Obamacare for Geopolitics

The United States needs better insurance against attacks—whether by Mother Nature or human actors.

A New York City police officer stands in fog after a water main break on Broadway in New York on Jan. 13.
A New York City police officer stands in fog after a water main break on Broadway in New York on Jan. 13. Timothy A. Clary/AFP/Getty Images

Assume you’re the leader of a nation that wants to strike another country—and that you want to do so without running the risk of devastating military revenge against your own. You’re in luck: Thanks to globalization and ever-increasing digitalization, you can hurt your rival by, say, launching multiple deniable cyberattacks against vital targets in its capital. You or your proxies can, for example, shut down transport networks or major corporations. Otherwise, there’s increasingly something even more insidious you could try: exploiting cities’ and businesses’ massive insurance gaps.

Consider this: Geopolitical and security risks endanger about $133 billon in some of the world’s 279 most important cities. That’s about 25 percent of the total economic activity in those cities. According to the Global Risk Outlook 2020, a report published by the Centre for Risk Studies at the University of Cambridge, the cities most vulnerable to geopolitical and security risks are Tokyo followed by Baghdad, Istanbul, Cairo, Riyadh, Osaka, Lagos, Khartoum, Tehran, and Manila.

In these and other cities, only a small share of assets are insured against geopolitical and security risk. The same is true for many cargo ships—troubling, given that 80 percent of the world’s trade travels by sea. Likewise, commercial firms supply armed forces around the globe with many of their vital goods via this route. These are insurance gaps, James Vickers, the chairman of Willis Re International, a global reinsurance broker, told me in January. “And they’re growing as the economies in many countries expands toward more exposed areas. In the [United States] for example, there’s more and more economic growth on the coasts, which are more exposed than the middle of the country to severe weather events.”

Insurance gaps are a serious issue, whether the attacks are perpetrated by Mother Nature, terrorists, or hostile states and their proxies. The tremors that hit Italy in August and October 2016 caused losses of $6 billion, of which only 3.4 percent was covered by insurance, the insurance think tank Geneva Association explains in a 2018 report. The Kumamoto earthquakes in Japan the same year caused economic losses of $32 billion, of which only $7 billion was covered by insurance. The terrorist attack on London Bridge and Borough Market in London in 2017, meanwhile, cost merchants forced to close their businesses for nearly two weeks an estimated 1.4 billion pounds, about $1.8 billion. They had no other recourse; the insurance available didn’t provide cover for such situations.

It is safe to assume that countries around the world are familiarizing themselves with their adversaries’ insurance gaps. Of course, asymmetric aggression—attacks below the threshold that would trigger a military response—are enormously attractive to rival countries even without such holes. And they’re increasingly common. In May 2019, for example, Deutsche Telekom’s honeypot system, a set of decoy targets for hackers, was targeted by cyberattacks an average of 30 million times per day; by November that figure had risen to an average of 42 million attacks per day. Not all of the attacks came from hostile states or their proxies, of course, but many did. Such grey-zone attempts are so appealing to attackers because they’re hard to attribute to a foreign government and even harder to retaliate against.

Insurance gaps make such attacks even more appealing. Companies have already learned to make themselves less attractive targets through good cyberdefense and hygiene, but they may not have realized that the absence of something as humble as an insurance policy may entice hostile actors to target them. U.S. firms may, for example, want to think about whether they’re covered against a strike Iran may launch to avenge the military leader Qassem Suleimani’s death.

It is, of course, in insurers’ interest to highlight the need for insurance, but there’s no doubt that insurance gaps are becoming a national security issue. Indeed, as the London Bridge terrorist made painfully clear, insurers may need to create new policies that will cover the range of devious deeds terrorists may come up with. There have always been people and companies that skimped on insurance, assuming they’d never need it. But the country that best exploits the weakness of another gains the upper hand—and insurance is one such weakness, as striking an underinsured target causes more harm than striking a well-insured one.

When NotPetya, a computer virus that originated with the Russian government, hit Merck in 2017, one of the results was that Merck couldn’t make its planned supply of HPV vaccine and had to borrow emergency supplies from the U.S. government. The pharmaceutical giant lost $870 million. If the U.S. government retaliated against Russia for the trouble, it didn’t say so. And Merck didn’t get the insurance payout it had counted on: It merely had property insurance, not war insurance, and its insurers made the rather logical point that an attack by the Russian government was an act of war.

Of course, governments of most developed countries possess powerful offensive capabilities that can deter at least some nonmilitary attacks. They also have good defensive tools, including civil contingencies agencies, that can limit the effects of catastrophic events. Some also conduct offensive cyberoperations themselves, partly for deterrence purposes. For example, in its 2018 Cyber Strategy, the U.S. Department of Defense vowed to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” In practice, under this defending forward policy, U.S. cybersoldiers patrol the world like neighborhood cops, occasionally making arrests to signal that it’s not worth misbehaving. While insurance may not be their foremost concern, they’re aware that cyberconflicts are only limited by attackers’ imaginations.

And not even the best cop can prevent all crime. Like earthquakes and terrorist attacks, nonmilitary attacks by hostile states could bring companies to the edge of ruin. “What do people do when they’re hit and can’t stand themselves up? They ask the government for money,” Vickers noted. “But governments are stretched.” Indeed, even wealthy governments such as those of Japan or Italy would struggle to provide repeated multibillion-dollar rescues. And the situation is much more critical in, say, Baghdad, Khartoum, and Tehran, where governments are both less wealthy and less able to minimize disruptions—strong insurance coverage would thus be vital.

NATO, meanwhile, worries about insurance during severe emergencies—that is, when one or more member states are under immediate threat of military attack. Because insurance policies typically (and not unreasonably) have so-called war exclusions, the outbreak of fighting would very rapidly put peacetime insurance policies out of action. Ships and aircraft would have a limited window to exit threatened areas, and new commercial war risk insurance policies that do exist would become commercially unavailable or extremely expensive. “In a crisis or conflict, the lack of war risk insurance would limit governments’ access to commercial air and sea lift,” Hasit Thankey, NATO’s head of resilience, told me. “NATO recognizes the importance of prearranging such insurance, or at least having alternative means to indemnify commercial carriers.”

Attacks on companies and other civilian targets will keep occurring simply because the costs are so low and they are such attractive targets. Governments may need to oblige companies to properly insure themselves and insurers to offer policies that cover all the forms of aggression hostile states, their proxies, and terrorists might come up with. But who’s going to pay for it? The Geneva Association proposes mandatory insurance schemes—a model similar to Germany’s health care system, where residents are obliged to get health insurance, which is provided by government-approved private companies. Call it Obamacare for geopolitics, with all the associated upsides and drawbacks. Yet the uncomfortable truth is this: Countries’ vulnerabilities are limited only by their rivals’ imagination. Protecting everyday life requires imagination, too, along with some money.

Elisabeth Braw is a fellow at the American Enterprise Institute. Twitter: @elisabethbraw

Trending Now Sponsored Links by Taboola

By Taboola

More from Foreign Policy

By Taboola