Cybersecurity

Americans now fear cyberattack more than nuclear attack

In an aerial view, fuel holding tanks are seen at Colonial Pipeline's Dorsey Junction Station on May 13, 2021 in Woodbine, Maryland.

Americans now see cyberattack as the greatest threat facing the country, two recent polls show, suggesting that cyber fears have outflanked concern over climate change, immigration, terrorism or nuclear weapons. 

The national obsession with computer-on-computer attack, documented in a 2023 Gallup poll and a 2022 Pew Research survey, comes at a time when cyberattack seems to be everywhere and nowhere. 

Most Americans would be hard-pressed to name a recent act of cyberterrorism that claimed American lives or plunged the nation into economic chaos. Yet, the daily news cycle brims with accounts of rising cyber tensions. More than any past cyberattack, perhaps, Americans fear the attack that is yet to come. 

“We know all the terrorist groups are recruiting young computer specialists,” said Scott White, associate professor and director of the cybersecurity program at the George Washington University. “It’s no longer bombs. It’s, Can you launch a cyberattack from a safe-haven country against the United States?” 

In the Gallup poll, published last month, 84 percent of respondents rated cyberterrorism as a critical threat, ranking it above 10 other fears, including international terrorism, global warming, the conflict between Russia and Ukraine and Iran’s nuclear program.  

In the Pew survey, published last June, 71 percent of Americans rated “cyberattacks from other countries” as a major threat, ranking them above China’s or Russia’s power and influence, global warming and infectious disease. (Unlike Gallup, the Pew report did not specifically reference nuclear threats.) 

Fear of cyberattack cuts across party lines, which partly explains its standing as the nation’s topmost fear.  

In the Gallup poll, Republicans were slightly more likely to rate Iran’s nuclear program as a critical threat than cyberterrorism. Democrats were less worried about Iran, and more worried about global warming. Yet, respondents from both parties registered equal distress over cyberterrorism. 

“It is a new thing. People are afraid of technology, particularly when they don’t understand it,” said James Lewis, a senior vice president of the Center for Strategic and International Studies.  

Lewis joked, “I wish Gallup would do a poll on how many people think ‘Terminator’ was a documentary.”  

Some experts, Lewis included, sense that the national fear of cyberwarfare is overblown. He puts long odds on a military cyberattack against the United States by one of its enemies.  

“The Russians or the Chinese aren’t going to do a cyberattack unless they think war is imminent,” he said.  

“There are some pretty easy metrics here. Has anyone ever died? No. Has there ever been any economic or social disruption? No.” 

Compromising a single government website or paralyzing the network of a single power company is one matter, cyber experts say: Bringing down America’s computer networks altogether is quite another.  

The fundamental decentralization of the internet makes it a tricky target for cyberattack, said Jason Blessing, a Jeane Kirkpatrick Visiting Research Fellow at the American Enterprise Institute. 

“It has micro-vulnerabilities, but it’s near-impossible to bring down the entire thing,” he said.  

But acts of targeted cyberterrorism and cybercrime are well-documented. Some incidents suggest links to state-sponsored terror groups or even government agencies, but blame can be hard to affix. 

In 2021, cybercriminals extorted millions of dollars from Colonial Pipeline after jamming the company’s computer networks with “ransomware,” software that functions as a virtual kidnapper. The company preemptively shut off the gas pipeline, which stretches from New Jersey to Texas, triggering a miniature fuel crisis, complete with panic-buying and inflated prices. 

Cybersecurity experts cite several other acts of cyber-terror and cybercrime, some of them largely forgotten by the broader public. 

In 2020, U.S. officials alleged a Russian breach of computer networks for the Justice and State departments, NASA and numerous Fortune 500 companies, via compromised software. The so-called SolarWinds hack went undetected for months. 

In 2013, Iranian hackers attempted to take control of the Bowman Dam, outside New York, according to federal prosecutors, part of a broader cyberterrorism campaign that breached dozens of U.S. financial institutions over many months.  

The government of Georgia accused Russia of coordinating a series of computer-network attacks before and during the 2008 conflict between the two nations. Russia denied involvement. The cyberattacks disabled many government websites.   

Russia’s 2022 invasion of Ukraine brought “an onslaught of Russian cyberattacks” targeting the nation’s power grid and government sites, according to an NPR report. Ukraine has mostly fought them off.  

“And so, it’s not exactly idle speculation that these things are happening,” said Richard DeMillo, a professor at Georgia Tech’s School of Cybersecurity and Privacy.  

DeMillo doesn’t buy into the theory that no one has died in a cyberattack. He cites the surge in ransomware attacks on medical centers during the COVID-19 pandemic, with hackers seizing hospital networks and demanding money to unlock them.  

“And deaths have been attributed to those attacks,” he said, because of delayed care. 

DeMillo said individual cybercrimes are part of a vast universe of cyberattacks and cyberespionage, involving both criminal enterprises and government agencies. 

“In total, Iran, North Korea, China and Russia are spending a trillion dollars establishing the kind of reconnaissance necessary to mount these attacks,” he said. “The return on that has to be in the multiple trillions of dollars.” 

DeMillo cites Russia’s Internet Research Agency, which a ProPublica report describes as “a network of paid trolls” that, among other projects, allegedly attempted to influence the outcome of the 2016 election. 

Russian electoral meddling “wasn’t a hoax,” said Lewis of CSIS. “The Russians tried. But it had zero effect.” 

The ultimate fear, to some Americans, is that cyberterrorists will one day trigger a meltdown in a nuclear power plant or open the gates of a dam. 

“If I could control the Hoover Dam from a computer in Iran and, all of a sudden, at 3 o’clock in the morning, I could open up the dam and empty out all the water, how many thousands of people could I kill?” said White of GWU. “That’s terrorism.” 

Thankfully, that scenario remains unlikely. 

“Someone still has to flip an actual switch, or turn a crank,” he said. “That’s our buffer. We don’t have absolute connectivity from the software to the hardware. But, eventually, that’s going to go.” 

President Joe Biden has made cybersecurity central to the National Security Strategy. An update last fall includes sections on “securing cyberspace” and fending off ransomware attacks on regular citizens as well as cyberattacks on health systems, financial institutions and critical infrastructure.  

“This administration has done more than any previous administration to improve cybersecurity,” Lewis said. “There are key targets we need to make sure are hardened. The electrical companies that supply Washington. You don’t want the power going out in a crisis. [But] overall, we’re a lot less vulnerable than we were a few years ago.” 

And, of course, the world faces many perils beyond cyberattack. One is nuclear war. Nuclear fears surged in the weeks after the Russian invasion of Ukraine in February 2022.  

More than a year later, the nuclear threat seems greater than ever. The Doomsday Clock, a symbol of humanity’s proximity to extinction, stands at 90 seconds to midnight, signifying a moment of unprecedented danger. 

Peter Kuznick, a history professor and director of the Nuclear Studies Institute at American University, believes “the danger of nuclear war is probably greater” now than at the invasion’s start. 

But the nuclear threat, Kuznick said, is “something that people don’t want to think about.”