Enhancing Cyber-Nuclear Security
Strengthening Global Energy, Food, and Health Systems
An FP Analytics synthesis report
FP Simulations convene experts and leaders to participate in scenario-based, interactive programs which foster discourse and seek to address the challenges of diplomacy and crisis management, with the same focus and creativity that traditionally have been devoted to war games. On October 21, 2022, FP Analytics partnered with the International Strategy Forum (ISF), a program of Schmidt Futures, to hold an in-person simulation focused on a hypothetical scenario that unfolded in the European region and tackled complex challenges related to cyber and nuclear security, public health, and food security. Bringing together International Strategy Forum Fellows, participants were assigned roles as various stakeholders and compelled to think creatively about how to manage unfolding risks, mitigate humanitarian impacts, and safeguard critical infrastructure against evolving high-tech threats. Amid rising cyberattacks on critical infrastructure from state and non-state actors globally, the simulation prompted proactive thinking about emerging risks and the governance frameworks and multistakeholder partnerships needed to address them. Key findings included:
- Comprehensive and coordinated public messaging by reliable actors, such as the WHO, will be needed to manage the crisis and combat mis- and dis-information campaigns
- Rapid and coordinated humanitarian cross-border response will be vital to stemming immediate fallout from such a crisis, with entities such as NATO positioned to play a key role in supply delivery
- Drawing on lessons from the pandemic, pop-up radiation testing sites and coordination of healthcare workers would be needed to mobilize medical assistance and rapidly deploy health care personnel on the ground
- Public-private sector partnerships – including between governments and major technology companies – as well as cooperation with the IAEA will be vital to establish stricter protocols for inspections, compliance with minimum standards of cyber defense, and online safety at nuclear facilities
- There is a need to identify gaps and inconsistencies in national, regional, and global governance and private-sector capacity which could hinder a coordinated, rapid response should such an event occur
- Concerns around artificial intelligence and whether it poses an increased threat to global nuclear and cybersecurity necessitate greater country and cross-sectoral cooperation to implement technology-informed policy
Based on detailed research and drawing on relevant data, the hypothetical scenario incorporated a range of complex risks and realistic threats posed by emerging technologies to cybersecurity, energy security, and emergency preparedness. During the COVID-19 pandemic, cyberattacks increased exponentially, with over 623 million ransomware attacks occurring globally in 2021. Recognizing these escalatory trends, the simulation focused on intensifying transnational humanitarian, socio-economic, and security challenges following a fictional cyberattack on critical infrastructure in Europe. Set against the backdrop of the COVID-19 pandemic, the ongoing war in Ukraine, widening socio-economic inequality, democratic decline, and the worsening global energy crisis, participants were challenged in their assigned roles to collaborate with allies and partners. In teams, participants sought to address key cross-border governance questions and work toward a cooperative framework to manage an immediate crisis and stem the cascading effects.
Participants in the October simulation included representatives from government agencies and international organizations, experts in technology, cyber and nuclear security, and members of civil society. The participants were each assigned a role to ‘play’ or take on for the purposes of the simulation and were paired with a teammate. The participants were intentionally assigned roles that were distinct from their actual, professional roles in order to challenge the participants to evaluate the simulation and their actions from a new perspective. The roles for the simulation included the European Commission (EC), the Government of France, the Global Public Health Coalition, the Humanitarian Aid and Civil Society Coalition, the International Atomic Energy Agency (IAEA), the Private-Sector Technology and Cyber Coalition, and the United States Government. These roles were identified based on their regional and global relevance, influence, and capacity to address the hypothetical crisis, protect critical infrastructure, and strengthen preparedness. Throughout the simulation, an invited expert from a leading nuclear threat response organization provided insights and feedback to help guide participants to think through and reflect on their decision-making.
Scene Setter: Cyber Nuclear Security and Public Health
The scene begins with a group of unidentified hackers targeting a nuclear power plant in Northern France, gaining access to the plant’s operations using AI-powered tools and technology. Occurring against the backdrop of the ongoing energy crisis in Europe, this disruption exacerbates an already volatile energy security landscape and threatens global supply chains.
Move 1: A Radiological Release Impacts a Vital Waterway
One week after the cyberattack, the group of hackers gains control of the power plant, steals sensitive data, and remotely triggers the release of large quantities of radioactive materials into a critical waterway which provides drinking water, supports the region’s agriculture and energy sectors, and serves as a vital transportation path. Simultaneously, a disinformation campaign is launched and spread by AI-powered botnets, which alleges that Russian President Vladimir Putin orchestrated the crisis, heightening public panic.
