Cyber Terrorism: Assessment Of The Threat to Insurance

Nov 1, 2017 | Cyber Terrorism

Introduction – Changing tactics of terrorism

Terrorism – the application of politically-motivated violence to resist or influence the policies of governing regimes – has been a spectre of organised governments for millennia. Almost by definition, terrorism is “asymmetrical”: the state is always more powerful than the antagonists seeking to undermine it. In employing a technique of changing violent tactics, a less well-resourced terror group can use the element of surprise to achieve success against a less agile state security apparatus.

Terror tactics have changed over time as the genus of groups perpetrating the violence and the security measures in place to prevent them have advanced and evolved. As known targets are hardened and securitised, terrorist groups typically shift to softer, more vulnerable targets. This praxis is shown in the changing terrorist practices of the last hundred years, from political assassination in the early 20th century, to plane hijacking and hostage taking by Middle Eastern terrorist groups in the 1970s, attacks on police and army units and mainland car bombs preceded by warnings by the IRA in the 1990s, and a shift toward maximising civilian casualties with suicide attacks by jihadists in the past 15 years. Perhaps the most radical innovation in terror tactics in the 21st century to date has been the weaponisation of passenger aircraft by al-Qaeda in 2001.

Could cyber terrorism be the next tactical shift?

With this history of advancing tactical techniques, commentators have speculated on myriad futures for global terrorism, including terrorist acquisition of weapons of mass destruction through to all-out economic and psychological warfare, or the repeated use of insurgency tactics to undermine the political tolerance of Western populations.

The spectre of cyber terrorism looms large over such speculation. Practices and predictions of terrorists acquiring destructive cyber capabilities date back many years. The National Academy of Sciences first warned of a “digital Pearl Harbor” as early as 1990. The imminent acquisition of cyber capabilities by terrorist groups has been long expected but has so far failed to materialise and there have been no known terrorist attacks using cyber means to trigger physical damage and destruction. However, concerns over the potential movement of terrorism into the cyber sphere endure, and, with the broadening of attack surfaces and growing technical capabilities of threat actors, the arrival of cyber terrorism seems ever more likely.

This report examines the possibility of this emergent threat and the potential risks it poses for the UK property insurance market over the next three years, using an analysis of the state of global terrorism and technological vulnerability at the close of 2017.

Cyber and insurance

The possibility of cyber crime developing the potential to cause physical damage is a major concern for the insurance industry. Property insurance and many other types of policies in use today were developed to protect insureds against traditional perils and causes of loss that are understood, priced, and underwritten on the basis of historical claims experience. If new losses were to occur resulting from cyber attacks – whether perpetrated by terrorists or other individuals – then this would add the new dimension of a nascent risk, which is difficult to measure and quantify, to pre-existing coverage. Some policy terms and conditions now explicitly exclude cyber as a cause of loss, particularly as a cause of legal liabilities and compensation for loss of privacy or data, in order to side-step this complication. There is a growing industry of “affirmative” cyber insurance which provides corporate coverage for breaches of IT security but, at this time, there are only a handful of insurance products that offer protection for physical damage or human injury resulting from cyber attacks.

The potential scope of physical damage that may result from a cyber attack is difficult to estimate, as most cyber criminal attacks to date are motivated by theft or information compromise, which may be financially or politically beneficial for the attacker. If physical damage were to result from a cyber attack, there is uncertainty in many insurance policy standard terms and conditions about whether such a loss would be covered. This ambiguous “silent” potential exposure is an area of significant concern for the industry in light of the high profile of cyber threats. In the London market, Lloyd’s regulators now require greater clarity of cyber coverage. Insurance markets elsewhere, notably in the United States and Europe, are in a similar process of attempting to clarify cyber coverages and exposure in their insurance policy terms.

Cyber terrorism and insurance

Difficulty in attributing cyber attacks adds a degree of complexity to expanding insurance policies to cover losses caused by them. It can take a long time for forensic investigators to determine how a cyber attack was carried out, and some never confidently establish the identity of the perpetrators. Physically destructive cyber attacks could be difficult to trace and identify as an act of terrorism. It may be evident from the nature of the act that it has been carried out as an act of terrorism, but there is potential for considerable ambiguity. These issues are important to consider in understanding the potential exposure to insurers from cyber terrorism. 

Perceived increased threat of cyber terrorism

The recent growth in the sophistication of cyber crimes and the advent of cyber attacks causing physical damage mean that insurers are expressing greater concern about the future appearance and rise of cyber terrorism. Several are using accumulation scenarios of hypothetical destructive cyber attacks, including those developed by the Cambridge Centre for Risk Studies, as potential scenarios of cyber terrorism. Active terrorist groups make periodic public announcements about their own advances in cyber capability and their increasing focus on developing these capabilities, which, if taken at face value, is a cause of concern for insurers.

