I worked at Merck for three years as a scientist and only left a week before this went down. My former colleagues said they stood around and did absolutely nothing for days and then struggled to get the tiniest amount of work done for weeks.<p>The article chooses not to get into stunning mistakes by Merck's IT that allowed this to happen in the first place. The patches for the EternalBlue exploit were released by Microsoft on March 14, but Merck's IT chose to sit on it for over three months. (Like many large companies, they disable Windows update, choosing to release patches on their own schedule.) Even after the WannaCry attack crippled computers around the world on May 12, they still had a month before NotPetya brought them to their knees on June 27.
It's up to the attacked (the US) to decide when the line is crossed and how to respond. Russian strategy is to confuse as much as possible. They do cyber attacks, assassinations and political operations in the western countries.<p>Obama used covert action against Russia in response to election meddling. "Obama used covert retaliation in response to Russian election meddling." <a href="https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/29/obama-used-covert-retaliation-in-response-to-russian-election-meddling-heres-why/" rel="nofollow">https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/2...</a> Trump is not responding.<p>Is hybrid warfare warfare until it includes conventional warfare in the mix?<p><a href="https://en.wikipedia.org/wiki/Hybrid_warfare" rel="nofollow">https://en.wikipedia.org/wiki/Hybrid_warfare</a><p>> Hybrid warfare is a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare[1] with other influencing methods, such as fake news,[2] diplomacy, lawfare and foreign electoral intervention.<p>> The U.S. Army Chief of Staff defined a hybrid threat in 2008 as an adversary that incorporates "diverse and dynamic combinations of conventional, irregular, terrorist and criminal capabilities".[9] The United States Joint Forces Command defines a hybrid threat as, “any adversary that simultaneously and adaptively employs a tailored mix of conventional, irregular, terrorism and criminal means or activities in the operational battle space. Rather than a single entity, a hybrid threat or challenger may be a combination of state and nonstate actors".[9] The U.S. Army defined a hybrid threat in 2011 as "the diverse and dynamic combination of regular forces, irregular forces, criminal elements, or a combination of these forces and elements all unified to achieve mutually benefiting effects".[9] NATO uses the term to describe "adversaries with the ability to simultaneously employ conventional and non-conventional means adaptively in pursuit of their objectives"
I really enjoyed this despite insurance usually being billed as dull. A few points I don't see anyone else making:<p>* Act of war is poorly defined (and gets more poorly defined by the year). Since insurers use this term and (I assume) wrote the contracts, any reasonable question over its definition should be interpreted in the insured's favour. That's how most contract law works since otherwise the contract writer has a perverse incentive to make their contract language unclear and then argue definitions and technicalities. That's not just dishonest, it creates unnecessary uncertainty and excess court cases and those cost everyone.<p>* I was sort of amazed by mention of the president's pronouncements as if they mattered. Do they matter legally? They shouldn't: presidents are in no way a reliable source of information on geopolitical matters. Quite the opposite, they have the most motive to lie and it's literally often illegal to expose that (if an NSA employee leaked classified proof it was NOT the Russians, they'd be imprisoned under the espionage act). Leaving aside the current president's reliability, Obama pronounced on the Sony hack, blaming North Korea. Almost 5 years later and no evidence has been produced and plenty of people doubt that. It's also worth noting that no president should be empowered to effectively decide billion (trillion?) dollar lawsuits without oversight or scrutiny, they're not kings after all.<p>* Finally I thought how adult and reasonable Lloyd's response was. Both in settling the claim (assuming they did so for a reasonable fraction of what was owed) and requiring explicit cyber policies going forwards. That's the act of a group that is reasonable and wishes to take a long term, useful, role in the economy. Any bozo can sell "insurance" policies and then quibble over every claim, the result is people stop buying. But honouring your commitments and correcting yourself going forwards is exactly what we need in insurers.
I wonder what can be done to get US Corporate structures to follow a similar model?
