merck argued that the exclusion did not apply because (1) the cyberattack was not “an official state action, but rather was a form of ransomware,” and/or (2) even if Russia had instigated the cyberattack Russia to harm Ukraine, the exclusion would still not apply because a cyberattack is not a hostile or warlike act in time of peace or war.

The exclusion, which was identical in most of the policies, stated:

i. Hostile/Warlike Action Exclusion Language

A. 1) Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending, or expected attack:

a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval or air forces;

b) or by military, naval, or air forces;

c) or by an agent of such government, power, authority or forces;

This policy does not insure against loss or damage caused by or resulting from Exclusions A., B., or C., regardless of any other cause or event contributing concurrently or in any other sequence to the loss.

The court gave little analysis toward attribution – that is, whether Russia or an agent of the Russian government instigated the NotPetya attack. Given the known nature of the NotPetya attack, this should not be surprising. Instead, the court focused on Merck’s argument that the exclusion could not apply because “warlike can only be interpreted as ‘like war,’” and thus Merck’s “reasonable understanding of the exclusion involved the use of armed forces, and all of the caselaw [sic] on the war exclusion supports this interpretation.” Concluding that the insurance were contracts of adhesion (despite Merck’s global market power), the court agreed with Merck’s argument. Citing case law, the court agreed that the NotPetya attack launched by the Russian GRU was not a “hostile or warlike action” because it did not involve traditional warfare.

There are many problems with this reasoning, the first being that, except for one case, the court relied upon case law decided before the Internet or even the word “cyber” existed. The Merck decision cites a 1953 trial court decision examining the word “war” in the context of the death of a military serviceman in Korea, a 1973 trial court decision involving an airplane hijacking by a terrorist group, a 1970 trial court decision involving a flare dropped on a warehouse in a warzone by an unidentified airplane, and a 1922 appellate court decision involving two ships that collided in the open sea during World War I.[12] The lone exception, a 2019 Ninth Circuit decision, involved the relocation of operations because Hamas – categorically not a foreign government or an agent of one – was firing rockets into the area.[13] Apology for stating the glaring obvious – but none of these cases involved an electronic attack launched against a nation state to destabilize it to advance the interests of another nation state. None involved known attribution of an enemy nation state.    

Nevertheless, according to the Merck court, “[g]iven the plain meaning of the language in the exclusion, together with the foregoing examination of the applicable caselaw [sic], the court unhesitatingly finds that the exclusion does not apply.” (Emphasis added.) Yet, the court set the language’s plain meaning based on the experiences of 70-100 years ago, and not the plain meaning of the word “warlike” in the context of today. As added measure, the court added “[a]s Plaintiff correctly notes in its' brief, no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” Well yeah – especially when relying on early and mid-twentieth-century decisions in the context of an unprecedented, state-of-the-art twenty-first century attack.

The court’s conclusion also ignores the word “hostile” in the exclusion. The court itself defined the term earlier in its opinion as “of, pertaining to, or characteristic of an enemy; pertaining to or engaged in actual hostilities” (citing The Oxford English Dictionary). How the cyberattack did not pertain to an enemy engaging in hostilities, the court never event hints.  

Perhaps most troubling was the court’s reasoning – that the Warlike or Hostile Acts exclusion did not apply because it has remained the same “for many years” despite insurers knowing about cyberattacks:

The evidence suggests that the language used in these policies has been virtually the same for many years. It is also self-evident, of course, that both parties to this contract are aware that cyber attacks [sic] of various forms, sometimes from private sources and sometimes from nation-states have become more common. Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks [sic].

The observation presupposes and depends upon the court’s subsequent conclusion – that cyberattacks are not warlike or hostile acts. If they qualify as warlike or hostile acts, and they do, there is no need to specify them. As a side note, the exclusion also does not list bombs, airplanes, or rockets – would these forms of weaponry also fall outside the exclusion if used by a nation state against another? See the problem?

