COVID-19 is not “like a nuclear attack” but another kind of virus might be
A few weeks ago the Bulletin of the Atomic Scientists headlined an interview with novelist and academic Jeffery Lewis claiming it would explain “[h]ow the coronavirus outbreak is like a nuclear attack.” Indeed, Lewis insists the pandemic is, as he describes it, a “nuclear war in slow motion.” It isn’t, but as life under COVID-19 restrictions highlights the nation’s and, really, the world’s growing dependence on the web and associated cyber technologies, a virulent computer virus just might prove as dangerous as a nuclear war. Let’s unpack this a bit.
Context – COVID-19
As perilous as COVID-19 really is, even the grimmest forecasts of US deaths from it – 2.2 million at one point – never began to approach the horrific totals predicted for a nuclear attack.
Of course, assessing the lethality of something like COVID-19 about which much is yet to be learned is difficult, and the gyrating numbers the public has heard over the past weeks confirms that. Moreover, even gathering statistics is problematic. Zach Spilman noted on CAAFLog that:
Counting deaths assumes, of course, that there’s a reliable way to attribute a death to the coronavirus rather than some other cause. It’s intuitively obvious that not every person who dies with coronavirus dies from coronavirus.
Spilman then goes on to point out that the Centers for Disease Control (CDC) reports a death as a COVID-19 fatality even if coronavirus is just “a” cause that only “contributed” to the passing.
Still, as of this writing (April 18) the experts predict the number of COVID-19 deaths to reach about 60,308, which is around the upper end of the estimated number of deaths from seasonal flu for the 2019-2020 period. Clearly, seasonal flu is a very different illness from COVID-19 as there is no vaccine for this newest coronavirus and treatment options are limited, but the forecast does reflect the apparent efficacy of mitigating efforts like social-distancing, hand washing, and stay-at-home orders.
Before we look at what number of casualties might result from “a nuclear attack,” let’s see how COVID-19 compares with other causes of death in the U.S.. In an April 10 report CNN quoted Jeff Lancashire, a spokesperson for the National Center for Health Statistics, as saying:
“We have limited data on 2020 deaths by cause, and no final official numbers yet for 2019, but we do know by looking at the final death totals in 2018 for the two leading causes of death in the U.S., Heart Disease and Cancer, there is no way that at this point COVID-19 comes anywhere close to those totals,” Lancashire said in the email.
He noted that between January and April in 2018, more than 234,000 people in the United States died of heart disease and nearly 199,000 died of cancer.
Without diminishing the tragedy of the COVID-19 threat or, for that matter, that posed by other leading causes of death, let’s examine what we might expect from nuclear war.
Context – Nuclear War
Nuclear war would be a horror that’s virtually unimaginable. Last year the National Interest published an examination by Kyle Mizokami of Cold War era studies estimating the number of potential casualties in a nuclear war. It revealed that “an all-out U.S. attack on the Soviet Union, China and satellite countries in 1962 would have killed 335 million people within the first seventy-two hours.”
It also showed that “a Soviet attack against U.S. nuclear forces, other military targets, economic targets and population targets …could be estimated to kill between sixty and eighty-eight million Americans.”
Mizokami adds this important observation:
“As devastating as these projections are, all readily admit they don’t tell the entire story. While these three studies model the immediate effects of a nuclear attack, long-term problems might kill more people than the attack itself. The destruction of cities would deny the millions of injured, even those who might otherwise easily survive, even basic health care. What remains of government—in any country—would be hard pressed to maintain order in the face of dwindling food and energy supplies, a contaminated landscape, the spread of disease and masses of refugees. Over a twelve-month period, depending on the severity of the attack, total deaths attributable to the attacks could double.”
It seems clear a nuclear attack is several orders of magnitude more dangerous than the COVID-19 outbreak – even acknowledging as devastating as its effects have been on thousands of victims, and as disruptive it has been on our lifestyles and economy.
Could a cyber virus be as devastating as a nuclear attack?
Lots of smart people seem to think so. Although the new 7th edition of the National Security Law text went to print before the pandemic hit, it nevertheless points out that some experts consider that along with nuclear war, “a cyber attack on the U.S. electrical grid is one of the two greatest, immediate, existential threats to the nation.” Why? “The power grid is the one element of our critical infrastructure on which most of the others depend – including water, transportation, and communication.”
It isn’t hard to imagine the cascading and persisting effects a cyber virus could have if it disables the electrical grid for an extended period. Mizokami’s concerns about the deadly long-term problems a nuclear attack would produce actually mirror, in many respects, those of the experts who fear the results of a serous and widespread cyber-virus attack on the grid.
