A Cyber Insurance Backstop

In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of Merck’s computers, which significantly disrupted the company’s drug and vaccine production. After Merck filed its $700 million claim, the pharmaceutical giant’s insurers argued that they were not required to cover the malware’s damage because the cyberattack was widely attributed to the Russian government and therefore was excluded from standard property and casualty insurance coverage as a “hostile or warlike act.”

At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?

One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for the federal government to step in and help pay for these sorts of attacks by providing a cyber insurance backstop. A cyber insurance backstop would provide a means for insurers to receive financial support from the federal government in the event that there was a catastrophic cyberattack that caused so much financial damage that the insurers could not afford to cover all of it.

In his discussion of a potential backstop, Chertoff specifically references the Terrorism Risk Insurance Act (TRIA) as a model. TRIA was passed in 2002 to provide financial assistance to the insurers who were reeling from covering the costs of the Sept. 11, 2001, terrorist attacks. It also created the Terrorism Risk Insurance Program (TRIP), a public-private system of compensation for some terrorism insurance claims. The 9/11 attacks cost insurers and reinsurers $47 billion. It was one of the most expensive insured events in history and prompted many insurers to stop offering terrorism coverage, while others raised the premiums for such policies significantly, making them prohibitively expensive for many businesses. The government passed TRIA to provide support for insurers in the event of another terrorist attack, so that they would be willing to offer terrorism coverage again at reasonable rates. President Biden’s 2023 National Cybersecurity Strategy tasked the Treasury and Homeland Security Departments with investigating possible ways of implementing something similar for large cyberattacks.

There is a growing (and unsurprising) consensus among insurers in favor of the creation and implementation of a federal cyber insurance backstop. Like terrorist attacks, catastrophic cyberattacks are difficult for insurers to predict or model because there is not very good historical data about them—and even if there were, it’s not clear that past patterns of cyberattacks will dictate future ones. What’s more, cyberattacks could cost insurers astronomic sums of money, especially if all of their policyholders were simultaneously affected by the same attack. However, despite this consensus and the fact that this idea of the government acting as the “insurer of last resort” was first floated more than a decade ago, actually developing a sound, thorough proposal for a backstop has proved to be much more challenging than many insurers and policymakers anticipated.

One major point of issue is determining a threshold for what types of cyberattacks should trigger a backstop. Specific characteristics of cyberattacks—such as who perpetrated the attack, the motive behind it, and total damage it has caused—are often exceedingly difficult to determine. Therefore, even if policymakers could agree on what types of attacks they think the government should pay for based on these characteristics, they likely won’t be able to calculate which incursions actually qualify for assistance.

For instance, NotPetya is estimated to have caused more than $10 billion in damage worldwide, but the quantifiable amount of damage it actually did is unknown. The attack caused a wide variety of disruptions in many different industries, many of which likely went unreported since many companies had no incentive to publicize their security failings and were not required to do so. Observers do, however, have a pretty good idea who was behind the NotPetya attack because several governments, including the United States and the United Kingdom, issued coordinated statements blaming the Russian military. As for the motive behind NotPetya, the program was initially transmitted through Ukrainian accounting software, which suggests that it was intended to target Ukrainian critical infrastructure. But notably, this type of coordinated, consensus-based attribution to a specific government is relatively rare when it comes to cyberattacks. Future attacks are not likely to receive the same determination.

In the absence of a government backstop, the insurance industry has begun to carve out larger and larger exceptions to their standard cyber coverage. For example, in a pair of rulings against Merck’s insurers, judges in New Jersey ruled that the insurance exclusions for “hostile or warlike acts” (such as the one in Merck’s property policy that excluded coverage for “loss or damage caused by hostile or warlike action in time of peace or war by any government or sovereign power”) were not sufficiently specific to encompass a cyberattack such as NotPetya that did not involve the use of traditional force.