Finally, we can go into a discussion of about how cyberattacks and cyber warfare do involve hostilities, warlike acts, and forms of war. The Economist recognized cyberattacks as a form of warfare on July 3, 2010.[14]

www.economist.com

Moreover, a component of the US Department of Defense includes the US Cyber Command.[15] Even the Merck opinion’s closing appears to accept that:

[The insurers] [h]aving failed to change the policy language, Merck had every right to anticipate that the exclusion applied only to traditional forms of warfare. [Emphasis added.]

This last line is revealing. It implicitly accepts that cyberattacks in general, and the NotPetya attack in particular, do involve forms of warfare, just not “traditional” forms of warfare – whatever that means in the twenty-first century. However, where the court reads the words “traditional” in the exclusion’s language, the court never reveals. That is the most troubling of all.  

What This Case Means for Insurers

Certain events – like global pandemics and cyber war – are not susceptible to risk modeling and quantification methodologies needed to appropriately underwrite and insure such risks. It is beyond dispute that a cyber war event could lead to catastrophic aggregated losses that could imperil the sustainability of the cyber insurer market. It also seems difficult to define successfully the scope of a provision in the world of today’s technology when a court will look to the technology of the last century to determine the provision’s meaning.

Given the rise of suspected nation-state sponsored cyber-attacks as well as recent unfavorable silent cyber court decisions finding coverage for cyber and privacy claims under a variety of traditional policy forms, insurers should carefully consider including comprehensive cyber exclusions in all non-cyber policies. Insurers also should endeavor to understand the full extent of potential cyber coverage under cyber policies and non-cyber policies that offer limited cyber coverage. Potential exposure to catastrophic aggregated events in particular, including those arising in the context of cyber war, should be closely analyzed and accounted for in the underwriting process.

The London Market Association’s Answer?

In November 2021, the Lloyd’s Market Association (LMA) introduced four model exclusions addressing War, Cyber War, and Cyber Operations for standalone cyber insurance policies. Generally, the exclusions provide underwriters with a good deal of flexibility with regard to the exclusion of cyber war losses, ranging from a complete exclusion of coverage for any losses directly or indirectly arising from a war or cyber operation attributed to a nation state to exempting from exclusion losses to specified cyber assets impacted by certain cyber operations. (The full terms of the four LMA exclusions are reproduced below.) 

All four exclusions explicitly state that the insurer has the burden to prove that the exclusion applies. They also contain the same provision concerning attribution of a cyber operation to a state:

The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.

Pending  attribution  by  the  government  of  the  state  (including  its  intelligence  and  security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its behalf. It is agreed that during this period no loss shall be paid.

In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located either:

  1. takes an unreasonable length of time to, or
  2. does not, or
  3. declares it is unable to attribute the cyber operation to another state or those acting on its behalf, it shall be for the insurer to prove attribution by reference to such other evidence as is available.

Exclusion 1 (LMA5564), the broadest of the exclusions, precludes coverage for “any loss, damage, liability, cost or expense of any kind (together ‘loss’) directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation.”

Exclusion 2 (LMA5565) excludes coverage for loss from “war or a cyber operation that is carried out in the course of war; and/or retaliatory cyber operations between specified states; and or a cyber operation that has a major detrimental impact on: the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state; and/or the security or defence of a state.” Specified states is defined as China, France, Germany, Japan, Russia, UK or USA. Exclusion 2 sets forth specified limits applicable to non-excluded cyber operations.

Exclusion 3 (LMA 5566) contains the same exclusionary provision as Exclusion 2, but does not specify applicable limits.

Exclusion 4 (LMA5567) contains an exception to the exclusion for cyber operations set forth in Exclusions 2 and 3 for “the direct or indirect effect of a cyber operation on a bystanding cyber asset.”  Bystanding cyber asset is defined as “a computer system used by the insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation.”

