The small print leaving UK plc exposed to ‘nuclear level’ cyber attacks

INTERNATIONAL DESK: At a press conference in the heart of Silicon Valley, five men in suits posed for a photograph that shed unprecedented light on the world’s most powerful intelligence partnership.

The men belonged to the Five Eyes espionage alliance, each representing intelligence services from Britain, Australia, Canada, New Zealand, and the US. Until then, they had never appeared together in public.

Their smiles to the camera contrasted against a dark warning shared by one group member, Britain’s head of MI5, Ken McCallum.

The UK had seen a sharp rise in aggressive attempts by foreign states to steal the country’s high-tech secrets, he warned. The biggest threat of all: China.

According to McCallum, more than 20,000 people in the UK have been approached by Chinese agents online as part of “epic scale” espionage efforts.

One alleged Chinese spy created fake profiles on LinkedIn to contact thousands of British officials – offering cash, trips to China and paid speaking gigs as ways of extracting state secrets.

Reports of China’s covert spy network in the UK will weigh on the minds of City bosses, as corporations fortify their offices with costly cyber defences to protect their data being stolen by ransomware gangs.

While some UK companies are now spending millions of pounds spent on cyber insurance, many remain uncovered.

Most vulnerable are Britain’s small and medium-sized businesses, according to Jamie MacColl, a cyber research fellow at defence think tank Royal United Services Institute.

“A lot of organisations just don’t view it as an important risk, particularly smaller companies. They might think, you know, a cyber attack is something that happens to someone else, or it’s something that only happens to large corporations,” he says.

The coverage gap can be partly blamed on insurance fees.

A decade ago, cyber insurance was cheap and easy to buy. Insurance companies cut their prices to spark demand in a nascent market.

“Naive insurers entered into the cyber insurance market with not a lot of cybersecurity expertise, wrote policies that had very high limits and no kind of security requirements to get a policy. They all got burnt when ransomware became an issue,” says MacColl.

The rise of Russian-backed cyber hackers demanding multi-million pound ransoms from City firms left underwriters lumbered with mounting losses. Some insurers were forced to leave the cyber risk market entirely.

Profit-seeking insurers hiked prices and made it harder to qualify for protection, with many companies not meeting the higher minimum security requirements.

While costs have since come down as more cyber insurers re-entered the market over the past year, how much these policies will actually cover has also been hotly debated.

Where trade secrets are stolen by cyber spies, the answer is typically straightforward.

While insurance will often pay for follow-on investigation and compliance costs after a cyber attack, the loss of intellectual property and proprietary information is not usually covered.

Insurers can easily determine the value of financial losses from a company’s day-to-day operations being disrupted, but the same can’t be said for trade secrets.

“It’s hard to put a value on them. That’s not to say there’s no damage, but it’s harder for insurers to quantify,” says Josephine Wolff, an associate professor of cybersecurity policy at Tufts University in the US.

More complex is who foots the bill in the case of a catastrophic cyber attack.

Lloyd’s of London, the biggest and oldest global insurance market in the world, last year began excluding devastating “state-backed” cyber attacks from its standard insurance policies.

The new rule stopped insurers selling protection against state-sponsored cyber attacks which are so severe they “significantly impact” a country’s ability to function.

It sought to protect insurers from being exposed to enormous costs of systemic cyber warfare, updating war exclusions first introduced to protect earlier risk managers from being crippled by the costs of replacing sunken battleships during the Spanish Civil War.

“Think the digital equivalent of a nuclear strike. This remotest of possibilities, like a nuclear strike, is not one that insurers can cover as standard,” James Burns, head of cyber strategy at insurance company CFC Underwriting, wrote on LinkedIn.

The overhaul came after Western powers blamed Russia for the NotPetya hack in 2017, one of the most destructive cyber attacks in history which shut down computer systems of companies in more than 60 countries.

After a lengthy legal battle, insurers were left on the hook for billions of dollars in insurance claims.

However, it is not clear how the cyber exclusions will actually work in practice.

“We haven’t seen a lot of big tests of them yet. We haven’t seen a lot of attacks where insurers have denied big claims and people have gone to court to fight out what it all really means,” says Wolff.

This uncertainty will fuel companies’ concerns over reports that Chinese spies are lurking within their systems, laying the groundwork for future cyber warfare.

The potential danger of undetected spies was laid bare last year, after Chinese hacking group Volt Typhoon was caught breaching a US communications system at a crucial military outpost in the Pacific Ocean.

The China-based cyber attackers had been hiding on the island’s IT system since 2021 through a “stealthy and targeted” hacking campaign.

Microsoft security researchers said with “moderate confidence” that the covert attack was investigating ways to disrupt critical communications infrastructure between the US and Asia in future crises.

The discovery prompted fears that Beijing would try and cut off American military channels during an invasion of Taiwan, a long-time ally of the US located less than 2,000 miles away from the outpost.

It triggered a worldwide alert by the Five Eyes, with the UK’s cybersecurity agency later urging operators of critical national infrastructure to “take action to prevent attackers hiding on their systems”.

Rafe Pilling, director of threat intelligence at US cybersecurity company Secureworks, says: “You can’t just press a button and have a cyber attack being launched in the same way you can a missile. All of the access has to be in place ahead of time,” he says.

Renewed fears around Chinese espionage will serve as a reminder that although insurers are there to absorb risk, there’s a limit to the protection they offer.

“Companies can’t just think that insurance is going to be a panacea. They have to do things themselves,” says Jonathan Kewley, partner and co-chair of the global tech group at magic circle law firm Clifford Chance.

The smiles at that Silicon Valley press conference belie an alliance working furiously to defend Western infrastructure from attacks too devastating to insure against. (THE TELEGRAPH)