by listenallyall 2384 days ago
>> This is the very definition of an accident

How is something deliberately planned and executed, by a military intelligence agency, for weeks or months, an accident?

And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?

>"And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?"

If the insurance claim is ~$1.3bn, we can safely say that the NotPetya cleanup isn't a trivial thing for them.

How many companies have we heard about who were totally screwed after a ransomware outbreak, because their only backups were online - network connected? Does anybody have offline backups anymore?

Is corporate IT negligent where it appears to have no disaster recovery plan?

> Is corporate IT negligent where it appears to have no disaster recovery plan?

Arguably, yes. Merck isn't a small time start-up. They've been on the Fortune 500 list for 60+ years. They can afford whatever layers of backup and redundancy they need.

> Does anybody have offline backups anymore?

Previous gigs, for large ISPs and related orgs, did. This was on a team-by-team basis, though.

Any large organization that doesn't, at a bare minimum, implement NSA's Top Ten Cybersecurity Mitigation Strategies[1], ASD's Essential Eight[2], etc. is grossly negligent; and an insurance carrier willing to write a policy not conditional on implementing those strategies is equally negligent. The insurance carriers in this case could very well be attempting to deny payment under the acts-of-war exclusion because they're too incompetent or greedy to correctly write a cybersecurity policy.

[1] https://www.nsa.gov/Portals/70/documents/what-we-do/cybersec...

[2] https://www.cyber.gov.au/publications/essential-eight-explai...

>> too incompetent or greedy to correctly write a cybersecurity policy

Don't discount the insurers just yet. The act of war exclusion is likely preferable for the insurers because it would seem to broadly cover the entire incident and because it really doesn't require a whole lot of detailed discovery into Merck's internal processes. But if that fails, then the insurers will, most likely, once again try to deny the claim, this time focusing on the details of the cybersecurity-based policy exclusions.

My guess, with no evidence to back it up, is that the policy is very detailed and specific, and upon investigating its application, the insurers will reveal a lack of proper defense and mitigation processes by Merck, just as you describe.

Did that military agency plan for it to damage Merck? Or was that an accident?

Are you serious? They planned to launch the equivalent of a digital bomb, knowing full well there would be plenty of collateral damage. Hell no, it isn't an "accident".

I will put it another way. I feel quite confident the 9/11 bombers did not know, or specifically target, my friends and acquaintances who died in those towers. Therefore, are you going to claim 9-11 was an accident?

If I intend to rob a convenience store, and in the process of doing so, my gun goes off and the clerk is shot and killed, was it just an accident?

Yes I am serious. Are you? How about we keep this respectful and do away with the condescending tone, which is not really welcome here on Hacker News?

9/11 was presumably intended to damage as much property and kill as many people as possible. So no, the people who died as a result of that terrorist attack against the US were not killed by accident.

Yes, if your gun accidentally goes off during a robbery, that is by definition an accident. An accident that could have been avoided if different choices had been made, but still an accident.

If the intended target in this case was the Ukraine, and companies in the USA suffered immense damages it's reasonable to ask if those unintended consequences were accidental. Similar to how a bomb dropped on an Italian border in WWII might accidentally kill ally French citizens on the other side of the border. With cyber warfare it becomes much more interesting, because those accidents don't respect physical distance.

I never said the gun went off "accidentally", you added that word to support your otherwise baseless argument. Guns go off during robberies because the robber got nervous or impatient, because there was a melee, because a third party got involved. By deliberately bringing the gun into the situation, the subsequent claim of an "accidental" firing is nullified.

A guy drinks two quarts of whisky at his favorite bar then drives home. On the way in his drunken state he runs a red light, smashes into a school bus and kills a 9 year old he never met named Mikey. Whoops, sorry Mikey's mom and dad, it was just an accident! Because Tchaffee says so.

Great example. Killing someone while drunk is called involuntary manslaughter. Because it's an accident. It was not planned. It wasn't intentional. I never once claimed that accidents can't be horrible. Or that reckless behavior that results in an accident should not be punished. I never said it was "just" an accident. That's you putting words in my mouth. What I said is very simple: if it wasn't part of the plan, it was an accident.

Absolutely false.

Dec. 2: https://www.oregonlive.com/crime/2019/12/drunk-driver-who-ki...

Nov 14: https://www.inquirer.com/news/david-strowhouer-sentence-dui-...

Nov 8: https://eccalifornian.com/drunk-driver-given-second-degree-m...

Nov 15: https://www.pressconnects.com/story/news/public-safety/2019/...

first-degree manslaughter, third-degree murder, second-degree murder, first-degree vehicular manslaughter

"Involuntary" isn't in any of these. And these are just the first few search results.

Wait, didn't even reach the absurd final paragraph. If I have a bomb with a blast radius of say, 200 meters, which I drop 50 meters inside an Italian border, knowing full well the blast radius extends into France, you are still claiming deaths in France from my bomb are just an accident?

Please point out where I said you know the blast radius and which direction it heads. Not to mention it's an analogy and I'm not a bombing expert. You can probably figure out my point.

>> a bomb dropped on an Italian border in WWII might accidentally kill ally French citizens

"On an Italian border." Where else could the blast possibly go, except on both sides of the border?

That's called manslaughter... You don't get to walk when you rob a place and "accidentally" shoot someone. A sassy judge should ask "Did you accidentally rob the place too?"

To be more specific, involuntary manslaughter. Which is, broadly speaking, an accident that occurred while committing a crime. Or due to some other negligence. We are still firmly in the territory of accident, regardless of the legal consequences.

You still get punished for it... That's the whole argument. Even if it's an accident, it's not the same kind of accident as turning a corner and spilling coffee on them.

Not arguing with you. But I think a digital bioweapon is a better analogy than a bomb. Since it spreads without control after release, like a... well... virus. If a country released a bioweapon somewhere and it affected "unintended targets" there's going to be a lot of international problems with that.

I kind of feel, and I'm not going to pretend I'm an expert, that digital warfare should be treated closer to biological warfare than just your typical bombs and bullets kind. Generally, and holy shit I know someone is going to flip their shit for me saying this, but generally a regular bomb (not nuke) is an acute type of problem. After it goes off, it's GENERALLY harmless after that. Yes, structure collapse, contamination, gas leaks and other after effects. But not really more booms from the bomb. Weaponized Ebola can still make more people sick, not affected by the original release. Same with NotPetya and other cyber attacks. After being deployed, it can affect more and more targets as time goes on.