Following the scene-setter and initial move, participants offered several strategies to combat the crisis. For example, participants assigned to impersonate the role of France responded by collaborating with teams representing Belgium, Germany, and the European Commission to contain the radiological emergency. As nuclear energy capacity expands globally, and new technologies are introduced, cyber threats to critical infrastructure have become an increasing concern. Participants assigned to the IAEA role facilitated a partnership with the team representing France —adhering to the Convention on the Assistance in Case of a Nuclear Accident or Radiological Emergency (1986)—and committed to conducting regional, technology, and cybersecurity risk assessments. In doing so, both teams focused on protecting critical infrastructure to ensure that hackers could not inflict any additional harm.
Alongside escalating cyber risks, the COVID-19 pandemic has exacerbated existing socioeconomic inequalities and supply chain vulnerabilities throughout the world, and thereby magnified the need for humanitarian assistance. For instance, the number of people worldwide experiencing food insecurity doubled from 135 million people before the pandemic to 276 million people. Considering this, the Humanitarian Aid and Civil Society Coalition stressed the importance of balancing existing humanitarian commitments while providing aid to those exposed to radioactive materials following the nuclear attack. In role playing, various teams offered to work closely with humanitarian organizations to provide expertise, supply funding, establish evacuation zones, and contribute to daily radiation reports to the European community. Additionally, the team representing the Global Public Health Coalition emphasized the importance of water and food testing, while underscoring the public health risks and the need for robust health infrastructure to respond to the radiological contamination effectively and rapidly.
Teams also called for a comprehensive and coordinated public messaging approach to combat the mis- and disinformation campaign stemming from the cyberattack. This was especially timely, as research suggests that false stories reach people six times more quickly than factual stories, and mis-and disinformation costs the global economy $78 million annually. The spread of the COVID-19 virus, in addition to revealing insufficient pre-pandemic levels of preparedness, unveiled an uncoordinated and often contradictory communication campaign that fostered confusion among the general public. Recalling these recent developments, teams representing the United States and the Private-Sector Cyber and Technology Coalition sought to identify false messaging, reduce the spread of misinformation on social media platforms, and quell public panic. Meanwhile, the team representing the Organization for Security and Cooperation in Europe (OSCE) offered to host a forum to encourage open dialogue between countries on public messaging, data and intelligence sharing, and the strengthening of critical infrastructure cybersecurity.
The expert commentator urged participants to view the regional crisis as an international problem that requires a coordinated, global response. The panel underscored the need for a communication strategy to provide the public with key information on the humanitarian and environmental risks and, in turn, what actions to take. To mitigate mass public panic, the expert commentator noted the importance of verifying the source of the cyberattack, regardless of what the hackers alleged.
Move 2: Health Systems Collapse
The second move of the simulation focused on the resultant health care crisis, food insecurity, and public distrust. One month after the radiological release, radioactive materials spread through the critical waterway, halting trade, navigation, and economic activity. Health care workers call for international assistance as hospitals face severe staff shortages, and medical stockpiles deplete due to the mass influx of patients needing treatment for radiation sickness. Meanwhile, the hackers launch another disinformation campaign, and protests erupt in Belgium as public panic spreads.
Following the second move, participants established solutions to alleviate the burden on public health systems following the radiological release. Straining public health infrastructure significantly, the COVID-19 pandemic has led to ongoing challenges, including the depletion of medical resources, delays in patient care, staff shortages due to high turnover and burnout rates, rising need for mental health and behavioral care, and increased healthcare disparities. To address the worsening health crisis—and the growing global shortage of medical practitioners with radiation biology and medical expertise—the teams representing the Global Public Health Coalition and the European Commission partnered to increase the number of healthcare workers in regions impacted by the radiological release. Relatedly, teams discussed strategies to address the mental health needs of medical practitioners to combat the rising shortage of healthcare workers globally: there is expected to be a supply gap of more than 15 million health workers by 2030. Drawing on lessons learned from the pandemic, particularly involving the importance of accurate and rapid testing, participants highlighted the need for pop-up radiation testing sites to improve system capacity at hospitals and other medical facilities. Simultaneously, the team representing the Private Sector Cyber and Technology Coalition helped by collecting data to identify medical staffing and supply shortages and implement predictive modeling to reduce supply chain issues. To further support response efforts, the teams of France, Belgium, and Germany coordinated with one another to mobilize medical assistance and relief and deploy health care personnel on the ground.
