State-led Offensive Cyber Operations Return to the Fore

By Hans Allnutt & Tom Evans


Published 28 February 2022


The shocking events taking place in Ukraine, and increased speculation regarding offensive cyber operations emanating from Russia, have driven state-led cyber capabilities firmly back into the consciousness of risk assessors, consultants and underwriters across the insurance market.

The Council on Foreign Relations reports that since 2005, thirty-four countries are suspected of sponsoring cyber operations [1]. Of those, China, Russia, Iran, and North Korea are attributed as having sponsored 77 percent of all suspected operations. Whilst the overwhelming majority of operations are characterised as espionage, those that fall into the category of offensive cyber, although less common, have proved on occasion to be hugely destructive. In the worst cases, they have been indiscriminate and, whilst another State’s government or national infrastructure might have been the putative target, the collateral damage caused has been far more widespread. NotPetya provides perhaps the most sobering example of this, but the SolarWinds Orion, APT31 and APT40 attacks proved similarly pervasive. All were attributed to either Russia or China, and all had direct and significant impacts on commercial organisations, not only those engaged in government contracts.

Beyond the immediate victim organisations, the impact of these operations has also proved hugely important for the global insurance market. Recent judgments involving Ace American Insurance [2] and Zurich [3] have thrown into stark relief just how vulnerable insurance policies can be to cyber-attacks attributable to States, to which standard war risks exclusions, for example, were held to be inapplicable.

There can be little doubt that this type of activity is also on the rise. According to The World Economic Forum’s Global Risks Report for 2022, cybersecurity failure ranks as a top five risk in East Asia and the Pacific as well as in Europe, while four countries (Australia, Great Britain, Ireland and New Zealand) ranked it as the number one risk. The report goes on to stress that:

“In an era of rising tensions between superpowers, cyberattacks are another battlefront in which escalation is a key risk. If cyber threats continue without mitigation, governments will continue to retaliate against perpetrators (actual or perceived), leading to open cyberwarfare, further disruption for societies and loss of trust in governments’ ability to act as digital stewards.” [4]

The potential disruption envisaged here is sometimes characterised as systemic cyber risk; i.e., the risk that an offensive cyber operation causes the breakdown of an entire system or market, as opposed to one component part. The danger sometimes associated with cyber capabilities is that States’ behaviour at times seems to suggest that the inherent deniability of operations in the cyber realm makes their deployment somehow less risky [5]. Whilst that may hold true from an attribution perspective, it makes them all the more dangerous for those seeking to mitigate risks commercially. How does an underwriter assess the risk posed by such activity when comparative ease of use and deployment is high, but confidence in attribution to a particular State is low? The exercise becomes especially challenging in a geopolitical environment in which attribution becomes undesirable to those States actually capable of achieving it.


Cooperation between States in regulating their own cyber activities is widely considered to be neither achievable, nor desirable [6]. As a result, State governments are coming to be seen increasingly as struggling in their responsibilities to address threats to their own societies’ digital security. Speculation is rife that these difficulties will only be exacerbated by the advent of Internet 3.0 and the growth of the metaverse [7].


In terms of how State-sponsored offensive cyber operations differ from more general cybercrime, the lines of demarcation are not always clear-cut. Whilst most cybercrime is conducted for economic gain, it is not difficult to conceive of any number of scenarios in which a cyber-criminal threat actor group’s desire to make money from exploiting a vulnerability could also serve the purposes of a State government seeking to destabilise a particular economy, market, or sector [8]. The ability of a government to distance itself from those individuals actually conducting cyber-attacks can also, plainly, be desirable.


It is clear that with the colossal rise in ransomware and malware incidents since 2020 [9], the potential for State actors to exploit this trend is huge. Whilst some of this activity may take the form of disinformation or deep fakes for political outcomes, which may be of less immediate concern for commercial organisations, those organisations and insurers involved in, for example, the provision of critical national infrastructure, essential digital services, and government contracting, will need to be increasingly alive to the cyber security threat posed by State-sponsored offensive cyber operations.


For insurers, taking steps to integrate cyber war exclusions sooner rather than later will be key to reducing their exposure and the risk of adverse judgments in contested claims. As ever, attribution will continue to play a crucial role, but understanding the scope for State-led activity in the cyber domain, including activity that might be disguised as more generic cybercrime, will help to mitigate this growing risk area.



[1] Council on Foreign Relations Cyber Operations Tracker (https://www.cfr.org/cyber-operations/), accessed 14 February 2022.

[2] Merck & Co., Inc. v. Ace Am. Ins. Co., Case No. UNN-L-002682, (N.J. Super. Ct. Law Div. 2018)

[3] Mondelez Int'l, Inc. v. Zurich Am. Ins. Co., Case No. 2018-L-011008 (Cir. Ct., Cook Cnty.) Complaint filed Oct. 10, 2018.

[4] The Global Risks Report 2022, 17th Edition, published by the World Economic Forum.

[5] Sanger, D. The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. Scribe UK, 2018.

[6] Taylor, J. The Regulation of the Civilian and Military Realms of Cyberspace. M.R.L.C.E 2017, 6, 121-147

[7] Clark, P.A. 2021. “The metaverse has already arrived. Here’s what that actually means”. Time. 15 November 2021. (https://time.com/6116826/what-isthe-metaverse/), accessed 14 February 2022.

[8] Countering State-Sponsored Cybercrime. The United States’ Attorney’s Office, Southern District of New York (https://www.justice.gov/usao-sdny/countering-state-sponsored-cybercrime), accessed 16 February 2022.

[9] Help Net Security. 2021. “Malware increased by 358% in 2020”. Help Net Security. 17 February 2021. (https://www.helpnetsecurity.com/2021/02/17/malware-2020/), accessed 15 February 2022.


Tom Evans has recently joined DAC Beachcroft’s Cyber Team from the Royal Navy, where he specialised in matters of national security law and cyber. Tom is an expert in State-led cyber operations.