The 2015 decision by the UK Government to announce the National Cyber Security Programme was a major initiative to protect national systems against cyber attacks, and officials cited the threat of destructive cyber attacks by terrorist groups as a key justification for this. The then Chancellor George Osborne claimed at the time that the so-called Islamic State’s “murderous brutality has a strong digital element” our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost. In November 2016, the government laid out plans for a five-year National Cyber Security Strategy, aiming to build UK cyber resilience and security through to 2021.

Aims of the research

This report assesses the threat of cyber terrorism to the UK at the time of publication and examines how such a threat may develop over the next three years. The report proposes a variety of cyber terrorism attack scenarios which could affect vulnerable UK industry sectors which comprise the exposure of the Pool Re membership. It provides qualitative insight into the likelihood, possibility and potential direct and indirect impacts of each scenario type. It presents a review of evidence for the operational capabilities of active terrorist groups who might potentially pose a threat of cyber terrorism to the UK, and proposes a structured scale of “cyber capability” against which to map and monitor the evidence of capability.

Above all, the report seeks to both educate and advise on the realities of cyber terrorism and the industry’s exposure to the threat.

Defining cyber terrorism

For the purposes of this report, we define “cyber terrorism” as an act of politically-motivated violence involving physical damage or personal injury caused by a remote digital interference with technology systems. We do not seek to suppose the political motivations for such actions as the official certification of terrorism for the purposes of Pool Re’s coverage would be a matter of government intelligence and sanction.

Report structure

This report sets out to provide useful insight on the developing threat of cyber terrorism as it pertains to the interests of the broader (re)insurance industry. It presents a series of unlikely but plausible cyber terrorism scenarios which may impact insurance portfolios, organised by exposure categories, in order to create an informed view of the scope of possible risk as of Q3 2017. Per publication of the report, the details of these scenarios have been removed and are discussed at a distance.

The report then presents an analysis of modern terrorist groups and their current cyber capabilities. The historical pattern of extremism in the Middle East would suggest that the groups which currently pose the greatest threat to the security of the UK Mainland (namely, the Islamic State, also referred to as Daesh) will likely retain some power and influence in the region for the foreseeable future. For the purposes of this report, therefore, we consider that extremist groups operating presently will be the main threat actors responsible for any cyber terrorist development in the next three years.

Following this, the report focuses on the susceptibility of the UK Mainland to future cyber terrorist activity and the defences available. While active plots to compromise UK cyberspace may not come to fruition in the next three years, this does not negate the inherent vulnerabilities in national infrastructure and industry. Identifying at-risk systems, high profile targets and indicators for increased cyber vulnerability is crucial to the responsible provision of cyber terrorism cover in the future.

Various real-world case studies are presented throughout the report. Although none of these scenarios represent examples of known destructive cyber terrorism, these case studies provide further insight into susceptible facilities and the insurance losses associated with significant industrial accidents that could be ultimately engineered by cyber terrorists or actors in cyber warfare.

The report also includes a summary of the Cambridge Centre for Risk Studies’ 2016 analysis of a hypothetical blackout catastrophe in the United Kingdom caused directly by a nation-state cyber assault on South Eastern substation networks in Appendix 1: UK Cyber Blackout Scenario. Appendix 2: Major ICS cyber events to 2017 presents a catalogue of notable industrial control systems (ICS) cyber events that have occurred since 1999 and provides information on their attackers, attack methods and motivation.

Conclusions

The key conclusion of this report is that, while various types of cyber attack are becoming more commonplace, the most relevant cyber terrorist actors currently pose a low likelihood of inflicting severe physical destruction through digital means before 2020. At present, the major terrorist groups posing a threat to the West are motivated by mass casualty attacks; the cyber tools available to these actors currently provide far less chance of major injury than a traditional explosive, knife or vehicle attack.

The onus of developing an informed and well-funded hacking team or otherwise acquiring a sophisticated cyber weapon capable of achieving success in physically destructive and damaging cyber attacks requires a significant investment of both time and money for terrorist groups, who are simultaneously combating international counterterrorism efforts and pursuing options for immediate political returns on traditional acts of terror in the face of significant territory loss.

This conclusion must be tempered by recognition that cyber terrorism, and cyber crime in general, remains an emerging threat. The number of vulnerabilities embedded within digital devices ubiquitous to Western society is constantly growing, and the added development of the “Internet of Things” adds layers of additional vulnerability to many existing physical systems, from manufacturing and other industrial facilities to biological security systems. The protean nature of the digital economy provides ample attack surfaces for any agents of cyber terrorism or cyber war that may appear. While monitoring the cast of potential threat actors, this attack surface also requires constant evaluation and continuing securing on behalf of businesses and governments. The development and provision of cyber terrorism insurance policies may form a part of this security effort.

The full report can be downloaded here.