Accordingly, insurers such as Lloyd’s have begun to change their policy language to explicitly exclude broad swaths of cyberattacks that are perpetrated by nation-states. In an August 2022 bulletin, Lloyd’s instructed its underwriters to exclude from all cyber insurance policies not just losses arising from war but also “losses arising from state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.” Other insurers, such as Chubb, have tried to avoid tricky questions about attribution by suggesting a government response-based exclusion for war that only applies if a government responds to a cyberattack by authorizing the use of force. Chubb has also introduced explicit definitions for cyberattacks that pose a “systemic risk” or impact multiple entities simultaneously. But most of this language has not yet been tested by insurers trying to deny claims. No one, including the companies buying the policies with these exclusions written into them, really knows exactly which types of cyberattacks they exclude. It’s not clear what types of cyberattacks courts will recognize as being state-sponsored, or posing systemic risks, or significantly impairing the ability of a state to function. And for the policyholders whose insurance exclusions feature this sort of language, it matters a great deal how that language in their exclusions will be parsed and understood by courts adjudicating claim disputes.

These types of recent exclusions leave a large hole in companies’ coverage for cyber risks, placing even more pressure on the government to help. One of the reasons Chertoff gives for why the backstop is important is to help clarify for organizations what cyber risk-related costs they are and are not responsible for. That clarity will require very specific definitions of what types of cyberattacks the government will and will not pay for. And as the insurers know, it can be quite difficult to anticipate what the next catastrophic cyberattack will look like or how to craft a policy that will enable the government to pay only for a narrow slice of cyberattacks in a varied and unpredictable threat landscape. Get this wrong, and the government will end up writing some very large checks.

And in comparison to insurers’ coverage of terrorist attacks, large-scale cyberattacks are much more common and affect far more organizations, which makes it a far more costly risk that no one wants to take on. Organizations don’t want to—that’s why they buy insurance. Insurance companies don’t want to—that’s why they look to the government for assistance. But, so far, the U.S. government doesn’t want to take on the risk, either.

It is safe to assume, however, that regardless of whether a formal backstop is established, the federal government would step in and help pay for a sufficiently catastrophic cyberattack. If the electric grid went down nationwide, for instance, the U.S. government would certainly help cover the resulting costs. It’s possible to imagine any number of catastrophic scenarios in which an ad hoc backstop would be implemented hastily to help address massive costs and catastrophic damage, but that’s not primarily what insurers and their policyholders are looking for. They want some reassurance and clarity up front about what types of incidents the government will help pay for. But to provide that kind of promise in advance, the government likely would have to pair it with some security requirements, such as implementing multifactor authentication, strong encryption, or intrusion detection systems. Otherwise, they create a moral hazard problem, where companies may decide they can invest less in security knowing that the government will bail them out if they are the victims of a really expensive attack.

The U.S. government has been looking into the issue for a while, though, even before the 2023 National Cybersecurity Strategy was released. In 2022, for instance, the Federal Insurance Office in the Treasury Department published a Request for Comment on a “Potential Federal Insurance Response to Catastrophic Cyber Incidents.” The responses recommended a variety of different possible backstop models, ranging from expanding TRIP to encompass certain catastrophic cyber incidents, to creating a new structure similar to the National Flood Insurance Program that helps underwrite flood insurance, to trying a public-private partnership backstop model similar to the United Kingdom’s Pool Re program.

Many of these responses rightly noted that while it might eventually make sense to have some federal backstop, implementing such a program immediately might be premature. University of Edinburgh Professor Daniel Woods, for example, made a compelling case for why it was too soon to institute a backstop in Lawfare last year. Woods wrote,

“One might argue similarly that a cyber insurance backstop would subsidize those companies whose security posture creates the potential for cyber catastrophe, such as the NotPetya attack that caused $10 billion in damage. Infection in this instance could have been prevented by basic cyber hygiene. Why should companies that do not employ basic cyber hygiene be subsidized by industry peers? The argument is even less clear for a taxpayer-funded subsidy.”

The answer is to ensure that a backstop applies only to companies that follow basic cyber hygiene guidelines, or to insurers who require those hygiene measures of their policyholders. These are the types of controls many are familiar with: complicated passwords, app-based two-factor authentication, antivirus programs, and warning labels on emails. But this is easier said than done. To a surprising extent, it is difficult to know which security controls really work to improve companies’ cybersecurity. Scholars know what they think works: strong encryption, multifactor authentication, regular software updates, and automated backups. But there is not anywhere near as much empirical evidence as there ought to be about how effective these measures are in different implementations, or how much they reduce a company’s exposure to cyber risk.