Appendices of LMA War, Cyber War, and Cyber Operation Exclusions

Exclusion 1 - LMA5564

War, Cyber War and Cyber Operation Exclusion No. 1

(For use on commercial cyber insurance contracts)

  1. Notwithstanding any provision to the contrary in this insurance, this insurance does not cover any loss, damage, liability, cost or expense of any kind (together “loss”) directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation.
  2. The insurer shall have the burden of proving that this exclusion applies.

Attribution of a cyber operation to a state

  1. The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.
  2. Pending attribution  by  the  government  of  the  state  (including  its  intelligence  and  security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its beha It is agreed that during this period no loss shall be paid.
  3. In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located either:

5.1.    takes an unreasonable length of time to, or

5.2.    does not, or

5.3.    declares it is unable to

attribute the cyber operation to another state or those acting on its behalf, it shall be for the insurer to prove attribution by reference to such other evidence as is available.

Definitions

  1. Computer system  means  any  computer,  hardware,  software,  communications  system, electronic device (including but not limited to, smart phone, laptop, tablet, wearable device), server, cloud infrastructure or microcontroller including any similar system or any configuration of the aforementioned and including any associated input, output, data storage device, networking equipment or back up facilit
  2. Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.
  3. State means sovereign stat
  4. War means:

9.1.    the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection, and/or

9.2.    military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority,

whether war be declared or  not.

Exclusion 2 LMA5565

War, Cyber War and Cyber Operation Exclusion No. 2

(For use on commercial cyber insurance contracts)

  1. Notwithstanding any provision to the contrary in this insurance, this insurance does not cover any loss, damage, liability, cost or expense of any kind (together “loss”) directly or indirectly occasioned by, happening through or in consequence of:

1.1.    war or a cyber operation that is carried out in the course of war; and/or

1.2.    retaliatory cyber operations between any specified states; and/or

1.3.    a cyber operation that has a major detrimental impact on:

1.3.1.      the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state; and/or

1.3.2.      the security or defence of a state.

  1. The insurer shall have the burden of proving that this exclusion appli
  2. Subject to the exclusions above and the other terms, conditions and exclusions contained in this insurance, the following limits shall apply to any other cyber operation(s):

3.1.    {response} for any cover in relation to all loss arising out of one cyber operation;

3.2.    {response} in the aggregate for the period of insurance.

These limits shall apply within the full policy limit and not in addition thereto.

Unless an amount is specified in 3.1 and 3.2, there shall be no coverage for any cyber operation(s).

Attribution of a cyber operation to a state

  1. The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.
  2. Pending attribution  by  the  government  of  the  state  (including  its  intelligence  and  security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its beha It is agreed that during this period no loss shall be paid.
  3. In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located either:

6.1.    takes an unreasonable length of time to, or

6.2.    does not, or

6.3.    declares it is unable to

attribute the cyber operation to another state or those acting on its behalf, it shall be for the insurer to prove attribution by reference to such other evidence as is available.

Definitions

  1. Computer system  means  any  computer,  hardware,  software,  communications  system, electronic device (including but not limited to, smart phone, laptop, tablet, wearable device), server, cloud infrastructure or microcontroller including any similar system or any configuration of  the  aforementioned  and  including  any  associated  input,  output,  data  storage  device, networking equipment or back up facility.
  2. Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.
  3. Essential service, for the purposes of this exclusion, means a service that is essential for the maintenance of vital functions of a state including without limitation: financial institutions and associated financial market infrastructure, health services or utility servi
  4. Specified states means China, France, Germany, Japan, Russia, UK or USA.
  5. State means sovereign state.
  6. War means:

12.1.  the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection, and/or

12.2.  military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority,

whether war be declared or not.

Exclusion 3 - LMA5566

War, Cyber War and Cyber Operation Exclusion No. 3

(For use on commercial cyber insurance contracts)

  1. Notwithstanding any provision to the contrary in this insurance, this insurance does not cover any loss, damage, liability, cost or expense of any kind (together “loss”) directly or indirectly occasioned by, happening through or in consequence of:

1.1.    war or a cyber operation that is carried out in the course of war; and/or

1.2.    retaliatory cyber operations between any specified states; and/or

1.3.    a cyber operation that has a major detrimental impact on:

1.3.1.      the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state; and/or

1.3.2.      the security or defence of a state.

