NotPetya malware attack: Chaos but not cyber warfare

While the Russian military-run cyber attack was economically damaging, it doesn't cross the threshold into warfare, claims report by Marsh.
Written by Danny Palmer, Senior Writer

The impact of last year's NotPetya cyber attack was felt around the world, bringing several large organisations grinding to a halt and costing billions of dollars in damage and lost revenue -- but the attack said to be the work of the Russian military still doesn't cross the threshold for being classed as cyber warfare, according to one new analysis.

A new paper published by global cyber insurance and risk-management firm Marsh suggests that NotPetya doesn't meet the requirements to be classed as cyber warfare because the main impacts were only economic, focused on civilian infrastructure and that the goal of the attack wasn't "coercion or conquest".

Despite economic damage and the UK and US governments attributing the attack to the Russian military, "these two factors alone are not enough to escalate this non-physical cyber attack to the category of war or 'hostile and warlike' activity," said Matthew McCabe, assistant general counsel for cyber policy at Marsh.

While the economic effects have cost individual companies hundreds of millions and have cumulatively reached billions of dollars, the paper argues that for an attack to be classed as an act of war, it must go beyond economic damage -- even if that that damage is large.

The report points comments made by then-US President Barack Obama in 2014 in which he described the Sony Pictures attack -- attributed to North Korea -- as "cyber vandalism." Like NotPetya, no physical damage was done, and the attack had costly consequences for Sony but McCabe argues this isn't enough to class it as an act of war.

"For a cyber attack to fall within the scope of the war exclusion, there should be a comparable outcome, tantamount to a military use of force," he said.

See also: Cyberwar: A guide to the frightening future of online conflict

A second reason Marsh doesn't see NotPetya as an act of warfare is because the attack didn't serve any military purpose: the most prominent victims were in civilian areas like logistics and pharmaceuticals.

These are are what McCabe describes as "places far removed from the locale or the subject of any warfare" and mean that NotPetya can't be described as an act of war.

Thirdly, the NotPetya campaign wasn't backed up by a military use of physical force against targets.

"The resulting chaos caused by NotPetya bore greater resemblance to a propaganda effort rather than a military action intended for 'coercion or conquest,' which the war exclusion was intended to address," said McCabe.

What this ultimately means, the report claims, is that under the current definitions of warfare, NotPetya wouldn't come under the category of damage caused by warfare and cyber insurance companies and therefore wouldn't be forced to pay out for losses relating to war damages.

However, the report points out that the definition of warlike activity is one hundred years old which suggests it may need to be updated for the realities of the 21st century.


Editorial standards