So what does this mean for company cybersecurity? Will companies be motivated to secure their networks by higher insurance rates? Will insurers hire infosec auditors? Will insurers stop offering coverage, and leave companies to consider hacks as Black Swan events?
> One researcher told a colleague she’d lost 15 years of work.<p>You're telling me that you had never backed up anything in the span of 15 years?
If the attacker doesn't declare war and the defender doesn't respond by going to war then the blunt answer seems like it'd have to be a no.
Yeah sure, just like sanctions and tariffs are an economic way of doing war. But how do you respond with counter cyber attacks or sanctions and tariffs?
The main problem with allowing cyberattacks into the "declaration of war" category against all known diplomatic norms, is that attribution is extremely questionable. History is full of false flags done in the physical realm. Cyberattacks will be no different, other than easier to perform.
Speaking of war. Just to show how effed the definition is, here is the article where they try to decipher between war, armed conflict, and whatever else they've come up with: <a href="https://www.washingtonpost.com/world/national-security/is-it-a-war-an-armed-conflict-why-words-matter-in-the-us-fight-vs-the-islamic-state/2014/10/06/f4528a6c-49a1-11e4-891d-713f052086a0_story.html" rel="nofollow">https://www.washingtonpost.com/world/national-security/is-it...</a>
Considering it hit the company by accident via a server in Ukraine the whole act of war thing is really questionable.<p>It’s completely reckless use of malware and there should be consequences for Russia not taking care of their offensive weapons and causing serious damage.<p>But phrases like “act of war” shouldn’t be thrown around like that. I highly doubt that was Russia’s intention, which I think should matter, even if we still find them at fault.
If a country funds a bunch of script kiddies to attack something somewhere does that make the attack a state action? If the state takes measures to conceal the source of that funding then is it still a state action? If a group of script kiddies takes action due to a general suggestion from a state actor? If a group of script kiddies with political aims congruent with one or more state actors takes action all on their own?<p>This stuff is fundamentally different than the case where a group of people end up with guns and engage in politically motivated violence. It is really a form of advanced trolling. The fact that absolutely anyone can do this with no fear for their life or freedom makes it politically meaningless.<p>There is no such thing as cyberwar...<p>So insurance is really just about insuring against security lapses. It should be priced appropriately and should come with requirements.
Act of war against .... Merck, a company? I've heard of some circuitous logic to deny insurance claims, but this was not an act of war against Merck, which BTW isn't a country, so by definition, one can't go to war with it? Well, maybe hyperbolically a competitor might, but unlike real war, they're bound by the rules and laws of civil society.<p>This is the very definition of an accident, if the article is to be believed, with Merck not even being the target. Pay up insurers, this is why you exist.<p>Further, what is the point of insurance, especially for sensitive IP laden companies like pharma research, if there's no protection against nation-state attacks, which isn't outside the realm of possibility for such companies.
No. Not an act of war: an act of embarrassment. Merck should be shamed.<p>Can we stop calling these things "cyber attacks" or "hacks"? I think "gross negligence on applying even basic information security" and "a focus on security theatrics" fit much better.
It's really an act of not being prepared.<p>$1.7B? They should be able to destroy and rebuild their entire infrastructure in less than a day.<p>Have tested backup and restore processes. Ideally have all users in VMs.<p>I don't see how this isn't entirely Merck's fault.
I don't believe it, NotPetya was generic ransomware that spread to a lot of organizations including the NHS in England. This is fiction, yet another example of the neocons attempting to demonize the Russian Federation, no doubt to distract from problems at home.
Something like a missile attack on a Samsung factory is so easy to investigate and get conclusive evidence about what happened. Within hours or days we would know with almost certainty if it was an act of war or something else (accidental firing by the South Korean military or something...).<p>Consider something like Stuxnet, it took years before it was truly discovered and attribution could be made, at least in a way which would hold up in a lawsuit about insurance claims.
The ransomware wanted $300 in Bitcoin per computer encrypted.<p>This is a commercial extortion attempt, not an act of war. The insurers, as is their wont, don't want to pay out.