Merck’s NotPetya attack: Was it an act of war? (inquirer.com)
130 points by robdimarco on Dec 4, 2019 | 111 comments



I worked at Merck for three years as a scientist and only left a week before this went down. My former colleagues said they stood around and did absolutely nothing for days and then struggled to get the tiniest amount of work done for weeks.

The article chooses not to get into stunning mistakes by Merck's IT that allowed this to happen in the first place. The patches for the EternalBlue exploit were released by Microsoft on March 14, but Merck's IT chose to sit on it for over three months. (Like many large companies, they disable Windows update, choosing to release patches on their own schedule.) Even after the WannaCry attack crippled computers around the world on May 12, they still had a month before NotPetya brought them to their knees on June 27.


While patches would have helped in this specific case, that's only because Merck was collateral damage.

In a targeted attack, it's likely the foreign agency would be using a 0-day attack.

The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.

But those practices are extremely rare in my experience.

If I was on unfriendly terms with the US, I'd use this as a case study on how to cripple the economy by taking advantage of the large monocultures created by lax IT in a hundred or so of the largest firms.


> In a targeted attack, it's likely the foreign agency would be using a 0-day attack.

A targeted attack is also expensive and the victim would need to have something worth this kind of money and attention. "Nation state actor" just isn't a reasonable risk assumption for a great many organizations.

> The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.

When the "nation state actor" comes looking for you with some motivation, all that and the air gap won't mean much. See Stuxnet.

Like J. Mickens said: "Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good pass-word and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT."

https://www.usenix.org/system/files/1401_08-12_mickens.pdf


Nation-state actors can be deterred by nation states. If Vova believes that CNAing someone in the US will cause the US to bankrupt him and/or the people whose support he requires to stay in power, he'll make damn sure this doesn't happen. As long as the US does not demonstrate this capability and willingness to use it, he'll continue to misbehave.


Offline backups are about the easiest thing you can do, and they protect against pretty much everything. Air gaps are useful, but they're just a connection with unusually high latency. Network monitoring protects against zero-days.


The fact that good is worse than perfect does not mean good is no better than bad.

Having every machine in the company three months out of date on critical security patches is just negligence. I'm surprised the insurance companies didn't take that tack.


0days are precious and expensive. The odds of being targeted by one are incredibly low compared to those of being targeted by an exploit for which there is a patch.


True as that may be, let's keep in mind just how juicy of a target Merck is, being a gigantic multinational with a market cap roughly equivalent to the GDP of Portugal.


Is this related?

Merck has a new IT Head - joined on Nov 2018. The attack happened on Jun 2017 (i.e., 1.5 years earlier). Jim Scholefield - https://www.linkedin.com/in/jimscholefield/ Great pedigree: Nike, Coca Cola etc.

[Edit]

Seems to be: He will also have oversight of cyber-security – a big issue for the company after a ransomware attack in June 2017 brought the company to a grinding halt. Scholefield will be part of the company’s executive committee, reflecting how integral the digital transformation drive is to the business.

http://www.pmlive.com/pharma_news/merck_and_co_picks_nike_ex...


Probably. The whole time I was there, IT was a disaster. I did not know if the people at top were incompetent or they were just woefully underfunded like IT is in many companies. After a billion dollar loss, I would hope Merck came at it from both angles just to be sure.

My favorite memory was a mandatory security training for all employees. They had a couple of slides on how to make a good password, and one recommendation was to use "keyboard encryption". This is a technique to take a bad password like "ClevelandIndians" and shift the keys to the right (or other direction) to get "V;rbr;smfOmfosmd", a supposedly better password. I stood up at the Q&A time and "asked" how this meaningfully improved passwords given that it added at most two bits of entropy. I also responded to the "how was the training" survey with a recommendation to teach people correcthorsebatterystaple-style passwords instead. Colleagues who had been assigned to a later session said that a slide containing the XKCD comic had been inserted into the deck.


"correcthorsebatterystaple-style"

Are you saying those are better than the 'keyboard encryption'? Because they're not, every password cracker has functionality to string dictionary words together in various permutations.


Yes, they are (assuming the words are actually chosen at random).

The idea of "correcthorsebatterystaple-style" passwords is to randomly choose 4 words from a pool of about 2000 words. That gives about 11 bits of entropy per word, for a total of 44 bits.

With a 2-word "keyboard encryption", even if you choose the two words the same way, you only get 24 bits of entropy: 22 bits for the words plus 2 more bits for the choice of which direction to shift (up/down/left/right = 4 options = 2 bits).
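As an added worked example, not code from the thread or from Merck, the following Python script reproduces the "keyboard encryption" shift described earlier in this subthread and the entropy arithmetic in the reply above. The QWERTY row layout and the small word list are constructed for the demo; the 2000-word pool and the four shift directions are the numbers the comment uses. With the right-shift mapping the script reproduces the thread's own "ClevelandIndians" to "V;rbr;smfOmfosmd" transformation, and then undoes it, which is the point: the shift is a fixed bijection, so it adds only log2(4) = 2 bits for the choice of direction, while each uniformly chosen word adds about 11 bits.

```python
import math
import secrets

# US QWERTY rows used by the "keyboard encryption" trick (constructed for the demo).
# Each key maps to its right-hand neighbour on the same row; the last key on a
# row has no neighbour and is left unchanged.
QWERTY_ROWS = ["qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]


def shift_right_map(rows=QWERTY_ROWS):
    """Build the key -> right-neighbour mapping for one shift direction."""
    mapping = {}
    for row in rows:
        for i in range(len(row) - 1):
            mapping[row[i]] = row[i + 1]
    return mapping


SHIFT_RIGHT = shift_right_map()


def keyboard_shift(text, mapping):
    """Apply a key-neighbour mapping to text, preserving letter case."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in mapping:
            shifted = mapping[low]
            out.append(shifted.upper() if ch.isupper() else shifted)
        else:
            out.append(ch)
    return "".join(out)


def invert(mapping):
    """The shift is a bijection, so recovering the original is one dictionary flip."""
    return {v: k for k, v in mapping.items()}


def passphrase_entropy_bits(pool_size, n_words):
    """Entropy of n words drawn uniformly (with replacement) from a pool of pool_size."""
    return n_words * math.log2(pool_size)


def keyboard_shift_entropy_bits(pool_size, n_words, n_directions=4):
    """A fixed transform adds only log2(number of transform choices) bits."""
    return passphrase_entropy_bits(pool_size, n_words) + math.log2(n_directions)


# Constructed word list for the demo; a real pool would have about 2000 words.
WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "river",
            "candle", "window", "garden", "pencil", "rocket", "silver"]


def random_passphrase(words=WORDLIST, n_words=4, rng=secrets):
    """Random-word passphrase: words chosen with a CSPRNG, joined without separators."""
    return "".join(rng.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    shifted = keyboard_shift("ClevelandIndians", SHIFT_RIGHT)
    print("shifted:  ", shifted)
    print("recovered:", keyboard_shift(shifted, invert(SHIFT_RIGHT)))
    print("4 random words from 2000: %.1f bits" % passphrase_entropy_bits(2000, 4))
    print("2 words from 2000 + shift direction: %.1f bits"
          % keyboard_shift_entropy_bits(2000, 2))
    print("sample passphrase:", random_passphrase())
```

The entropy figures only hold when the words really are chosen at random from the pool; a passphrase built from a favourite team name or a quotation is a dictionary entry with a few bits of variation, whichever keys it is shifted onto.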


yes, it's mathematically better to have longer passwords than more complex character sets.

Dictionary has a lot of words. Even if you knew I chose 4 of them, gonna take you a little bit of time to get through those combos.


I'm not familiar with their environment but depending on the software and vendors who support aspects of software, those patches may be held at their request. That is, people like Rockwell, Emerson, whatever, may not “release” a patch because it can have implications for GxP environments. So not saying this is the case, but there are times when that is the case and companies have to sit on fixes.

However in these situations those systems are siloed and segregated so that things don’t propagate. I have no idea how Merck is set up.


Unless you do development where a Windows patch could break a complex environment, most people in the workplace are always using all Microsoft products anyway so they should just be on auto-update. All it takes is for some IT manager to sit on a critical patch for too long. If auto-updates break your setup, then you could opt out and be moved to a sandboxed environment where you still get patches but only after they are verified. I remember when some vcredist patch broke a very expensive development suite. Despite all the engineers affected complaining to IT, it took them weeks to roll it back for us. In the meantime, we had figured out ways to debug the tool with Visual Studio, catch the error, and continue past it without crashing everything. The patch must have broken quite a lot of things because there was another one that came shortly after that seemed to avoid the problems.


If you’re in a large organization you do not want an auto-update to mess up something for 10,000+ people who are unable to work because the VPN or whatever other enterprise system/software stopped working.

I’ve seen enough issues this year with Azure and multi-factor SSO being down. It makes me wary of Microsoft’s updates. Lots of customers screaming because they can’t access our portals.

Sometimes your vendors have to wait for Microsoft to fix something they broke which complicates it even more.


In many cases unpatched systems automatically fail GxP by not being patched but pharmaceutical organisations still run operations like it's the 90s and they just don't acknowledge the problems. Have worked in pharma IT for 10 years.


I think the problem is that their vendors’ applications run like it's the ‘90s. Often the orgs will be waiting on a vendor’s patch to be released which has been qualified for the sec patch. This requirement is kind of dubious but if you patch before they release their patch you’re on your own.


You'd think so but most vendor security patches appear very quickly even for 90s-style systems; the problem is almost always the customer's own processes. All vendors in the pharma business space maintain a dedicated support and patch team for all deployed and commercially supported products and of course charge customers for the privilege.


As far as I understood, particular machines were under GxP requirements, but the vast majority were not. We scientists had local admin access to our laptops. To access some GxP software, we connected via a client that was like a remote desktop.


> One researcher told a colleague she’d lost 15 years of work.

Either IT or this person is grossly incompetent. Beyond patch policies, managing data this way is terrifying.


It's up to the attacked (the US) to decide when the line is crossed and how to respond. Russian strategy is to confuse as much as possible. They do cyber attacks, assassinations and political operations in the western countries.

Obama used covert action against Russia in response to election meddling. "Obama used covert retaliation in response to Russian election meddling." https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/2... Trump is not responding.

Is hybrid warfare a warfare until it includes conventional warfare in the mix?

https://en.wikipedia.org/wiki/Hybrid_warfare

> Hybrid warfare is a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare[1] with other influencing methods, such as fake news,[2] diplomacy, lawfare and foreign electoral intervention.

> The U.S. Army Chief of Staff defined a hybrid threat in 2008 as an adversary that incorporates "diverse and dynamic combinations of conventional, irregular, terrorist and criminal capabilities".[9] The United States Joint Forces Command defines a hybrid threat as, “any adversary that simultaneously and adaptively employs a tailored mix of conventional, irregular, terrorism and criminal means or activities in the operational battle space. Rather than a single entity, a hybrid threat or challenger may be a combination of state and nonstate actors".[9] The U.S. Army defined a hybrid threat in 2011 as "the diverse and dynamic combination of regular forces, irregular forces, criminal elements, or a combination of these forces and elements all unified to achieve mutually benefiting effects".[9] NATO uses the term to describe "adversaries with the ability to simultaneously employ conventional and non-conventional means adaptively in pursuit of their objectives"


I really enjoyed this despite insurance usually being billed as dull. A few points I don't see anyone else making:

* Act of war is poorly defined (and gets more poorly defined by the year). Since insurers use this term and (I assume) wrote the contracts, any reasonable question over its definition should be interpreted in the insured's favour. That's how most contract law works since otherwise the contract writer has a perverse incentive to make their contract language unclear and then argue definitions and technicalities. That's not just dishonest, it creates unnecessary uncertainty and excess court cases and those cost everyone.

* I was sort of amazed by mention of the president's pronouncements as if they mattered. Do they matter legally? They shouldn't: presidents are in no way a reliable source of information on geopolitical matters. Quite the opposite, they have the most motive to lie and it's literally often illegal to expose that (if an NSA employee leaked classified proof it was NOT the Russians, they'd be imprisoned under the espionage act). Leaving aside the current president's reliability, Obama pronounced on the Sony hack, blaming North Korea. Almost 5 years later and no evidence has been produced and plenty of people doubt that. It's also worth noting that no president should be empowered to effectively decide billion (trillion?) dollar lawsuits without oversight or scrutiny, they're not kings after all.

* Finally I thought how adult and reasonable Lloyds' response was. Both in settling the claim (assuming they did so for a reasonable fraction of what was owed) and requiring explicit cyber policies going forwards. That's the act of a group that is reasonable and wishes to take a long term, useful, role in the economy. Any bozo can sell "insurance" policies and then quibble over every claim; the result is people stop buying. But honouring your commitments and correcting yourself going forwards is exactly what we need in insurers. I wonder what can be done to get US corporate structures to follow a similar model?


So what does this mean for company cybersecurity? Will companies be motivated to secure their networks by higher insurance rates? Will insurers hire infosec auditors? Will insurers stop offering coverage, and leave companies to consider hacks as Black Swan events?


They would be very wise to hire their own auditors, not necessarily to go into their client's businesses but to review the assessments most of them are already getting periodically, to make sure that evidence presented actually made sense and earned them a pass. It's been my experience that IT auditors are often book smart, but IT-experience poor. Some are simply not savvy or experienced enough to interpret their own framework the same way a week or a month later.


Don't know but news like this makes me happy I switched from a senior in embedded firmware to a junior in cybersecurity. The future looks good.


> One researcher told a colleague she’d lost 15 years of work.

You're telling me that you had never backed up anything in the span of 15 years?


This happens far more often than it should. Non-experts simply don't realise the importance of backups.


It could be that the backups were "online" and therefore also wiped out by the malware.


If the attacker doesn't declare war and the defender doesn't respond by going to war then the blunt answer seems like it'd have to be a no.


The claim in the article is that the target was Ukraine, the attacker Russia, and Merck a collateral casualty in an attempt to disguise a state-sponsored cyber-attack as a criminal extortion attempt.

One would need to dig deeper to get a really informed opinion. I do believe Russia to be able and willing to do that; I do believe the so-called "Western intelligence agencies" to blame any malware on Russia or China on the flimsiest evidence.

There is also the possibility that the same tools were used both by the GRU and Russian criminals, leading to a misleading identification. Black hats would totally take someone else's malware and modify it for their purpose while still hiding their tracks.

Zero days are expensive to get but once they are exploits in the wild, they are anyone's to use.


If you analyze the NotPetya attack, it differs from other ransomware attempts in two respects. First, it was specifically targeting Ukraine. Second, the attackers didn't actually take any money but rendered all systems defunct. If you are a criminal, you aim to make money, right? Why give up on that possibility? It makes no sense.

So, even though in the infosec world you can never say never, just as Stuxnet is generally attributed to Israel/USA, in the same way NotPetya is attributed to Russia, even though none of these countries will ever admit they actually did it.


>If you are a criminal, you aim to make money, right? //

I don't think that is right. You don't decide to be a criminal, you decide to perform an action, you get labelled then by others.

Some people want to destroy big businesses, they can possibly make as much money as they need already.

Of course you can make money through a side-channel that's less traceable too.


Oh I did not know that. The attack was behaving differently on Ukrainian targets? That's a pretty damning thing indeed and makes the question of the act of war very relevant.

Note that it could make sense to a pro-Russia Ukrainian group to extort money abroad and to hurt the target economically. That seems to be the Russian MO to not be directly implicated in the Ukrainian operations: help with tools, weapons and money the groups that are already in place.

They give up direct control over the actions in exchange for deniability.


As far as I know, it didn't behave differently on Ukraine targets. The attack was on Ukrainian tax software M.E.Doc that businesses in the Ukraine are legally mandated to use.

So it was targeted at the Ukraine, but plenty of multinational companies also operate there, so they were collateral damage


> One would need to dig deeper to get a really informed opinion.

There are a ton of security experts who have indeed dug deeper, and came to the conclusion that it was Russia.


There just needs to be one, with a good write-up of the evidence, and the evidence needs to be better than "they used the same tools" or "their IP is in Russia". The linked article does not detail them.

I have seen US TLAs blame China on really laughable evidence (and fail to do it properly on the one undeniable attack they did on GitHub).


This is a bit simplistic. My educated guess is that in Russia, Ukraine and probably some other countries, given the pay structure in three-letter agencies, they simply cannot afford to hire proper skills for cyber security, especially on the offensive side. So they have a hybrid private/government system where certain groups get some level of immunity for their "commercial" activities in exchange for deploying their skills for three-letter-agency use when needed. Alternatively, people who are caught for some criminal activity get their sentence suspended in exchange for services.


Yeah sure, just like sanctions and tariffs are an economic way of doing war. But how do you respond with counter cyber attacks or sanctions and tariffs?


The main problem with allowing cyberattacks into the "declaration of war" category against all known diplomatic norms, is that attribution is extremely questionable. History is full of false flags done in the physical realm. Cyberattacks will be no different, other than easier to perform.


Speaking of war. Just to show how effed is the definition, here is the article where they try to decipher between war, armed conflict, whatever else they've come up with: https://www.washingtonpost.com/world/national-security/is-it...


Considering it hit the company by accident via a server in Ukraine the whole act of war thing is really questionable.

It’s completely reckless use of malware and there should be consequences for Russia not taking care of their offensive weapons and causing serious damage.

But phrases like “act of war” shouldn’t be thrown around like that. I highly doubt that was Russia’s intention, which I think should matter, even if we still find them at fault.


I don't think the accidental nature is the crux here. As I understand it, if a Russian bomb had inadvertently damaged / destroyed a physical office in Ukraine, the insurance would not have covered that either. The question is whether or not this virus was an act of war (against Ukraine) or if this was an act of vandalism/crime by an individual actor.


Yes it was. I think everyone from Five Eyes to private cyber-security experts have said this already for the past two years.


No, it wasn't. And this over-militarized diction of cybersecurity is dangerous. You want nation states to be bombing developers sitting in offices due to a perceived threat because this garbage rhetoric is how that happens.

Oh wait, here we are. Hope your bunker is ready! https://www.zdnet.com/article/in-a-first-israel-responds-to-...


If a country funds a bunch of script kiddies to attack something somewhere does that make the attack a state action? If the state takes measures to conceal the source of that funding then is it still a state action? If a group of script kiddies takes action due to a general suggestion from a state actor? If a group of script kiddies with political aims congruent with one or more state actors takes action all on their own?

This stuff is fundamentally different than the case where a group of people end up with guns and engage in politically motivated violence. It is really a form of advanced trolling. The fact that absolutely anyone can do this with no fear for their life or freedom makes it politically meaningless.

There is no such thing as cyberwar...

So insurance is really just about insuring against security lapses. It should be priced appropriately and should come with requirements.


Act of war against .... Merck, a company? I've heard of some circuitous logic to deny insurance claims, but this was not an act of war against Merck, which BTW isn't a country, so by definition, one can't go to war with it? Well, maybe hyperbolically a competitor might, but unlike real war, they're bound by the rules and laws of civil society

This is the very definition of an accident, if the article is to be believed, with Merck not even being the target. Pay up insurers, this is why you exist.

Further, what is the point of insurance, especially for sensitive IP-laden companies like pharma research, if there's no protection against nation-state attacks, which isn't outside the realm of possibility for such companies?


That argument doesn't hold water. You don't need to be an intended target or a country for something to be an act of war.

If North Korea drops a nuclear bomb on China, and the nuclear cloud does collateral damage in India, that's still damage from an act of war.

Acts of war are excluded since insurance is designed to spread cost for isolated events. If my house burns down, everyone chips in to rebuild it. You can't reasonably insure widespread events. If an entire country is demolished, whether by war, flood, or other large-scale natural disaster, insurance would just go under.

Things are murky here. But not for those reasons. We can start with there not being a war, continue into covert ops not really being the same as war, and keep going for a while. I do think insurance SHOULD pay for this one. But it's not that simple.


While I’m opposed to using legal terms to weasel out of an insurance claim, it’s an interesting question. If Russia deliberately dropped a bomb on Merck’s factory, it would unquestionably be an act of war. Likewise if they dropped a bomb on a neighboring plant and also accidentally destroyed Merck’s plant.

But dropping a bomb on a facility in Ukraine, with equally destructive shrapnel destroying facilities all over the world? Knowing that using this weapon can easily cause such collateral damage?

We barely have the terminology for discussing this type of warfare. The initial attack was an act of war, certainly. Beyond that, we have to come up with definitions and reactions. At the very least, it’s a subject for diplomatic channels, maybe even sanctions.


Dropping a bomb is not an act of war because of the target itself. It is because to do it you have to violate the country's whole security system and cause damage to the country's real estate, which is an act of war, whereas to invade a company's cluster of computers you don't have to compromise the country's whole cybernetwork.

It is interesting though to think about aftermath. If it is not an act of war, one can compromise a country's economy without going directly against the country itself.


>Dropping a bomb is not an act of war because of the target itself. It is because to do it you have to violate the country's whole security system and cause damage to the country's real estate, which is an act of war, whereas to invade a company's cluster of computers you don't have to compromise the country's whole cybernetwork.

I would counter that you don't need to violate all of the US's defense to bomb Hawaii and we all know how that was received. So yes, a state sending assets to go destroy some other state's property within the borders of said state is generally considered an act of war. That said, details matter a lot and these situations are basically handled on a case by case basis.


Deliberate attacks against a country’s economy would probably be handled on a case by case basis through diplomatic channels.

E.g. I’d argue that if China announced it would not repay its massive Treasury debts to the US, that would basically be an act of war even if no aggression was used, just due to the extreme destructive effects. And the reaction would be similarly upsetting, although not quite on the level of an unprovoked, large-scale military action.

But it quickly becomes a discussion of semantics at that point ;)


> E.g. I’d argue that if China announced it would not repay its massive Treasury debts to the US

Other way round: US has “borrowed” money from China


Ah, I had a suspicion I had my signs mixed up. Thanks for pointing that out. Point stands though :)


Yeah, this act was wildly indiscriminate. Russia could easily have limited the propagation of NotPetya to Ukraine only, but chose not to. That makes the act irresponsible and comparable to distributing an infectious biological agent via randomly addressed mail bombs that were posted in Kiev.

An appropriate response needs to arise from a cooperative authority like the UN or Interpol, and needs a policy suited to address future events before they arise.


>If Russia deliberately dropped a bomb on Merck’s factory, it would unquestionably be an act of war.

The US does this all the time and it is not labeled an act of war. The most famous incident is the Al-Shifa medical facility, but this is common practice in the "war on terror."


In an insurance context any bombing by military airplanes falls under war exclusion clauses.


> which BTW isn't a country, so by definition, one can't go to war with it?

Suppose North Korea shoots artillery on Samsung factories. Is that not an act of war because they were targeting a company's buildings?

The US has some mixed messaging on cracking. On the one hand they reserve the right to consider attacks on them as acts of war (and to respond with bombs) on the other hand they have no reservations about cracking others (e.g. Iran).


I would say that it's not an act of war against Samsung but South Korea which should be a difference.


This was corporate property insurance, and it excluded "acts of war". It doesn't matter who the war is between; the fact that a cost was incurred due to war would mean that you cannot claim that cost on the insurance policy. If it only referred to acts against a specific state, then you would have no need to include the wording in the contract as it would be a no-op.

Insurance policies have often tried to exclude the highly-unlikely-but-ruinously-costly coverage; hence the similar "acts of god" exclusions (and obvs there's rarely any disagreement about whether god was specifically the actor). A war is usually a large-scale event causing a large amount of damage; without excluding it you would expect many insurers to be bankrupted. "Cyberwar" is something of a different matter and I could see why either side would want to litigate to clarify the definition.


>> This is the very definition of an accident

How is something deliberately planned and executed, by a military intelligence agency, for weeks or months, an accident?

And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?


>"And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?"

If the insurance claim is ~$1.3bn, we can safely say that the NotPetya cleanup isn't a trivial thing for them.

How many companies have we heard about who were totally screwed after a ransomware outbreak, because their only backups were online - network connected? Does anybody have offline backups anymore?

Is corporate IT negligent where it appears to have no disaster recovery plan?


> Is corporate IT negligent where it appears to have no disaster recovery plan?

Arguably, yes. Merck isn't a small time start-up. They've been on the Fortune 500 list for 60+ years. They can afford whatever layers of backup and redundancy they need.

> Does anybody have offline backups anymore?

Previous gigs, for large ISPs and related orgs, did. This was on a team-by-team basis, though.


Any large organization that doesn't, at a bare minimum, implement NSA's Top Ten Cybersecurity Mitigation Strategies[1], ASD's Essential Eight[2], etc. is grossly negligent; and an insurance carrier willing to write a policy not conditional on implementing those strategies is equally negligent. The insurance carriers in this case could very well be attempting to deny payment under the acts-of-war exclusion because they're too incompetent or greedy to correctly write a cybersecurity policy.

[1] https://www.nsa.gov/Portals/70/documents/what-we-do/cybersec...

[2] https://www.cyber.gov.au/publications/essential-eight-explai...


>> too incompetent or greedy to correctly write a cybersecurity policy

Don't discount the insurers just yet. The act of war exclusion is likely preferable for the insurers because it would seem to broadly cover the entire incident and because it really doesn't require a whole lot of detailed discovery into Merck's internal processes. But if that fails, then the insurers will, most likely, once again try to deny the claim, this time focusing on the details of the cybersecurity-based policy exclusions.

My guess, with no evidence to back it up, is that the policy is very detailed and specific, and upon investigating its application, the insurers will reveal a lack of proper defense and mitigation processes by Merck, just as you describe.


Did that military agency plan for it to damage Merck? Or was that an accident?


Are you serious? They planned to launch the equivalent of a digital bomb, knowing full well there would be plenty of collateral damage. Hell no it isn't an "accident"

I will put it another way. I feel quite confident the 9/11 bombers did not know, or specifically target, my friends and acquaintances who died in those towers. Therefore, are you going to claim 9-11 was an accident?

If I intend to rob a convenience store, and in the process of doing so, my gun goes off and the clerk is shot and killed, was it just an accident?


Yes I am serious. Are you? How about we keep this respectful and do away with the condescending tone, which is not really welcome here on Hacker News?

9/11 was presumably intended to damage as much property and kill as many people as possible. So no, the people who died as a result of that terrorist attack against the US were not killed by accident.

Yes, if your gun accidentally goes off during a robbery, that is by definition an accident. An accident that could have been avoided if different choices had been made, but still an accident.

If the intended target in this case was the Ukraine, and companies in the USA suffered immense damages it's reasonable to ask if those unintended consequences were accidental. Similar to how a bomb dropped on an Italian border in WWII might accidentally kill ally French citizens on the other side of the border. With cyber warfare it becomes much more interesting, because those accidents don't respect physical distance.


I never said the gun went off "accidentally", you added that word to support your otherwise baseless argument. Guns go off during robberies because the robber got nervous or impatient, because there was a melee, because a third party got involved. By deliberately bringing the gun into the situation, the subsequent claim of an "accidental" firing is nullified.

A guy drinks two quarts of whisky at his favorite bar then drives home. On the way in his drunken state he runs a red light, smashes into a school bus and kills a 9 year old he never met named Mikey. Whoops, sorry Mikey's mom and dad, it was just an accident! Because Tchaffee says so.


Great example. Killing someone while drunk is called involuntary manslaughter. Because it's an accident. It was not planned. It wasn't intentional. I never once claimed that accidents can't be horrible. Or that reckless behavior that results in an accident should not be punished. I never said it was "just" an accident. That's you putting words in my mouth. What I said is very simple: if it wasn't part of the plan, it was an accident.


Absolutely false.

Dec. 2: https://www.oregonlive.com/crime/2019/12/drunk-driver-who-ki...

Nov 14: https://www.inquirer.com/news/david-strowhouer-sentence-dui-...

Nov 8: https://eccalifornian.com/drunk-driver-given-second-degree-m...

Nov 15: https://www.pressconnects.com/story/news/public-safety/2019/...

first-degree manslaughter, third-degree murder, second-degree murder, first-degree vehicular manslaughter

"Involuntary" isn't in any of these. And these are just the first few search results.


It's only false if you are willing to be a victim of confirmation bias.

"DUI manslaughter charges are more common than DUI murder charges. Simply put, an intoxicated driver is arrested after causing an accident that resulted in the death of another person. The driver did not intend to cause the death, but it happened as a result of drunk driving."

https://dui.findlaw.com/dui-charges/dui-manslaughter-and-dui...

It would be child's play for anyone at this point to use a search engine to dig up loads of examples of people convicted for involuntary manslaughter as a result of killing someone while drunk driving.


You get points for tenacity, I'll concede that. But your argument is simply wrong. You stated: "Killing someone while drunk is called involuntary manslaughter" Of course, most of the time it is. But you didn't qualify with "usually" or "often" (or with "while driving", for that matter). A single example of killing someone while drunk NOT equating to involuntary manslaughter, is sufficient to prove your statement to be false, same as if you had said "prime numbers are odd."

The flaw in your logic this whole time is your insistence that anything unintended = accident. Things can be unintended but also not an accident. All the previous examples. Involuntary manslaughter laws tend to use the word "unintentional" but not "accidental." How about the Free Solo guy -- certainly he didn't intend to die, but had he slipped and fell, when the whole point of the climb was to do it without any safety equipment, it couldn't be classified as an accident. Car "accidents" are rarely accidents -- in most cases, one party failed to follow a safety signal or violated some rule. And yes, if you deliberately drop a bomb near a border, you can't claim the allies you killed on the other side were accidental. Collateral damage, yes, accidental, no.

If you cannot see that, or that it isn't "accidental" when a serial drunk driver kills someone, or a gun getting fired during a robbery also isn't accidental -- or when a government unleashes a computer virus that it knows will likely affect hundreds/thousands of computers owned by people or companies it doesn't care about -- well, you're maintaining a position about which few people would agree.


Actually your argument is simply wrong.

> you didn't qualify with "usually" or "often"

You're being pedantic. It is called involuntary manslaughter. And it's most often called that. And sometimes it is called other things. There is nothing false about my statement.

> same as if you had said "prime numbers are odd."

Not really. Same as if I had said "ALL prime numbers are odd". Which I did not say. "Prime numbers are odd" is a true statement. So is "prime numbers are even".

> The flaw in your logic this whole time is your insistence that anything unintended = accident

I never claimed that everything unintended is "just" an accident, but at this point you are just being pedantic. Your original claim was that something deliberately planned cannot result in accidents. That if something is planned, then the outcome itself must have also been planned. That's the flaw in your logic.

If the Russian government intended to attack Ukraine and a US company was unintentionally damaged, then no, that result was not planned.

In your original comment you claimed "knowing full well there would be plenty of collateral damage". Do you have proof that they knew there would be collateral damage? Do you have proof that they took no steps to try to contain the damage to Ukraine but they simply got it wrong?

> it isn't "accidental" when a serial drunk driver kills someone

How did the drunk driver all of a sudden become a serial drunk driver?

> a government unleashes a computer virus that it knows will likely affect hundreds/thousands of computers

Where is your evidence that they knew this?

> you're maintaining a position about which few people would agree.

So what? Does majority consensus determine logical consistency? And I'll claim the same thing: you are the one who is maintaining a position about which few people would agree. It's that easy.


Wait, didn't even reach the absurd final paragraph. If I have a bomb with a blast radius of say, 200 meters, which I drop 50 meters inside an Italian border, knowing full well the blast radius extends into France, you are still claiming deaths in France from my bomb are just an accident?


Please point out where I said you know the blast radius and which direction it heads. Not to mention it's an analogy and I'm not a bombing expert. You can probably figure out my point.


>> a bomb dropped on an Italian border in WWII might accidentally kill ally French citizens

"On an Italian border." Where else could the blast possibly go, except on both sides of the border?


The other possibility is one side of the border.


That would be an impossibility with WWII technology. It's irrelevant -- the scenario you described already acknowledged the bomb crossing the border and killing French citizens on the other side.


It's not impossible. Some of that border has steep mountains. Bombs don't always drop where you plan. Which is called an accident.


That's called manslaughter... You don't get to walk when you rob a place and "accidentally" shoot someone. A sassy judge should ask "Did you accidentally rob the place too?"


To be more specific, involuntary manslaughter. Which is broadly speaking an accident that occurred while committing a crime. Or due to some other negligence. We are still firmly in the territory of accident, regardless of the legal consequences.


You still get punished for it... That's the whole argument. Even if it's an accident, it's not the same kind of accident as turning a corner and spilling coffee on them.


The thread is not about whether or not whoever did it gets punished. The question is whether or not it was accidental or if damaging Merck was an intentional act. Based on the evidence so far, it sure seems like damaging Merck was a result of negligence and not intentional.


Releasing a computer virus intended to replicate and spread on any machine it can... like... wtf are you arguing for? The whole point to the thing was to cause massive damage to whoever the intended target was, with little care for collateral damage. It was meant to spread hard and fast and cause damage. If you infected a Merck employee with weaponized ebola and that employee traveled to the USA while the strain was still in incubation, then got USA citizens sick with ebola, "Oh, it's okay, it was just an accident. No worries! You didn't mean to hurt the USA. Want to have some cheesecake with us?" Replace the USA with Germany, Japan, Chile, Mexico, South Sudan, I don't care. I'd feel just as strongly about this. It's not a Russia-USA issue. It's a "Russia literally gives zero fucks what happens to the world." I don't see bags of rice given out to poor countries with the Russian flag on it.

It was intentional even if Merck wasn't targeted. Negligence and accident aren't magic words to hide behind if your initial goal is to cause harm in the first place. Stuxnet at least had a bunch of parameters and was highly specialized so it only deployed on its intended target with little to no chance of opening up its payload on an unintended target. I'm not going to argue whether or not Stuxnet was morally in the right. But, it sure as shit proves there is a format of trying to make sure unintended targets don't get harmed in the process of widespread release of cyber warfare.


like... wtf are you arguing for? You seem to be upset that negligence is a word that describes irresponsible behavior with unintentional results. It's still an accident. It wasn't planned. That is my initial and only point.


Not arguing with you. But I think a digital bioweapon is a better analogy than a bomb. Since it spreads without control after release, like a... well... virus. If a country released a bioweapon somewhere and it affected "un-intended targets" there's going to be a lot of international problems with that.

I kind of feel, and I'm not going to pretend I'm an expert, that digital warfare should be treated closer to biological warfare than just your typical bombs and bullets kind. Generally, and holy shit I know someone is going to flip their shit for me saying this, but generally a regular bomb (not nuke) is an acute type of problem. After it goes off, it's GENERALLY harmless after that. Yes, structure collapse, contamination, gas leaks and other after effects. But not really more booms from the bomb. Weaponized ebola can still make more people sick, not affected by the original release. Same with NotPetya and other cyber attacks. After deployed, it can affect more and more targets as time goes on.


>but this was not an act of war against Merck, which BTW isn't a country,

Its an insurance policy...an act of war is a limitation on coverage.

No one is saying an act of war was specifically committed against Merck. Merck was damaged, filed a claim with its insurance and the insurer denied coverage because the damage was the result of an act of war (that has nothing to do with Merck being a county or the attack being directed at Merck).


Act of war against Ukraine, per the article.


Not really per the article. The article says there are claims that it was an act of war against Ukraine. It does not provide proof that it was in fact an act of war.


No.


No. Not an act of war: an act of embarrassment. Merck should be shamed.

Can we stop calling these things "cyber attacks" or "hacks"? I think "gross negligence on applying even basic information security" and "a focus on security theatrics" fit much better.


It's really an act of not being prepared.

$1.7B? They should be able to destroy and rebuild their entire infrastructure in less than a day.

Have tested backup and restore processes. Ideally have all users in VMs.

I don't see how this isn't entirely Merck's fault.


Not entirely Merck's fault. It wouldn't have happened (at this time) if Russia hadn't used their weaponized exploit.

There's also something to be said for being the first large-scale victim of a category of catastrophe that is known to be a real threat, but hasn't happened on this scale before.

But you do have a point. There were probably security or IT ops people who warned about this, and if Merck's shareholders take the full hit, organizations will properly feel the risk and adjust their backup & restore processes accordingly. Not so if insurance pays the full damages.


If you cannot trust any of your existing infrastructure anymore, including servers, desktops, storage systems, directory services, and the backup systems themselves, you will not be rebuilding it all in a day...


I work at a pharmaceutical company and this does not surprise me at all. Our IT infrastructure and support is atrocious.


Our entire software and hardware ecosystem is extremely vulnerable and any single layer or part you can name has been proven insecure. Processors, programming languages, frameworks and packages, undersea cables, routers...it's swiss cheese all the way down.

All of us who are working in software and hardware are in a way to blame for this disaster and until everything is rebuilt from the ground up computing will depend on the worldwide cooperation of benevolent actors.


You're living in a modern IT dreamworld if you believe that. The number of billion dollar companies out there with thousands of lines of VB6 code and Cobol on an AS/400 is a stupidly large number.


I don't believe it, NotPetya was generic ransomware that spread to a lot of organizations including the NHS in England. This is fiction, yet another example of the neocons attempting to demonize the Russian Federation, no doubt to distract from problems at home.


You must be kidding, right? NotPetya was designed for Ukrainian targets and brought the country to their knees (again) - what some Western companies like Merck or Maersk experienced was just a tiny fraction of what the institutions in Kiev went through.

Whether insurers like AIG can run away from their contractual obligations playing the "cyber war" card is a different issue. Technically, it was a cyberattack similar to many others, no matter if the authors were Kremlin-employed or not.


Something like a missile attack on a Samsung factory is so easy to investigate and get conclusive evidence about what happened. Within hours or days we would know with almost certainty if it was an act of war or something else (accidental firing by the South Korea military or something...).

Consider something like Stuxnet, it took years before it was truly discovered and attribution could be made, at least in way which would hold up in a lawsuit about insurance claims.


The ransomware wanted $300 in Bitcoin per computer encrypted.

This is a commercial extortion attempt, not an act of war. The insurers, as is their wont don't want to pay out.


This article is talking about NotPetya. It was NOT ransomware. There was no way to recover the files.
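As an added illustration (not from the original thread and not NotPetya's code), the toy Python model below shows what separates extortion ransomware from a wiper that merely looks like ransomware: the encryption is identical in both paths; the only difference is whether anyone retains a key that can reverse it. The function names, the SHA-256 counter-mode stream cipher, and the "escrow" wrapping of the per-victim key to an attacker master key are my own simplifications standing in for the public-key wrapping real ransomware uses.

```python
"""
Toy ransomware-vs-wiper model (added example, not NotPetya's actual code).
Standard library only: hashlib for a PRF-based stream cipher, secrets for keys.
"""
import hashlib
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from SHA-256, XORed over data.
    Applying it twice with the same key and nonce restores the plaintext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ransomware_encrypt(plaintext: bytes, attacker_master: bytes):
    """Extortion model: a fresh per-victim key encrypts the data, and a copy of
    that key is wrapped under the attacker's master key and placed in the note.
    Only the attacker can unwrap it, which is what makes a ransom payment
    meaningful."""
    victim_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(victim_key, nonce, plaintext)
    wrap_nonce = secrets.token_bytes(16)
    escrow = keystream_xor(attacker_master, wrap_nonce, victim_key)  # stands in for public-key wrapping
    note = {
        "nonce": nonce,
        "wrap_nonce": wrap_nonce,
        "escrow": escrow,
        "victim_id": hashlib.sha256(escrow).hexdigest()[:16],  # bound to the escrowed key
    }
    return ciphertext, note


def ransomware_recover(ciphertext: bytes, note: dict, attacker_master: bytes) -> bytes:
    """What the attacker can do after payment: unwrap the per-victim key, decrypt."""
    victim_key = keystream_xor(attacker_master, note["wrap_nonce"], note["escrow"])
    return keystream_xor(victim_key, note["nonce"], ciphertext)


def wiper_encrypt(plaintext: bytes):
    """Wiper model: same cipher, same kind of ransom note, but the key is never
    escrowed anywhere. The "installation id" in the note is random noise with no
    relation to the key, so no party, attacker included, can reverse this."""
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    note = {"nonce": nonce, "victim_id": secrets.token_hex(8)}
    return ciphertext, note  # `key` goes out of scope here; nothing retains it


def attacker_can_recover(note: dict) -> bool:
    """Attacker-side check: recovery is only possible if the note carries wrapped key material."""
    return "escrow" in note and "wrap_nonce" in note


def demo() -> dict:
    """Run both paths over a constructed sample file and report what is recoverable."""
    sample = b"constructed sample: batch records, not real data"  # constructed input
    master = secrets.token_bytes(32)

    ct_r, note_r = ransomware_encrypt(sample, master)
    ct_w, note_w = wiper_encrypt(sample)
    return {
        "ransomware_recoverable": attacker_can_recover(note_r),
        "ransomware_recovered": ransomware_recover(ct_r, note_r, master) == sample,
        "wiper_recoverable": attacker_can_recover(note_w),
        "wiper_ciphertext_differs": ct_w != sample,
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a responder is the check `attacker_can_recover` encodes: if the ransom note carries nothing bound to the file key (no wrapped key, only a random identifier), paying cannot produce a decryptor, and the incident should be treated as destruction, not extortion, regardless of what the note says.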


Just as a thought experiment, if country X would shut down power in country Y, asking for 100 billion in ransom to start power again. Would that be an act of war, or just commercial extortion? It matters from a legal perspective, and perhaps the laws of war have to be updated for cyber warfare.


Laws of war require wearing a uniform, even for cyber soldiers. If they are not wearing a uniform when doing their informational attacks, masquerading as civilians, then it's just a war crime. There is no need to update the law.


You're misinformed, laws of war do not prohibit intentionally not wearing uniforms, and the (many!) cases of war operations performed without uniform or wearing enemy uniforms (sometimes on large unit scale, e.g. in WW2) were not considered war crimes.

What may be the source of confusion is that the Geneva convention requires wearing uniforms... to get the protections afforded by the Geneva convention. If your troops violate that requirement, then that means that if they're captured without uniforms, the enemy is free to not fulfil the prisoner of war treatment required by the Geneva conventions, but summarily execute all of them as spies; which was also often the practical consequence in WW2 if such troops were caught. A particular example may be the trial after WW2 of Otto Skorzeny and other officers for Nazi troops wearing USA uniforms during Operation Greif in the Battle of the Bulge, where they were acquitted on the claimed charges of war crimes because these actions were considered by the court as a 'legitimate ruse of war'.

If I recall correctly, masquerading as the Red Cross could be a war crime, there are specific provisions for that, but the international treaties do not prohibit masquerading as civilians or enemy troops, or performing all kinds of other misinformation.

For most members in most militaries, it's a legal requirement set by their command to wear uniforms - but it's a requirement that the commanders can alter if they deem it necessary.


Masquerading as Red Cross can be a grave breach of Article 37 of the 1977 Additional Protocol I [0]

[0] https://ihl-databases.icrc.org/ihl/WebART/470-750111 (paragraph 3.f)



Informational war is not espionage, nor sabotage. It is similar to sabotage, but, unlike sabotage, it's done from within the territory of the attacker. If someone destroys a factory behind enemy lines, then it's sabotage. If someone launches a rocket from their country to a factory in another country, then it's not.

If it is done by a state military agency, then it's an act of war.

If it is done by civilians without support of and not directed by a state, then it's terrorism.

If it is done by civilians, with support of or directed by a state, then it's state-sponsored terrorism, a war crime.

There is no excuse for warriors not wearing a uniform in their own country.


Is there a legal basis for that argument or is that your opinion?


It's my opinion. If (when) I catch Russian informational warriors, masquerading as civilian journalists, I will treat them as spies, because they are not wearing a uniform when doing war, even if they are doing their attack from their own country.