This is largely due to companies’ reluctance to share detailed, quantitative information about cybersecurity incidents because any such information may be used to criticize their security posture or, even worse, as evidence for a government investigation or class-action lawsuit. And when insurers and regulators alike try to gather that data, they often run into legal roadblocks because these investigations are often run by lawyers who claim that the results are shielded by attorney-client privilege or work product doctrine. In some cases, companies don’t write down their findings at all to avoid the possibility of its being used against them in court. Without this data, it’s difficult for insurers to be confident that what they’re requiring of their policyholders will really work to improve those policyholders’ security and decrease their claims for cybersecurity-related incidents under their policies. Similarly, it’s hard for the federal government to be confident that they can impose requirements for a backstop that will actually raise the level of cybersecurity hygiene nationwide.

The key to managing cyber risks—both large and small—and designing a cyber backstop is determining what security practices can effectively mitigate the impact of these attacks. If there were data showing which controls work, insurers could then require that their policyholders use them, in the same way they require policyholders to install smoke detectors or burglar alarms. Similarly, if the government had better data about which security tools actually work, it could establish a backstop that applied only to victims who have used those tools as safeguards. The goal of this effort, of course, is to improve organizations’ overall cybersecurity in addition to providing financial assistance.

There are a number of ways this data could be collected. Insurers could do it through their claims databases and then aggregate that data across carriers to policymakers. They did this for car safety measures starting in the 1950s, when a group of insurance associations founded the Insurance Institute for Highway Safety. The government could use its increasing reporting authorities, for instance under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, to require that companies report data about cybersecurity incidents, including which countermeasures were in place and the root causes of the incidents. Or the government could establish an entirely new entity in the form of a Bureau for Cyber Statistics that would be devoted to collecting and analyzing this type of data.

Scholars and policymakers can’t design a cyber backstop until this data is collected and studied to determine what works best for cybersecurity. More broadly, organizations’ cybersecurity cannot improve until more is known about the threat landscape and the most effective tools for managing cyber risk.

If the cybersecurity community doesn’t pause to gather that data first, then it will never be able to meaningfully strengthen companies’ security postures against large-scale cyberattacks, and insurers and government officials will just keep passing the buck back and forth, while the victims are left to pay for those attacks themselves.

This essay was written with Josephine Wolff, and was originally published in Lawfare.

Posted on February 28, 2024 at 7:02 AM • 27 Comments

Comments

Dave February 28, 2024 9:49 AM

A federal backstop for corporations without minimum standards for eligibility sets the wrong incentives. There are plenty of clever attackers, but there are also far too many companies using outdated, unpatched equipment. Shifting the costs to the government lowers the incentive for companies to improve baseline security.

echo February 28, 2024 10:37 AM

This is almost as worrying as endorsing the scheme by a random lawyer to indemnify if a particular handwavy set of authorities and processes was used. That was an industry “get out of jail free” card if ever I saw one.

This insurance backstop wheeze is socialism for rich people.

UK and EU are way ahead of the US in some areas that matter. If not regulations then law or the general aspects of governance and social attitudes which are all interlinked. I know the classic GDP/neoliberal school don’t get it but that’s a systemic pressure which affects outcomes.

https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Quality_of_life_indicators_-_measuring_quality_of_life#The_need_for_measurement_beyond_GDP

The US especially (as post 1970 it is the biggest guilty party) needs to look beyond GDP and prioritise quality of life indicators. And yes this can include security even if nobody wants to hear it. Nobody is going to find the answer staring at a soldering iron or their bank balance.

Macron and the French government have been upping their game recently. The French have always been good at some things. They put it more diplomatically than me but I’m tending to agree to let US problems be US problems. The poodles in Downing Street won’t like it but the hallmark of Europe is quality. I’m all in on that.

JonKnowsNothing February 28, 2024 11:18 AM

@TimH, ALL

re: So “we the people” pay for lax security measures?

