In terms of existential risk, how would you consider the coming technological singularity? What about the future of automated drone combat? Or the possibility of nuclear annihilation? Or biological weapons? Now what about a foreign cyberattack?
If you’re like most people, the latter seems to be the most ridiculous concept — and the one least worthy of concern. It’s easy for us to imagine the world getting destroyed by nuclear weapons because we’ve already seen two of them dropped on cities — and we’ve got some questionable leaders in charge of policing their use. And it’s easy for us to picture an AI takeover because we’ve seen it over and over again in pop culture.
But for some reason we don’t take cyber threats seriously enough. And if we want to be adequately prepared, we need to change that — fast.
The possibility of a cyberattack
I want to start by acknowledging the true possibility of a cyberattack, compared to the possibility of other types of existential risks.
The chances of a nuclear strike are much lower than most people expect. While nuclear arsenals are still numerous, and safety standards (in some cases) leave something to be desired, consider this: it’s been more than 70 years since the atomic bombs were dropped on Hiroshima and Nagasaki, and in that time we’ve had the tensest, most aggressive nuclear standoff imaginable with the USSR. Yet despite that animosity and availability, no further strike was made — and the possibility of self-assured destruction through nuclear winter inhibits any nation from making a strike.
The probability of a malicious AI takeover is also low, if for no other reason than our limited understanding. It’s highly unlikely that any competent AI would develop sufficiently malicious intentions, and even a paperclip maximizer with sufficient capabilities to be an existential threat is many years to many decades beyond our reach — even in the most optimistic estimates.
But the threat of a cyberattack is real, and already unfolding. Consider the WannaCry ransomware attack in May 2017, which affected more than 200,000 computers in 150 countries across the world, demanding Bitcoin payments. Up to 70,000 devices in National Health Service hospitals in England and Scotland alone were affected, including blood storage refrigerators and MRI scanners, putting patients’ lives in jeopardy.
And the total cost of the attack is estimated to be up to $4 billion USD. It’s suspected that North Korea was behind the attack, but even if the country isn’t affiliated with it, this incident proves just how imminent a threat cyberattacks can be.
The existential risk
The probability of occurrence is grounds for concern, but the severity of a well-executed attack should be even more troubling.
The most intuitive cause for concern is monetary. More than 92 percent of all currency in the world exists only in digital and non-tangible forms; if a single financial institution is disrupted, it could wipe out billions of dollars in assets, and undermine consumer faith in fiat currency. The disruption here could affect entire countries’ economies, and for anywhere from hours to months.
But the WannaCry attack exposes an even more important vulnerability: healthcare. Our hospitals rely on technology for the vast majority of patient treatments, whether it’s documenting the progression of a case or literally keeping a patient alive. One sophisticated attack on a hospital could jeopardize hundreds to thousands of lives.
And that’s not even considering the possibility of a cyberattack targeting our utilities and infrastructure. Our society is heavily dependent on being able to access water, electricity, and food very easily — and without these basic necessities, millions of lives could be in jeopardy. Consider the Northeast Blackout of 2003, which wiped out power in the Midwestern United States and Ontario for just 7 hours in some areas (and a day or two in others). This relatively short, small-scale outage resulted in an estimated 100 deaths — and it was all rooted in a single software bug from an Akron, Ohio company. If an unintentional cyber vulnerability was enough to cause this much havoc, a coordinated, malicious attack would be orders of magnitude more consequential.
Accessibility and ease
Wars require the approval of high-ranking authorities, and the coordination of millions of people. AI would, hypothetically, require the cooperation of some of the world’s most brilliant minds and many years of work. Even the worst effects of global climate change will only unfold after many years and continued, worldwide abuse of the environment.
But in the world of cybercrime, extreme damage can be done by a bored teenager in their bedroom. Back in 2000, when he was 15 years old, a hacker going by the name Mafiaboy shut down sites operated by Yahoo, CNN, eBay, E-Trade, and others for several hours. And while that seems innocuous, it resulted in an estimated $1.3 billion in total losses — and shows just how vulnerable even our best-guarded digital assets really are.
Why cyberattacks don’t seem credible
I’ve demonstrated why cyber threats are so devastatingly powerful, so why aren’t more people taking them seriously? Part of the problem is the public perception of “hacking.” Most people imagine a lone computer nerd temporarily taking down a major company’s site in exchange for several thousand dollars, then moving on, or at worst, a major data breach (like ones affecting Target or Ashley Madison) affecting everyday consumers, but only temporarily, and in limited capacity. WannaCry is the only large-scale, potentially-nationally-motivated attack we’ve seen, and even that got limited press exposure compared to other hacks and data breaches.
We’re also guilty of assuming that the baseline resources we rely on to live — including food, water, electricity, and yes, the internet — are going to be there no matter what. Somehow, it’s easier to imagine someone sending a nuclear bomb to wipe out a city than it is imagining these supply lines drying up from a coordinated cyberattack.
I don’t have a solution for this problem, other than encouraging us all to think critically about the real nature of cyberthreats. Because a cyberattack can hit anything — including big companies, hospitals, government websites, or power plants — we need governmental institutions, private companies, and organizations to work together to better guard their technology (and by extension, us). Proactive defense, ongoing monitoring, and redundant backups are the only ways we can maximize our chances of surviving such an attack.