Earlier this year, America’s most famous investor, Warren Buffett, characterized cyberattacks as a bigger threat to humanity than nuclear weapons, calling them “the No. 1 problem with mankind.”
Buffett, who describes himself as a cyberthreats neophyte, was echoing the concerns of government officials and national security experts going back at least five years. The nation finds itself in a situation comparable to the Cuban missile crisis of 55 years ago, a 13-day confrontation between the United States and the Soviet Union over the deployment of Soviet ballistic missiles on America’s doorstep in Cuba, which followed American ballistic missile deployment in Italy and Turkey. This confrontation is often considered the closest the Cold War came to escalating into a full-scale nuclear war.
But the resolution of the crisis, involving a joint pullback by the two nuclear powers, laid the groundwork for the nuclear arms control and reduction treaties that have kept nuclear war at bay ever since. More than half a century later, we face comparable uncertainties in the global cyber-arena, and there is the same urgent need for de-escalation.
The similarities between cyber and nuclear weapons are painfully apparent: These attacks are capable of imposing catastrophic consequences on our critical national assets, with quick delivery times unimpeded by geographic boundaries. Conflicts between our nation and other countries, including Russia and North Korea, dominate the headlines. Our global landscape has become increasingly digitized, and this increased cyberconnectivity is changing the nature of the threats we face, posing serious implications for our national security.
In October, a report surfaced that hackers linked to North Korea targeted American electric utilities. The ability to impact national critical infrastructure, by either taking it offline or weaponizing it, constitutes a very real threat but with a significant difference from the Cuban missile crisis: The enemy is unknown and the path to resolution is unclear.
When it comes to traditional warfare, there is an understood set of norms — a code of conduct — between nation states. These norms give the system predictability, which leads to stability. In the cyberworld, the impacts are significant, but the code of conduct and the consequences for bad behavior haven’t been defined yet. The concept of “cyberattack” is not even clearly defined by the U.S. government, much less our potential enemies. And this lack of definitions and standards of conduct means that it is impossible to predict how a target will react or respond to a cyberattack.
This summer, we learned that the notion of a cyberattack against nuclear infrastructure within the U.S. is truly a practical reality. According to the New York Times, since May 2017, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the U.S. and other countries. Among the companies impacted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan. Further reporting revealed that the U.S. government believed that the Russians were behind this and other attacks.