by throwGuardian 2385 days ago
Act of war against .... Merck, a company? I've heard of some circuitous logic to deny insurance claims, but this was not an act of war against Merck, which BTW isn't a country, so by definition, one can't go to war with it? Well, maybe hyperbolically a competitor might, but unlike real war, they're bound by the rules and laws of civil society.

This is the very definition of an accident, if the article is to be believed, with Merck not even being the target. Pay up insurers, this is why you exist.

Further, what is the point of insurance, especially for sensitive IP-laden companies like pharma research, if there's no protection against nation-state attacks, which aren't outside the realm of possibility for such companies?

6 comments

That argument doesn't hold water. You don't need to be an intended target or a country for something to be an act of war.

If North Korea drops a nuclear bomb on China, and the nuclear cloud does collateral damage in India, that's still damage from an act of war.

Acts of war are excluded since insurance is designed to spread cost for isolated events. If my house burns down, everyone chips in to rebuild it. You can't reasonably insure widespread events. If an entire country is demolished, whether by war, flood, or other large-scale natural disaster, insurance would just go under.

Things are murky here. But not for those reasons. We can start with there not being a war, continue into covert ops not really being the same as war, and keep going for a while. I do think insurance SHOULD pay for this one. But it's not that simple.

While I’m opposed to using legal terms to weasel out of an insurance claim, it’s an interesting question. If Russia deliberately dropped a bomb on Merck’s factory, it would unquestionably be an act of war. Likewise if they dropped a bomb on a neighboring plant and also accidentally destroyed Merck’s plant.

But dropping a bomb on a facility in Ukraine, with equally destructive shrapnel destroying facilities all over the world? Knowing that using this weapon can easily cause such collateral damage?

We barely have the terminology for discussing this type of warfare. The initial attack was an act of war, certainly. Beyond that, we have to come up with definitions and reactions. At the very least, it’s a subject for diplomatic channels, maybe even sanctions.

Dropping a bomb is not an act of war because of the target itself. It is because to do it you have to violate the country's whole security system and cause damage to the country's real state, which is an act of war, whereas to invade a company's cluster of computers you don't have to compromise the country's whole cybernetwork.

It is interesting though to think about aftermath. If it is not an act of war, one can compromise a country's economy without going directly against the country itself.

>Dropping a bomb is not an act of war because of the target itself. It is because to do it you have to violate the country's whole security system and cause damage to the country's real state, which is an act of war, whereas to invade a company's cluster of computers you don't have to compromise the country's whole cybernetwork.

I would counter that you don't need to violate all of the US's defense to bomb Hawaii and we all know how that was received. So yes, a state sending assets to go destroy some other state's property within the borders of said state is generally considered an act of war. That said, details matter a lot and these situations are basically handled on a case by case basis.

Deliberate attacks against a country’s economy would probably be handled on a case by case basis through diplomatic channels.

E.g. I’d argue that if China announced it would not repay its massive Treasury debts to the US, that would basically be an act of war even if no aggression was used, just due to the extreme destructive effects. And the reaction would be similarly upsetting, although not quite on the level of an unprovoked, large-scale military action.

But it quickly becomes a discussion of semantics at that point ;)

> E.g. I’d argue that if China announced it would not repay its massive Treasury debts to the US

Other way round: US has “borrowed” money from China

Ah, I had a suspicion I had my signs mixed up. Thanks for pointing that out. Point stands though :)

Yeah, this act was wildly indiscriminate. Russia could easily have limited the propagation of NotPetya to Ukraine only, but chose not to. That makes the act irresponsible and comparable to distributing an infectious biological agent via randomly addressed mail bombs that were posted in Kiev.

An appropriate response needs to arise from a cooperative authority like the UN or Interpol, and needs a policy suited to address future events before they arise.

>If Russia deliberately dropped a bomb on Merck’s factory, it would unquestionably be an act of war.

The US does this all the time and it is not labeled an act of war. The most famous incident is the Al-Shifa medical facility, but this is common practice in the "war on terror."

In insurance context any bombing by military airplanes falls under war exclusion clauses.

> which BTW isn't a country, so by definition, one can't go to war with it?

Suppose North Korea shoots artillery on Samsung factories. Is that not an act of war because they were targeting a company's buildings?

The US has some mixed messaging on cracking. On the one hand they reserve the right to consider attacks on them as acts of war (and to respond with bombs); on the other hand they have no reservations about cracking others (e.g. Iran).

I would say that it's not an act of war against Samsung but South Korea which should be a difference.

This was corporate property insurance, and it excluded "acts of war". It doesn't matter who the war is between; the fact that a cost was incurred due to war would mean that you cannot claim that cost on the insurance policy. If it only referred to acts against a specific state, then you would have no need to include the wording in the contract as it would be a no-op.

Insurance policies have often tried to exclude the highly-unlikely-but-ruinously-costly coverage; hence the similar "acts of god" exclusions (and obvs there's rarely any disagreement about whether god was specifically the actor). A war is usually a large-scale event causing a large amount of damage; without excluding it you would expect many insurers to be bankrupted. "Cyberwar" is something of a different matter and I could see why either side would want to litigate to clarify the definition.

>> This is the very definition of an accident

How is something deliberately planned and executed, by a military intelligence agency, for weeks or months, an accident?

And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?

>"And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?"

If the insurance claim is ~$1.3bn, we can safely say that the NotPetya cleanup isn't a trivial thing for them.

How many companies have we heard about who were totally screwed after a ransomware outbreak, because their only backups were online - network connected? Does anybody have offline backups anymore?

Is corporate IT negligent where it appears to have no disaster recovery plan?