What the real dynamic is:

  • (US) Capitalism requires all things must generate profit
    • Corporations generate profit
  • No opportunity can be passed to generate profit
    • Cyber Insurance is a new opportunity to generate profit
  • Profit is not for the Public Good; Profit is for the Private Good
    • Removing assets from the Public Good to fund a Private Good improves Profit
  • Profit is the only marker that matters. Stock Value is a means to determine Profit Marker.
    • Shareholder and stock ownership is of variable value.
    • The Public is neither owner nor shareholder.

So in summary:

  • Some people will make a lot of money and buy mega mansions from Your Individual contribution(s) to Their Wealth Fund.

jbmartin6 February 28, 2024 11:26 AM

Of course insurers back the creation of a federal backstop, that’s free re-insurance for them. Let these private companies either pay for the re-insurance or refrain from writing the policies. This is supposedly what they are good at, isn’t it? There are some interesting points about data sharing perhaps, but in general what controls are effective is well known. Implementing them isn’t always so easy. Perhaps instead we can pass the cost on to OS and application companies who saddle us with less secure defaults that are costly and complicated to change.

Shane February 28, 2024 11:32 AM

Why don’t we simply advocate for insurance companies to adjust their rates instead of advocating for the creation of a new tax-to-industry pipeline which will inevitably be abused?

Wannabe techguy February 28, 2024 12:15 PM

Great comments here so far. The taxpayers should NOT have to “backstop” these companies. The pharma and insurance companies make piles of money, let them fight it out.
My limited understanding is that most (all?) attacks are because of lax security whoever is doing the attacking.
But of course, we know that it will never happen. The taxpayers will get stuck again.

frank February 28, 2024 1:34 PM

As a USA citizen, we are the ones who facilitate corporate subsidies, commonly referred to as corporate welfare. It is essential that these subsidies include a stipulation: a designated portion, approximately 20%, should be specifically earmarked for addressing corporate cyber litigation and implementing remedial actions.

echo February 28, 2024 2:58 PM

(US) Capitalism requires all things must generate profit

And:

Implementing them isn’t always so easy. Perhaps instead we can pass the cost on to OS and application companies who saddle us with less secure defaults that are costly and complicated to change.

Basically this.

Stop having an economy based on BS and building junk which is then ripped down and replaced with more junk ad infinitum. It’s “good” for the economy if your only criteria is GDP. It’s also very resource wasteful both in terms of quality of people’s lives but also natural resources and energy.

There’s many instances of passed on cost ending up costing ten times or one hundred times more. Sometimes thousands. In a personal context me being lazy likes to get it right first time than spend days, weeks, or months mopping up.

It’s all fixable. Security develops in partnership with the other measures of a post purely GDP world.

Winter February 28, 2024 3:58 PM

(US) Capitalism requires all things must generate profit

Economics is the branch of knowledge concerned with the production, consumption, and transfer of wealth.

Where wealth is meant as giving people what they need (and want). As Adam Smith wrote about the Wealth of Nations.

The idea of Liberalism (in the Economist sense) was that the Wealth of the Nation would be best served by letting everyone try to do their best for themselves and reap the fruits of their labor and ingenuity. [1] That was the original idea of Capitalism: That everybody can own the means to make a living and reap the fruits of their labor.

But it was clear even to Adam Smith that the “owners” of businesses would collude to take all of the cake and leave nothing for the rest. Which has basically been achieved in the US. It has been done by first making the population the Big Myth [2] about the Free Market that is not so free without a big government. Without a government to keep the market free, the economy was divided between the oligarchs. The top 1% owns 30% of wealth, the top 10% a total of 65% wealth. Half the US population together owns less than 3% of wealth.[3]

[1] Americans and many other people do not know that prior to Capitalism, or Liberalism as it was called then, most people were not allowed to own land, my old, or factories and were most certainly not allowed to reap the fruits of their labor and ingenuity.