In response to the food crisis, teams representing the Humanitarian Aid and Civil Society Coalition and Germany focused on the knock-on effects the crisis will have on global food supply chains. Noting the global food shortages exacerbated by the war in Ukraine, several teams highlighted the importance of utilizing the European Food Safety Program to ensure safe food consumption and ameliorate supply chain disruptions. To foster public trust, teams also highlighted the importance of coordinated information gathering from all governments, the IAEA, and the private sector to ensure that accurate public messaging is dispersed widely and rapidly across various platforms. Meanwhile, the team representing the OSCE focused on investigative measures to identify the perpetrators of the attack and how the global community should hold them accountable.
The expert commentator encouraged simulation participants to consider the World Health Organization (WHO) as a reliable source of both information and communication regarding public health responses and preparedness, radiological risks of the attack, and regional assistance in the form of medical expertise, personnel, and equipment. The expert also highlighted the role that the North Atlantic Treaty Organization (NATO) could play to mobilize coordinated response efforts and assistance to the regions impacted by the attack, including the transfer of food from food-secure regions to areas where contamination had occurred.
Move 3: An International Security Summit Is Convened
In the third move, set three months after the start of the health crisis, the radiological release spreads and contaminates soil and crops in the region. Amid health concerns, farmers destroy their harvests and livestock, thus impacting sub-regional agricultural production and driving up food prices. Governments and companies then pilot AI-enabled platforms to improve contact tracing and public health monitoring. However, civil society groups raise privacy and civil liberty concerns. The move concludes with the convening of an International Security Summit.
In the final move, simulation participants worked toward identifying long-term solutions to strengthen critical infrastructure and crisis preparedness. As the international community has yet to establish comprehensive legal frameworks governing cyberspace, AI, and other related sectors, all teams emphasized the need for international regulations and updated standards to foster greater transparency, strengthen security, and prevent future cyberattacks globally. While frameworks such as the First Draft of the Recommendation on the Ethics of Artificial Intelligence (2021) are a step toward creating mechanisms for global governance of AI technologies, there are currently 528 publicly known and unregulated data collection/surveillance tech companies operating across 47 countries. Considering that a nuclear disaster impacting food systems could disrupt over $49 billion worth of trade between the EU and the U.S., the economic fallout of a crisis such as the one described in the simulation could be immense. Recognizing the magnitude and complexity of these implications, teams in the simulation highlighted the importance of public-private sector partnerships and cooperation with the IAEA to establish stricter protocols for inspections, compliance with the minimum standards of cyber defense, and online safety at nuclear facilities.
Teams also emphasized the need for a new independent body to manage international responses to complex cross-border disasters. For instance, participants noted that while several international and national organizations are competent in crisis management and relief, collective coordination is needed across these organizations—in both developed and developing countries—to provide continuity in global response efforts amidst compounding crises. To ensure that resources are not diverted from those in need during existing crises, participants underscored the importance of establishing a process to review, prioritize, and allocate aid in numerous contexts simultaneously.
To close the simulation, the expert underscored the need for participants to focus on responding to and mitigating the immediate crisis. In the long-term, the expert highlighted the need for participants to further investigate and identify gaps or inconsistencies in national, regional, and global governance and private-sector capacity, which could hinder a coordinated, rapid, and effective response in the event of an actual cyber-nuclear disaster.
Enhancing Cyber Nuclear Security: An FP Virtual Dialogue
The FP-International Strategy Forum Simulation grappled with pressing cyber risks and incidents of hybrid warfare manifesting around the world. Russia’s recent seizure of the Zaporizhzhia nuclear plant provided a clear example of such risks. The attack dramatically raised the stakes of the war in Ukraine, along with concerns over the vulnerabilities of nuclear facilities and the ability to defend critical infrastructure. The incident is part of a growing trend of nation-state attacks on critical infrastructure. Cyberattacks have escalated sharply over the last year, the vast majority of which were attributed to Russia, with other countries, including Iran, North Korea, and China, increasingly targeting financial services, transportation systems, and communications infrastructure.
