Cyber attacks against civilian nuclear assets could have grave consequences and nations should formally agree to forego such attacks, according to a new report from the EastWest Institute (EWI).
“Until now, most bilateral work to reduce cyber risk has focused on confidence building measures, such as hotlines and information sharing about low-level attacks,” Bruce McConnell, a senior vice president of EWI and former deputy under secretary for Cybersecurity in the Department of Homeland Security, wrote in the foreword of the report, A Measure of Restraint in Cyberspace: Reducing Risk to Civilian Nuclear Assets
McConnell wrote that because “A comprehensive approach remains a long way off,” and cyber weapons are proliferating, the EWI is proposing that “nations forego the possibility of using those tools to attack civilian nuclear assets.”
EWI is a non-partisan, multinational think tank that addresses a wide range of security issues.
Cyber attacks against the nuclear sector are “constantly increasing,” according to the report. The Stuxnet virus that attacked an Iranian nuclear facility and was discovered in 2010 is the best-known attack but there are less publicized attacks, the report said. In the first half of 2013 seven attacks were reported to DHS, it said.
“This number is merely the tip of the iceberg, as many nuclear operators around the world do not report incidents, fearing the public opinion backlash that can follow, or simply because they are unaware of the attacks,” the report said. Despite the potential consequences of radiation leaks from such attacks, the progress between governments “to address cyber risks to civil nuclear assets has been slow.”
EWI makes four recommendations to strengthen cyber security in the civilian nuclear area. First, at a nuclear summit in The Hague in March states and corporations should discuss make a legally binding agreement for the prohibition in peacetime of cyber and technological attacks against civil nuclear sites in peacetime.
The report also suggest that nations establish a response center for “nuclear information security incidents of high severity” and sign a two-year-old Multilateral Statement on Nuclear Information Security.
Finally, states that have signed the 2012 Statement should issue assessments of their performance against their commitments as a means to drive more countries to sign, EWI said.