  1. The insurer shall have the burden of proving that this exclusion appli

Attribution of a cyber operation to a state

  1. The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behalf.
  2. Pending attribution  by  the  government  of  the  state  (including  its  intelligence  and  security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its beha It is agreed that during this period no loss shall be paid.
  3. In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located either:

5.1.    takes an unreasonable length of time to, or

5.2.    does not, or

5.3.    declares it is unable to

attribute the cyber operation to another state or those acting on its behalf, it shall be for the insurer to prove attribution by reference to such other evidence as is available.

Definitions

  1. Computer system  means  any  computer,  hardware,  software,  communications  system, electronic device (including but not limited to, smart phone, laptop, tablet, wearable device), server, cloud infrastructure or microcontroller including any similar system or any configuration of the aforementioned and including any associated input, output, data storage device, networking equipment or back up facilit
  2. Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.
  3. Essential service, for the purposes of this exclusion, means a service that is essential for the maintenance of vital functions of a state including without limitation: financial institutions and associated financial market infrastructure, health services or utility services.
  4. Specified states means China, France, Germany, Japan, Russia, UK or USA.
  5. State means sovereign state.
  6. War means:

11.1.  the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection, and/or

11.2.  military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority, whether war be declared or not.

 

Exclusion 4 - LMA5567

War, Cyber War and Cyber Operation Exclusion No. 4

(For use on commercial cyber insurance contracts)

 

  1. Notwithstanding any provision to the contrary in this insurance, this insurance does not cover any loss, damage, liability, cost or expense of any kind (together “loss”) directly or indirectly occasioned by, happening through or in consequence of:

1.1.    war or a cyber operation that is carried out in the course of war; and/or

1.2.    retaliatory cyber operations  between any specified states leading to two or more specified states becoming impacted states; and/or

1.3.    a cyber operation that has a major detrimental impact on:

1.3.1.      the functioning of a state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state; and/or

1.3.2.      the security or defence of a state.

  1. Paragraph  1.3  shall  not  apply  to  the  direct  or  indirect  effect  of  a  cyber  operation on a bystanding cyber asset.
  2. The insurer shall have the burden of proving that this exclusion applies.

Attribution of a cyber operation to a state

  1. The primary but not exclusive factor in determining attribution of a cyber operation shall be whether the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located attributes the cyber operation to another state or those acting on its behal
  2. Pending attribution  by  the  government  of  the  state  (including  its  intelligence  and  security services) in which the computer system affected by the cyber operation is physically located, the insurer may rely upon an inference which is objectively reasonable as to attribution of the cyber operation to another state or those acting on its beha It is agreed that during this period no loss shall be paid.
  3. In the event that the government of the state (including its intelligence and security services) in which the computer system affected by the cyber operation is physically located either:

6.1.    takes an unreasonable length of time to, or

6.2.    does not, or

6.3.    declares it is unable to

attribute the cyber operation to another state or those acting on its behalf, it shall be for the insurer to prove attribution by reference to such other evidence as is available.

Definitions

  1. Bystanding cyber asset means a computer system used by the insured or its third party service providers that is not physically located in an impacted state but is affected by a cyber operation.
  2. Computer system  means  any  computer,  hardware,  software,  communications  system, electronic device (including but not limited to, smart phone, laptop, tablet, wearable device), server, cloud infrastructure or microcontroller including any similar system or any configuration of the aforementioned and including any associated input, output, data storage device, networking equipment or back up facilit
  3. Cyber operation means the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.
  4. Essential service, for the purposes of this exclusion, means a service that is essential for the maintenance of vital functions of a state including without limitation: financial institutions and associated financial market infrastructure, health services or utility servi
  5. Impacted state means any state where a cyber operation has had a major detrimental impact on:

11.1.  the functioning of that state due to the direct or indirect effect of the cyber operation on the availability, integrity or delivery of an essential service in that state; and/or

11.2.  the security or defence of that state.