Against this backdrop, on March 22, 2023, FP hosted the virtual dialogue Enhancing Cyber Nuclear Security, produced with support from ISF, which convened leading scientists, experts, and government officials to discuss how the nuclear risks in Ukraine, recent attacks on critical infrastructure, and scenario planning can inform policy, investment plans, and partnerships to strengthen international security going forward.
Kickstarting the dialogue, panelists highlighted the need for international cooperation to prevent and respond to cyberattacks. As Brandon Wales, the executive director of the Cybersecurity and Infrastructure Security Agency (CISA) noted, “We view our international partnerships with friends and allies around the world as really a key aspect of our cybersecurity here at home… And it’s something that we take very seriously in trying to build this community to be stronger, to make sure that no matter what our adversaries throw at us, we’ll be able to handle it.” As other panelists observed, facilitating international cooperation in the cyberspace is a significant challenge. Dr. Alina Polyakova, the president and CEO of the Center for European and Policy Analysis (CEPA), emphasized that nations and close allies often disagree with one another regarding issues such as the urgency of cyber threats, cybersecurity strategies, and cyber threat attribution. For instance, Dr. Polyakova noted that the Cyber Resilience Act, proposed by the European Commission, “does not necessarily go hand-in-hand” with the Biden Administration’s newly released National Cybersecurity Strategy. Dr. Page Stoutland, consultant for scientific and technical affairs at the Nuclear Threat Initiative (NTI), underscored the need for international cooperation to strengthen nuclear security, as exemplified in the Cyber Nuclear Forum. By creating a community of cyber-nuclear leaders from across the world, Dr. Stoutland added, experiences and best-practices can be exchanged to address existing vulnerabilities and threats comprehensively.
Another key priority raised during the virtual dialogue was the facilitation of public-private partnerships to prevent and respond to cyberattacks. Specifically, panelists underscored the importance of government cooperation with major technology companies, internet service providers, cybersecurity vendors, and other organizations. As governments around the world often do not have access to the plethora of data that large companies do, security can be improved through close collaboration and information sharing to gain greater visibility of the cyber ecosystem, said Brandon Wales. According to Dr. Polyakova, “We’ve actually seen ways in which American companies have been very effective in working together with U.S. and European governments. In Ukraine, there’s been a really fantastic set of private-public partnerships there, so absolutely the private sector has to be at the table.”
Panelists also discussed concerns around artificial intelligence (AI) and whether it poses an increased threat to global nuclear and cyber security. Caroline Baylon, research affiliate at the University of Cambridge and leader of the All-Party Parliamentary Group for Future Generations with the UK Parliament, emphasized the instability of AI systems, identifying a number of ways in which they can be compromised. Relatedly, Dr. Stoutland noted, “We have made [AI] systems now more complex than we can effectively manage, which particularly for high consequence systems, whether that be a nuclear weapon, whether that be a nuclear facility or even the country’s financial systems, that’s an incredibly dangerous place to be.” Panelists underscored the challenges of cyber and nuclear security throughout the dialogue, touching on the associated risks of emerging technologies. Andrew Moore, Chief of Staff to Eric Schmidt, noted the complexities of global regulation as technology evolves at a rapid pace. Country and cross-sectoral cooperation to implement technology- informed policy, he added, will be critical in the years ahead. At the same time, Moore spoke of how AI shows promise in revolutionizing diplomacy. Highlighting how it can support the work of international relations and connect humanity, Moore discussed the ability of AI automated language-processing tools to overcome language barriers, reduce the need for professional interpreters, and shorten negotiation times.
Rapidly declining costs and expanded access to cyber tools have made nuclear facilities and other critical infrastructure increasingly vulnerable to cyberattacks from a range of actors. Large-scale cyberattacks targeting financial systems, communication networks, and transportation systems—such as the Colonial Pipeline ransomware attack—have underscored the need for stronger and more comprehensive cyber defense operations globally. Participants from both the crisis simulation and the virtual dialogue emphasized the need for greater preparedness and the salience of international cooperation and collective action, across governmental and non-governmental sectors, to ensure a more coordinated approach to detect and deter cyber criminals. Relatedly, taking steps to establish international policies and legal framework to regulate technology and cyberspace will be key to protect critical infrastructure and prevent the exfiltration of sensitive data. In light of emerging geopolitical and public health crises, facilitating continued dialogue and concerted action to safeguard digital networks will be vital to strengthening emergency preparedness and cross-border security going forward.
By Saskia Beréngère Brain, Policy Fellow, FP Analytics