[2] The Big Myth: How American Business Taught Us to Loathe Government and Love the Free Market By Naomi Oreskes, Erik M. Conway
https://www.goodreads.com/book/show/57693264-the-big-myth

In the early 20th century, business elites, trade associations, wealthy powerbrokers, and media allies set out to build a new American orthodoxy: down with “big government” and up with unfettered markets. With startling archival evidence, Oreskes and Conway document campaigns to rewrite textbooks, combat unions, and defend child labor. They detail the ploys that turned hardline economists Friedrich von Hayek and Milton Friedman into household names; recount the libertarian roots of the Little House on the Prairie books; and tune into the General Electric-sponsored TV show that beamed free-market doctrine to millions and launched Ronald Reagan’s political career.

[3] https://www.statista.com/statistics/203961/wealth-distribution-for-the-us/

Chris February 28, 2024 5:20 PM

If these black-hat hacker groups are in fact state-sponsored, which it seems they are, why not prove complicity of the backing governments and seize their foreign assets to pay for the damage?

Aside from the fact that this could require a long, complicated trial, it would serve as a deterrent. (Although, it might not deter anything, and rather push NATO and the Moscow/Beijing/Tehran axis closer to WWIII.)

There’s a very close analogy with Privateers, who were commissioned by various European powers to raid each others’ merchant ships starting in the 16th century. This was later regarded as a property crime, presumably subject to civil litigation.

See https://en.wikipedia.org/wiki/Privateer#Computer_hackers
https://www.usni.org/magazines/proceedings/2020/april/us-privateering-legal

TimH February 28, 2024 6:26 PM

@Chris: “If these black-hat hacker groups are in fact state-sponsored…”

  1. False flag is easy
  2. All countries do it, sometimes domestically, so attribution becomes political

JonKnowsNothing February 28, 2024 9:26 PM

@All

Insurance is a form of gambling. It is not a savings plan.

You bet on a particular type of outcome and the Insurance Company takes the other side of the bet. It doesn’t matter what sort of insurance it is, car, house, computer hacking, it is a form of betting.

The House Odds are set to favor the Insurance Company. There are several forms of Life Insurance but they are bets. The gamble is:

  • you bet you will die before a designated time (80yrs)

If you die before 80yrs and there are no other problems (like suicide) your survivors get some money. You pay a monthly premium that adds up over the lifetime of the policy that provides these funds IF you die. If you do not die at the right time, the Insurance Company pockets the entire amount.

What you will not find in any insurance policy, private or government, is a full compensation and restoration of an object of the bet.

  • If your house burns down, you get some funds but you will not get a new house, nor will the insurance company re-build one for you. The government will not restore your home or replace the damaged parts.

You get a payoff but you do not get a functional replacement.

What is being proposed is another bet. The gamble is that you will be hacked and if you are hacked you will get some funds. These funds will not repair the damage, recover the business, pay the employees, restore the business to a functioning entity.

Most businesses that experience a catastrophic failure go out of business. A flood knocks out Main Street, the old businesses do not return. A fire in a shopping district will directly damage some buildings and businesses but also damages adjacent ones. Most of these will go out of business too.

So, what is really the point of the Gamble on Hacking is a way to wind-down the company, in a way that retains as much Profit as possible in the upper hierarchy and limits the normal wind down wealth transfer to 2d, 3d, 4th debt holders.

Severely damaged companies require much more capital to repair than what will be returned from an insurance gamble. It’s much easier to start over and rebuild. There are loads of businesses that collapse, most are little known, some are very well known. Duration of business existence is not a protection.

The sticky part is that the payout is proposed to come from people Not At All Involved in the business. We are not stakeholders in any respect. It is not a pure gamble like Life Insurance because the payout is not paid by corporate premiums (ante up) but by government fiat payments taken from the population.

Consider

  • A $billion corporation gets hacked. All their data files are encrypted. Their hardware and software is compromised. Their products are in questionable condition.

The true cost of rebuilding this corporation is more than $billion. So how much is the gamble worth?

If the company does not pay premiums such that they receive $Billion as a payout, and the bulk of the payout does not come from paid in premiums, then they will still go out of business as they do not have enough capital to recover but they also take everyone on the fiat contribution list with them.

  • C’est un feu de paille

bl5q sw5N February 28, 2024 9:52 PM

@ JonKnowsNothing

(US) Capitalism requires all things must generate profit

An at least implicit distinction is being made between capitalism and non-capitalism or modified capitalism of some kind.

