Who Pays for a Cyberattack?

As Ukraine approaches its presidential election slated for March 31, 2019, the issue of how to respond to cyberattacks continues to plague governments around the world. Potential strategies range from proactive deterrence to reactive prosecution and potential retaliation.

We know that hackers targeted the last Ukrainian presidential election in 2014. Therefore, we must prepare now, as an international community, to invest in the security of the March election. Democracies have a strong interest in helping one another to protect free and fair elections everywhere. Such efforts help to enhance, both today and in the future, the security of election infrastructure in democracies around the world.

One of the obstacles to a robust, unified defense against cyberattacks is the issue of liability. Identifying who is responsible for a cyberattack is important because someone has to pay for the damages — even if it is only the victim. This issue is particularly relevant to Ukraine and the 2017 “NotPetya” cyberattack.

The sums involved in the NotPetya attack are striking. One multinational corporation, Mondelez, which produces confectionery brands such as Cadbury and Toblerone, claimed “permanent damage” to 1,700 servers and 24,000 laptops, as well as lost revenue totaling over $100 million. Given the scale of this incident, WIRED Magazine called NotPetya “the most devastating cyberattack in history.”

These numbers demonstrate that the damage cyberattacks are capable of inflicting is increasing with time. Clearly, no company wants to absorb these losses, and most cannot. But who, given the difficulty of conclusively identifying perpetrators, is going to pay for them?

The US Government declared that “the Russian military” should be held responsible for NotPetya, claiming that the attack was “a part of the Kremlin’s ongoing effort to destabilize Ukraine.” Moscow, however, denies any involvement in the attack, and claims that it was also a victim of NotPetya. Additionally, Mondelez’s insurance firm, Zurich, concluded that NotPetya was an “act of war” — which could make it exempt from liability.

As the aftermath of the NotPetya attack illustrates, the frequent lack of conclusive evidence that can link the perpetrators of cyberattacks to their crimes means that compensating governments, companies, and individuals for their losses is exceptionally burdensome. This inability to determine attribution and damages also complicates attempts at deterrence.

NotPetya demonstrates that hackers can sow discord and influence international relations and transnational commerce with relative impunity. Given the regional and international implications of the upcoming Ukrainian elections, the demonstrated low costs of launching a cyberattack may increase the chances that hackers will try to interfere in March.