
Law Practice

Sep. 25, 2017

Is your law firm thinking about ‘cyber kinetic’ attacks?

Attorneys should weigh cyber threats more heavily when accounting for risk in contracts and in advising their clients

Daniel B. Garrie

Neutral, JAMS

Cyber Security

Orange County

Cell: (212) 826-5351

Email: daniel@lawandforensics.com

Yoav Griver

Partner, Zeichner Ellman & Krause

Email: ygiver@zeklaw.com

Yoav has 20+ years’ experience in litigating complex disputes in a range of areas, including cyber, privacy, and data breaches.

North Korea’s nuclear capabilities have received significant press recently, and not without cause. The possibility of a mushroom cloud over Los Angeles is terrifying and certainly warrants concern. Seemingly lost in the focus on a future nuclear attack, however, is the current capacity of North Korea and others to launch a devastating digital attack against the United States.

Right now, cyberattacks could take state and federal courts offline, or cause a chemical plant to melt down and release a deadly chemical cloud over part of the United States. These threats, however, are often overlooked, despite being generally more imminent than traditional kinetic attacks. Accordingly, attorneys should weigh cyber threats more heavily when accounting for risk in contracts and in advising their clients.

The cyberattacks described above are identified as “cyber kinetic” attacks — i.e., digital hacks that cause physical harm. Many nations perform cyber kinetic attacks regularly, including the United States, which reportedly has been cyber kinetically sabotaging North Korean missile programs for years. To continue with North Korea as an example, while the press has focused on their nuclear capabilities, there is considerable evidence demonstrating that North Korea has already attained the resources, skills, and capabilities necessary to digitally attack the United States, and potentially cause significant physical damage and loss of life.

North Korea, however, is but one example and there are significantly more powerful cyber regimes that pose a potential threat to the United States. The likelihood and potential for destruction of cyber kinetic attacks, of which we have seen only a small glimpse to date, significantly outweigh the chances of a nuclear attack or a physical terrorist attack. This is partly due to the fact that cyberattacks have a low barrier to entry, can be conducted from anywhere in the world, and are extremely difficult to attribute. This makes them ideal weapons for factions or smaller nations targeting a nation with a powerful conventional military force, such as the United States.

Anticipating these threats is challenging, because there are so many possibilities for cyber kinetic attacks that we have not seen come to fruition yet. It is imperative, however, to start considering the possibilities and to have the conversation with clients and throughout the legal community. The following are some examples of potential cyber kinetic attack situations that lawyers may want to consider in assessing risk:

• Targeting nuclear power plants or nuclear weapons systems to cause malfunctions (indeed, one of the most famous examples of a cyber kinetic attack is the Stuxnet virus that caused centrifuges in an Iranian nuclear power plant to malfunction);

• Targeting power grids and critical infrastructure;

• Targeting rail systems, causing trains to collide or derail. Such an attack can target passenger trains, which carry people, or freight trains, which often carry dangerous cargoes like toxic chemicals;

• Targeting hydroelectric companies to open waterways and destroy nearby communities, as well as deprive regions of power;

• Targeting the computer networks that maintain air traffic control centers;

• Targeting automobiles that contain software to cause malfunctions while driving;

• Targeting medical devices such as pacemakers or insulin pumps.

Of course, these are but a few of the potentially destructive uses of cyberattacks. This list is by no means exhaustive and cyber threats evolve rapidly.

Given such imminent threats, lawyers should be asking, “Why do we continue to write and approve contracts that account for physical harm but largely ignore harm arising from a cyber kinetic attack?” The answer is complex, but one possible contributing factor is that blood and bullets are more tangible than 1s and 0s. The image of a mushroom cloud is iconic, while malware is faceless. Good lawyers, however, consider every angle, especially those that aren’t sensationalized.

Here then are some basic suggestions for dealing with large scale cyber kinetic attacks. First, clients should include cyber insurance in their portfolio of insurance products, along with standard general liability, director and officer, and workers compensation insurance. And, the cyber insurance product being considered should be carefully reviewed by the attorney to make sure that it fits the client’s purpose and business.

Second, cyber kinetic attacks should be incorporated into client disaster preparedness policies and protocols. Plans should be made now to protect and/or migrate essential information in the event the client is impacted by a cyber kinetic attack, just as companies now routinely prepare for hurricanes, floods, or terror attacks.

Third, relevant contracts should be scrutinized, amended or written to take cyber incidents into account. For example, large-scale cyber incidents could be incorporated into the “act of God” or force majeure clause that would release your client, in whole or in part, from meeting the contract’s requirements. Likewise, indemnification provisions should apportion liability in the event of a cyber incident, and reps and warranties should be used to ensure that the parties to a contract, particularly vendors in vendor contracts, have taken appropriate steps to protect their data from hacks.

This article represents only the personal views of the authors and does not reflect those of their employers or clients.