The more fundamental distinction is between property system and debt system.

For the best chance at economic freedom and prosperity, enterprise needs to be based on property ownership.

Basing enterprise on debt is anti-economic and even anti-human because debt insists on payment even if the enterprise fails. This is unreal and hence unreasonable because in the course of things some ventures succeed and others fail. The only just way to deal with this is for all in the venture to share risks as well as profits. In this context insurance plays a simple and natural role.

Government has no specific economic role. Its role in economics is simply its general primary role i.e. justice. Make sure there is no theft.

Winter February 28, 2024 11:08 PM

@bl5q sw5N

The only just way to deal with this is for all in the venture to share risks as well as profits. In this context insurance plays a simple and natural role.

“This” failure of enterprises is dealt with in bankruptcy laws. The whole idea of legal corporations and trusts is about distributing the damage of failures between the owners of the enterprises and the creditors. Insurance is a way to hedge the risks of failure.

Basing enterprise on debt is anti-economic and even anti-human because debt insists on payment even if the enterprise fails.

Debt is very human. A recent book about “debt” is even called “Debt: The First 5000 Years” (by David Graeber). The whole system of fiat money is based on debt.

bl5q sw5N February 29, 2024 1:15 AM

@ Winter

bankruptcy

Just another form of insisting on payment of debt after a failure. Property values are arbitrarily destroyed. A completely ramshackle kludge compared to the principled solution.

If all goes well, everyone is happy to share in the gains. But strangely if all goes badly, some people are not happy to share the losses. So much for equity.

All this is analogous to the theft involved in usury.

Winter February 29, 2024 2:00 AM

@ bl5q sw5N

Re: bankruptcy

Just another form of insisting on payment of debt after a failure.

Bankruptcy replaces debt servitude (slavery) and debtor’s prison.

That is, bankruptcy replaces loss of freedom for money.

JonKnowsNothing February 29, 2024 12:19 PM

@ bl5q sw5N, @Winter, ALL

re: Bankruptcy Debt

The purpose of borrowing is to raise Capital, generally for a project of some sort. Buying a house, starting a business or expanding a business.

There is nothing wrong with this model and it’s built into Capitalist and other Economic Models because a single person is not likely to have all the Capital needed in their pockets. This applies to ordinary people as well as people with extraordinary wealth. The difference between them is the scope of the project.

  • An ordinary person might want to buy an e-bike for $5,000
  • A SAltman wants to sell OpenAI for $7,000,000,000,000 [$7Trill]

In both cases at least one end of the transaction will look to borrow funds.

Lenders may supply Capital provided they receive assurances that the purpose has a substantial chance of success, there is ample fall-back Capital and they can earn PROFIT at the standard Rate of Interest for the project and time period.

Money is not Free, it does not grow on Trees, and you have to Pay for it one way or another. With your allotment-of-life-time (70yrs) spent working or trading off for other items you have accumulated like car, house, or that e-bike.

Bankruptcy Laws vary in USA from State to State, but generally they have the same goal.

  • If an enterprise fails to produce PROFIT and no longer has CAPITAL to remain solvent, how shall the residual value of the enterprise be distributed?

Of important note:

  • Businesses do not fail because they do not generate PROFIT, they fail because they do not have CAPITAL.

The rules of distribution are both complex and straightforward. Lenders get first call on residual value. Lender hierarchy are banks, bond holders of different classes. Vendors or Suppliers fall below Lenders. There is a mixture here between unpaid wages, unpaid goods already delivered, contracted goods not yet delivered and other folks expecting their invoice to be paid.

Bankruptcy is a normal part of the Business Cycle and is often beyond the control of the enterprise.

  • If you invested in making surf boards for sale in the Sahara Desert that might be a bad project and you could go bankrupt.
  • If you invested in making surf boards for sale in the Sahara Desert that included a solar sail, e-engine system, mounted on gimbal sand-wheels you might make many times the amount borrowed.

There is nothing wrong with Debt, and Bankruptcy is the method of distributing the Remains.

