WASHINGTON — Earlier this year, America’s most famous investor, Warren Buffett, characterized cyber attacks as a bigger threat to humanity than nuclear weapons, calling them “the No. 1 problem with mankind.”
Buffett, who describes himself as a cyber-threats neophyte, was echoing the concerns of government officials and national security experts going back at least five years. The nation finds itself in a situation comparable to the Cuban missile crisis of 55 years ago, a 13-day confrontation between the United States and the Soviet Union over the deployment of Soviet ballistic missiles on America’s doorstep in Cuba, which followed American ballistic missile deployment in Italy and Turkey. This confrontation is often considered the closest the Cold War came to escalating into a full-scale nuclear war.
But the resolution of the crisis, involving a joint pullback by the two nuclear powers, laid the groundwork for the nuclear arms control and reduction treaties that have kept nuclear war at bay ever since. More than half a century later, we face comparable uncertainties in the global cyber-arena, and there is the same urgent need for de-escalation.
The similarities between cyber and nuclear weapons are painfully apparent: These attacks are capable of imposing catastrophic consequences on our critical national assets, with quick delivery times unimpeded by geographic boundaries. Conflicts between our nation and other countries, including Russia and North Korea, dominate the headlines. Our global landscape has become increasingly digitized, and this increased cyber connectivity is changing the nature of the threats we face, posing serious implications for our national security.
In October, a report surfaced that hackers linked to North Korea targeted American electric utilities. The ability to impact national critical infrastructure, by either taking it offline or weaponizing it, constitutes a very real threat but with a significant difference from the Cuban missile crisis: The enemy is unknown and the path to resolution is unclear.
When it comes to traditional warfare, there is an understood set of norms — a code of conduct — between nation states. These norms give the system predictability, which leads to stability. In the cyber world, the impacts are significant, but the code of conduct and the consequences for bad behavior haven’t been defined yet. The concept of “cyber attack” is not even clearly defined by the U.S. government, much less our potential enemies. And this lack of definitions and standards of conduct means that it is impossible to predict how a target will react or respond to a cyber attack.
This summer, we learned that the notion of a cyber attack against nuclear infrastructure within the U.S. is truly a practical reality. According to the New York Times, since May 2017, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the U.S. and other countries. Among the companies impacted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan. Further reporting revealed that the U.S. government believed that the Russians were behind this and other attacks.
And this wasn’t the first instance of a cyber attack intentionally targeting some of the most sensitive facilities in the world. Stuxnet, a malicious computer worm that targets industrial computer systems and was first publicly identified in 2010, was responsible for causing substantial damage to Iran’s nuclear program. Although neither country admitted responsibility, the worm is frequently described as a jointly built American-Israeli cyber weapon. Stuxnet switched off safety devices, sabotaging centrifuges by making them spin out of control and destroy themselves. We’ve known for a decade that these potential consequences existed. In 2007, the Idaho National Laboratory conducted the Aurora experiment to demonstrate how a cyber attack could destroy physical components of the electric grid. The experiment used a computer program that rapidly opened and closed a diesel generator’s circuit breakers out of phase from the rest of the grid, causing them to explode.
The use and sophistication of these exploits are on the rise, and our physical national assets are not all that is being held at risk. The country is continuing to deal with credible allegations that our electoral and news media platforms were manipulated in the last election. Allowing for the obvious differences between cyber weapons and nuclear bombs, it’s not a stretch to say we are now heading toward a second Cuban missile crisis — of cyber warfare.
And it calls for the same determination and ingenuity that resolved the original one. Experts say the U.S. is well-positioned to lead an effort toward an enforceable treaty that establishes norms on the use of cyber weapons. Until we take on that challenge, we are unsure as a nation which act will generate what response, and so we stand by as malicious cyber acts expand and escalate. Powerful nations continue to test their abilities to use and deploy new kinds of weapons, and conflict seems inevitable, if not already a reality. It is likely to end in a crisis that will demonstrate and define acceptable limits and unacceptable actions. In 1962, that limit was found when the arming of a tiny island in the Caribbean pushed us to the edge of a nuclear disaster. How will it be found in 2017?
Anthony J. Ferrante is head of cyber security and a senior managing director at FTI Consulting. He served as director for Cyber Incident Response at the U.S. National Security Council.