Journalist Ted Koppel, the author or the 2015 book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving The Aftermath, warns that a massive cyber attack on the nation’s electrical grid could have catastrophic results. Koppel says such a cyber-attack “would not initially claim as many lives a nuclear attack, but the impact would be ruinous.” Koppel foresees:
Maintaining public order will come down to manpower and become more difficult with each passing day, especially in urban areas where law enforcement will be overwhelmed.
There would be a huge hunger/thirst crisis; people would die from starvation, social breakdown, or disease. There will be a major loss of life. Only one in 10 would survive a year into a nationwide blackout.
Also in 2015, former director of the CIA James Woolsley was asked by a Congressional committee about the number of casualties that would result if the electrical grid was brought down for an extended period of time. Woolsey responded (emphasis added):
“It’s briefly dealt with in the commission report of . There are essentially two estimates on how many people would die from hunger, from starvation, from lack of water, and from social disruption. One estimate is that within a year or so, two-thirds of the United States population would die.
The other estimate is that within a year or so, 90% of the U.S. population would die. We’re talking about total devastation. We’re not talking about just a regular catastrophe.”
Just last summer Prof. Jeremy Straub acknowledged in an article that so far cyber-attacks “have done little more than steal data.” but warns that “there are signs that hackers have placed malicious software inside U.S. power and water systems, where it’s lying in wait, ready to be triggered.”
Prof. Straub says he’s “concerned that a cyberattack with widespread impact, an intrusion in one area that spreads to others or a combination of lots of smaller attacks, could cause significant damage, including mass injury and death rivaling the death toll of a nuclear weapon.” (Emphasis added.)
How would the casualties occur? Much like Koppel and Woolsey, Straub predicts:
Unlike a nuclear weapon, which would vaporize people within 100 feet and kill almost everyone within a half-mile, the death toll from most cyberattacks would be slower. People might die from a lack of food, power or gas for heat or from car crashes resulting from a corrupted traffic light system.
Rising cyber threats in the COVID-19 era
Could that happen here? Experts tell us that computer “[v]ruses and malware are constantly evolving, becoming more advanced and more dangerous by the second.” Even more troubling, last January a new report showed, without identifying which cyber–criminal groups or countries might be involved, “that at least three hacking groups have the ability to interfere with or take down power grids across America.” The results, it said, would be “catastrophic.”
With the onset of the pandemic, even more malevolent actors are trying to take advantage of the situation. Forbes says that “COVID-19 crisis has turned the U.S. workforce into a work-from-home army, giving new access points to malware, cyber viruses and phishing attacks,” In short, with “more people working from home, the attack surface for attackers has never been wider in the U.S.”
The evidence is mounting that hackers are exploiting this enlarged “attack surface.” The Hill says that “[c]yber threats to both the health care sector and average Americans have surged as hackers look to take advantage of the panic and chaos caused by the coronavirus crisis.”
It isn’t just criminals or even terrorists who are making this such a dangerous period for the U.S. ZDNet reports that “[s]tate-sponsored hackers are now using coronavirus lures to infect their targets.” It explains that:
“Government-backed hacking groups from China, North Korea, and Russia are not letting a global pandemic go to waste and have begun using coronavirus-based phishing lures as part of their efforts to infect victims with malware and gain access to their infrastructure.”
In mid-March, Matthew P. Donovan, who is performing the duties of the undersecretary of defense for personnel and readiness, included cyber perils in warning the Senate Armed Services Committer that today the “United States faces an array of threats from near-peer competitors China and Russia that have not been seen since before the fall of the Berlin Wall.”
On April 8 the Department of Homeland Security noted that “the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations,” and issued an alert warning that COVID-19 was being exploited by malicious actors, both cyber criminals and what it called “advanced persistent threat (APT) groups.”
Time to double-down on cyber vigilance
Notwithstanding the pandemic, it’s rather obvious that threats posed by America’s adversaries have not diminished, but rather seem to be increasing, especially in the vitally important cyber realm. No doubt their calculations include the fact that COVID-19 has made the U.S. even more dependent on web-based communications and other cyber capabilities, thus resulting in what they could perceive as greater vulnerability.
Crooks may see this as simply an opportunity for profit. Other malevolent actors – to include especially nefarious nation-states – may have even darker intentions. A massive attack could not just further cripple the U.S. economy, but also would present the opportunity to kill millions of Americans. Some might think that would be a ‘knockout blow’ and believe the pandemic is the right time to attempt it.
Cyber viruses can, in fact, be weapons of mass destruction. It’s critically important that America’s military and civilian cyber-security forces double-down on their vigilance as the most dangerous virus we may face might not be biologic but rather electronic.
Still, remember our Lawfire® mantra: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!