What the Mega-Corporations want with this Faux Insurance Model, is a method to raise Capital when their project unwinds and is no longer viable. They have already used all their Leverage (off-sets to debt) so they cannot raise additional Capital in the Open Market. With this model they can raise huge amounts of Capital at nearly no cost to themselves. The financing is done by those who gain zero benefit from the exchange (No Profit), and who have no control over how the Capital is distributed, where, when, how and to whom.

In straight up Capitalist Economics this is a poor structure, more common to Non-Capitalist Economic Models.

bl5q sw5N February 29, 2024 5:31 PM

@ JonKnowsNothing

There is nothing wrong with this model

Debt in the sense of “owed, must pay no matter what” is anti-natural and intrinsically involves theft. There is no rational way to rescue the notion.

Actually, all fixed obligations are really similarly fraudulent at base. There is no future fixed reality that can be guaranteed, so any contract involving forever fixed obligation is behind its perhaps brilliant disguise the demand of the highwayman behind their mask.

This idea of the validity of any contract no matter if unnatural, i.e. the absolute letter of the contract, came about at the time of the Protestant reformation, displacing the notion of equity, and is what is really being treated (under censor avoiding mise-en-scène) in Shakespeare’s play Merchant of Venice.

As you say credit is a great good in enterprise. But the relation between creditor and the entrepreneur has to be structured justly. This involves at least everyone sharing appropriately in the risks as well as the reward. Many other goods follow as a consequence.

JonKnowsNothing March 1, 2024 12:12 AM

@bl5q sw5N, All

re: Un-natural Debt

Un-natural debt, such as outright slavery, share cropping, bondage, indenture-ship, etc. normally involves a coercive exchange between a Lender (aka Loan Shark) and the Debtor (aka Indebted Person) and falls into various legal categories depending on country.

  • Many Arab states routinely outright enslave workers in their country.
  • The USA has many historical forms of debt slavery; some of these forms still exist.

This is a substantial legal problem that extends far beyond normal forms of debt and repayment.

Bankruptcy rules are laws. As laws they are written and modified by persons with power and authority to modify those laws. There are lots of loopholes and there are lots of civil rights issues involved in Default of Repayment.

Under normal business rules, the assets, cash, machinery etc. are sold and the proceeds are used to pay the debts of the business according to the laws in that location. (1) There are some people who never get paid because the assets are distributed to those who have, by law, a higher claim.

In the USA, a tax-bone is thrown to those who get nothing with an option to “write off the un-collectible debt” on their tax returns. The loophole gets closed over the period of time needed to exhaust the un-collectible debt and the amount that can be claimed per year plus the application of thresholds and ceilings for using the tax-bone.

It may be the type of debt you are referring to are the ones that have No Bankruptcy Protection. In the USA this is medical debt, student debt and other specific consumer debt contracts.

Under normal bankruptcy rules, once all the assets have been distributed, the debtor is cleared of all existing debts. They don’t owe any more money but they may carry a stigma of being “A Bankrupt”. (2) In this other form of debt, it amounts to a lifetime of debt servitude because of several factors enacted by laws.

  • Bankruptcy process does not clear the debt. Debts to the Federal Government, such as Federal Guaranteed Student Loans issued with (false) inadequate representation cannot be dissolved.
  • Debts that involve state and federal support, such as Medical Debt, cannot be dissolved for the same reason: the law forbids this debt to be discharged.
  • Debts involving criminal or other restitution programs, may never be cleared.

All of these are items delineated in the laws. Many of these laws are recent additions or alterations that block the courts from discharging the debt.

Debt collection, is a BIG Business, aka The Repo Man. The Repo Man makes a PROFIT on your misery. The more miserable you are, the fewer options you have, the more PROFIT the Repo Man makes.

The Repo Man, takes on many disguises. They can be bankers, lawyers, sales persons, real estate agents, universities, along with federal agencies. They know which loans can be forgiven under bankruptcy rules and which ones can never be discharged.

You can very well guess which ones you will be offered.

===

1) Under US civil laws, this is known as Asset Stripping. It’s done when an older person enters a care home because there is no one to look after them. Anything they own, is taken by the Federal, State, County (in USA the County has ultimate responsibility) and sold with the proceeds placed in an account “For the Benefit of” the person.