  1. Specified states means China, France, Germany, Japan, Russia, UK or USA.
  2. State means sovereign state.
  3. War means:

14.1.  the use of physical force by a state against another state or as part of a civil war, rebellion, revolution, insurrection, and/or

14.2.  military or usurped power or confiscation or nationalisation or requisition or destruction of or damage to property by or under the order of any government or public or local authority, whether war be declared or not.

 

 

[1] DOJ Indictment (Unsealed) of Yuriy Sergeyevich Andrienko, Sergey Vladomirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valerevich Ochichenko, and Petr Nikolayevich Pliskin, dated 10/19/20, at ¶ 33 (“DOJ Indictment of GRU”).

[2] Ellen Nakashima, “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes,” The Washington Post, Jan. 12, 2018, available at <<https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html.>>

[3] Dustin Volz, et al., “White House blames Russian for ‘reckless’ NotPetya cyberattack, Reuters, Feb. 15, 2018, available at << https://www.reuters.com/article/us-britain-russia-cyber-usa/white-house-blames-russia-for-reckless-notpetya-cyber-attack-idUSKCN1FZ2UJ>>.

[4] See Paul Ivan, “Responding to Cyberattacks: Prospects for the EU Cyber Diplomacy Toolbox,” March 2019, available at <<https://www.epc.eu/content/PDF/2019/pub_9081_responding_cyberattacks.pdf>>; Francesco Bussoletti, “All Five Eyes countries have blamed Russia for the NotPetya cyberattack”, February   2018, available at <<https://www.difesaesicurezza.com/en/cyber-en/all-five-eyes-countries-have-blamed-russia-for-the-notpetya-cyber-attack/>>; see also Annegret Bendiek, et al., “Attribution: A Major Challenge for EU Cyber Sanctions, SWP, December 2021, available at <https://www.swp-berlin.org/en/publication/attribution-a-major-challenge-for-eu-cyber-sanctions#en-d48269e2470>>. Five Eyes Alliance is an intelligence alliance comprising of Australia, Canada, New Zealand, the UK, and the US.

[5] See “Blaming Russia for NotPetya was coordinated diplomatic action,” ZDNET, April 11, 2018, available at <<https://www.zdnet.com/article/blaming-russia-for-notpetya-was-coordinated-diplomatic-action/>>.

[6] Justice News, “Six Russian Officers Charged in Connection with Worldwide Deployment of Malware and Other Disruptive Actions in Cyberspace,” (“DOJ Press Release”) available at <<https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.>>

[7] DOJ Indictment of GRU, ¶¶ 27-29, 64, 68.

[8] DOJ Press Release.

[9] DOJ Indictment of GRU, dated 10/19/20, at ¶ 1.

[10] Id. ¶ 3.

[11] Id. ¶ 10, 76.

[12] Stanbery v. Aetna Life Ins. CO., 26 N.J. Super 498 (Law Div. 1953), Pan Amer. World Airways, Inc. v. Aetna Cas. & Sur., 368 F. Supp. 1098 (S.D.N.Y. 1973), Int’l Dairy Engineering Co. fo Asia v. Amer. Home Assur. Co., 352 F. Supp. 827 (N.D. Cal. 1970); Queens Ins. Co. v. Globe & Rutgers Fire Ins. Co., 282 F. 976 (2d Cir. 1922) (citing British Steamship v. The King, 1 A.C. 99 (1921)).

[13] Universal Cable Prods., LLC v. Atlantic Specialty Ins. CO., 929 F.3d 1143 (9th Cir. 2019).

[14] “Cyberwar: It is time for countries to start talking about arms control on the internet,” The Economist at 9 (July 3, 2010).

[15] E.g., https://www.cybercom.mil/About/History/