> Is corporate IT negligent where it appears to have no disaster recovery plan?

Arguably, yes. Merck isn't a small time start-up. They've been on the Fortune 500 list for 60+ years. They can afford whatever layers of backup and redundancy they need.

> Does anybody have offline backups anymore?

Previous gigs, for large ISPs and related orgs, did. This was on a team-by-team basis, though.

Any large organization that doesn't, at a bare minimum, implement NSA's Top Ten Cybersecurity Mitigation Strategies[1], ASD's Essential Eight[2], etc. is grossly negligent; and an insurance carrier willing to write a policy not conditional on implementing those strategies is equally negligent. The insurance carriers in this case could very well be attempting to deny payment under the acts-of-war exclusion because they're too incompetent or greedy to correctly write a cybersecurity policy.

[1] https://www.nsa.gov/Portals/70/documents/what-we-do/cybersec...

[2] https://www.cyber.gov.au/publications/essential-eight-explai...

>> too incompetent or greedy to correctly write a cybersecurity policy

Don't discount the insurers just yet. The act of war exclusion is likely preferable for the insurers because it would seem to broadly cover the entire incident and because it really doesn't require a whole lot of detailed discovery into Merck's internal processes. But if that fails, then the insurers will, most likely, once again try to deny the claim, this time focusing on the details of the cybersecurity-based policy exclusions.

My guess, with no evidence to back it up, is that the policy is very detailed and specific, and upon investigating its application, the insurers will reveal a lack of proper defense and mitigation processes by Merck, just as you describe.

Did that military agency plan for it to damage Merck? Or was that an accident?

Are you serious? They planned to launch the equivalent of a digital bomb, knowing full well there would be plenty of collateral damage. Hell no it isn't an "accident".

I will put it another way. I feel quite confident the 9/11 bombers did not know, or specifically target, my friends and acquaintances who died in those towers. Therefore, are you going to claim 9-11 was an accident?

If I intend to rob a convenience store, and in the process of doing so, my gun goes off and the clerk is shot and killed, was it just an accident?

Yes I am serious. Are you? How about we keep this respectful and do away with the condescending tone, which is not really welcome here on Hacker News?

9/11 was presumably intended to damage as much property and kill as many people as possible. So no, the people who died as a result of that terrorist attack against the US were not killed by accident.

Yes, if your gun accidentally goes off during a robbery, that is by definition an accident. An accident that could have been avoided if different choices had been made, but still an accident.

If the intended target in this case was the Ukraine, and companies in the USA suffered immense damages it's reasonable to ask if those unintended consequences were accidental. Similar to how a bomb dropped on an Italian border in WWII might accidentally kill ally French citizens on the other side of the border. With cyber warfare it becomes much more interesting, because those accidents don't respect physical distance.

I never said the gun went off "accidentally", you added that word to support your otherwise baseless argument. Guns go off during robberies because the robber got nervous or impatient, because there was a melee, because a third party got involved. By deliberately bringing the gun into the situation, the subsequent claim of an "accidental" firing is nullified.

A guy drinks two quarts of whisky at his favorite bar then drives home. On the way in his drunken state he runs a red light, smashes into a school bus and kills a 9 year old he never met named Mikey. Whoops, sorry Mikey's mom and dad, it was just an accident! Because Tchaffee says so.

Great example. Killing someone while drunk is called involuntary manslaughter. Because it's an accident. It was not planned. It wasn't intentional. I never once claimed that accidents can't be horrible. Or that reckless behavior that results in an accident should not be punished. I never said it was "just" an accident. That's you putting words in my mouth. What I said is very simple: if it wasn't part of the plan, it was an accident.

Wait, didn't even reach the absurd final paragraph. If I have a bomb with a blast radius of say, 200 meters, which I drop 50 meters inside an Italian border, knowing full well the blast radius extends into France, you are still claiming deaths in France from my bomb are just an accident?

Please point out where I said you know the blast radius and which direction it heads. Not to mention it's an analogy and I'm not a bombing expert. You can probably figure out my point.

That's called manslaughter... You don't get to walk when you rob a place and "accidentally" shoot someone. A sassy judge should ask "Did you accidentally rob the place too?"

To be more specific, involuntary manslaughter. Which is broadly speaking an accident that occurred while committing a crime. Or due to some other negligence. We are still firmly in the territory of accident, regardless of the legal consequences.

Not arguing with you. But I think a digital bioweapon is a better analogy than a bomb. Since it spreads without control after release, like a... well... virus. If a country released a bioweapon somewhere and it affected "un-intended targets" there's going to be a lot of international problems with that.

I kind of feel, and I'm not going to pretend I'm an expert, that digital warfare should be treated closer to biological warfare than just your typical bombs and bullets kind. Generally, and holy shit I know someone is going to flip their shit for me saying this, but generally a regular bomb (not nuke) is an acute type of problem. After it goes off, it's GENERALLY harmless after that. Yes, structure collapse, contamination, gas leaks and other after effects. But not really more booms from the bomb. Weaponized Ebola can still make more people sick, not affected by the original release. Same with NotPetya and other cyber attacks. After deployed, it can affect more and more targets as time goes on.

>but this was not an act of war against Merck, which BTW isn't a country,

It's an insurance policy... an act of war is a limitation on coverage.

No one is saying an act of war was specifically committed against Merck. Merck was damaged, filed a claim with its insurance and the insurer denied coverage because the damage was the result of an act of war (that has nothing to do with Merck being a country or the attack being directed at Merck).

Act of war against Ukraine, per the article.

Not really per the article. The article says there are claims that it was an act of war against Ukraine. It does not provide proof that it was in fact an act of war.