2) When the pool of Asset Stripped funds is exhausted paying the cost of the care home, the overseeing agent (~$500/hour), the person is evicted from that care home. It does not matter that there is no one to look after them or if they are sick, infirm or require special medical needs, they are evicted.

Sometimes a lower-standard care home is found, with emphasis on Lower Standard.

Sometimes the person is discharged To The Street.

Hospitals regularly discharge persons to the street, if they can be medically declared as not needing further hospitalization. It doesn’t matter if they can walk, talk, or act in a coherent manner.

anon March 1, 2024 12:33 AM

@Chris wrote:

“If these black-hat hacker groups are in fact state-sponsored, which it seems they are, why not prove complicity of the backing governments and seize their foreign assets to pay for the damage? …”

Because every other country on the planet, all 194 of them, would immediately seize every U.S. asset within their respective territories.

Clive Robinson March 1, 2024 3:15 AM

@ bl5q sw5N, JonKnowsNothing, ALL,

Re : Forever Debt.

“Debt in the sense of “owed, must pay no matter what” is anti-natural and intrinsically involves theft. There is no rational way to rescue the notion.”

Actually there is…

It’s the notion of “insurer of last resort” which is “society” as represented by the “government”.

The idea is that some risks cannot be foreseen such as natural disasters and “acts of society” such as Government policy, insurrection and war.

The problem were people like George Soros and his “Black Wednesday” behaviour in Sept 1992, that in effect “asset stripped” an entire nation. And sadly proved that the supposed “Free Market” is more powerful than the “Government”.

US Politicians especially of the GOP were both scared and beguiled by the idea. Fundamentally they believe that any assets held by a government in trust for society against uncertain times is theft from their backers pockets. It’s what the “small government” nonsense is all about, that is the individual rights of a very few to rape pillage and plunder “the people” that are society and a nations future.

Thus their solution unsurprisingly given it’s driven by rapacious stupidity was to remove step by step the National Security afforded by the assets held in trust for the protection of society against risk.

We know that this notion of assets held as insurance against unknown risk was recognised well over four thousand years ago. The likes of flood and locust could starve a nation. Thus the ruler built grain storage and required farmers etc to put in a percentage of their grain into storage rather than sell it all. Thus this would keep food supplies going and the farmers themselves protected against flood and locust etc.

Exactly the same is still in use in the bank system where banks have to put money into the national bank as both deposits and to purchase insurance.

This is actually not “unnatural”; nature via evolution has arrived at the 2/3rds or 67% rule where any process has storage along its process chain to allow for variability in the input.

It’s actually not 2/3rds or 67% but the “time constant” of the overall process. It’s based on the “percentage of a percentage” curve used for all manner of things such as “natural growth” and “half life” calculations we call “the exponential curve”.

The two points to remember are the approximate value of 2/3rds up the curve at one time interval and 99% at five time intervals (if you do a lot of such calculations remembering the values for the first five time periods allows easy piecewise linear interpolation that is as Australians say “Close enough for Government work”).

If you need it more accurately those five points are all that are required to work out the intermediate points as the curve stays the same at all points due to the “percentage of a percentage” formulation.

Robert the grate March 1, 2024 5:20 AM

You know how you can tell by the end of the first syllable when you’ve landed on a religious radio station? I get that same feeling from progressive stories about America. The facts aren’t incorrect, the problem is what they leave out. American history is not only exploitation and racism. A lot more happened, and there was a lot of exploitation and racism in the pre-capitalist era. This kind of narrative rarely leads to clear thinking or good ideas.

Parallel forestation March 1, 2024 6:07 PM

What if the NSA laundered the required data through the DHS or a Wyden staffer? It has already been collected and paid for, and this is surely a major national defence concern.

Robin March 22, 2024 4:59 AM

Part of the solution could be to use the Aviation model for investigation of incidents. The idea is generally to avoid assigning blame, but to investigate circumstances in such a way that a) you find out what happened and b) warn others how to not have this happen to them.

This way companies that have been hacked can get details out and have their experiences be used as a learning for other companies too.
