Will there be any publicly disclosed cyber attacks on nuclear facilities before the end of 2016?
This question was closed as "no" with an end date of 31 December 2016. In making this decision, the question team carefully reviewed the open source evidence of three different incidents. The first two incidents were reviewed when the initial news broke and again at the end of the year. The third was considered when the 2016 report from the Nuclear Threat Initiative was released.
The first incident was the discovery of malware in a German nuclear power plant in May 2016. At the time, there was insufficient evidence to close the question because it was unclear whether the malware was introduced into the system as part of an attack or inadvertently. A clarification relaying this decision was issued at that time. Although NTI counts this incident in its 2016 report (NTI), it presents no new evidence about the incident and classifies the intent of the act as "unknown" rather than as "intentional" or "accidental." With no additional evidence on how the malware was introduced, our decision in May remains unchanged.
The second incident involved the release of data from a hydrogen isotope research center in Japan. In June, it was revealed that a PC at the facility was infected with a virus in November of 2015 and subject to remote control until late December 2015. Data from the research center was released in March and June of 2016, during the question's open period (Japan Times). It is unclear whether all the data was stolen in 2015 and released in 2016, or if some of the released data was acquired by the perpetrators during 2016. However, sources agree that the November 2015 spear-phishing attack was what enabled the data to be stolen (Japan Times, eSecurity Planet), and because the spear-phishing attack occurred prior to the question's open period, this incident does not qualify.
The third incident was at the Nuclear Regulatory Commission/Department of Energy and is listed in the NTI report with a February 2016 date, but the perpetrator of the incident was indicted for these actions in the spring of 2015, so the attack occurred prior to the question's open period (FBI).
Given the clarification issued in May and the lack of subsequent evidence, there is insufficient evidence to close this question as "yes" based on the incident at the German power plant. The attack on the Japanese power plant began in 2015, prior to the question's open period, and so does not qualify; the same is true of the Department of Energy incident.
Threats emanating from the cyber realm have been increasing in frequency and severity. In just the last month, we saw Russia sanctioned for using cyber to disrupt elections, Kiev's power grid turned off after a cyber attack, and a huge merger put in jeopardy after Yahoo revealed that millions of its accounts had been hacked. The unique nature of the cyber domain creates challenges for adjudicating forecasting questions using open source material and requires that these questions be less precise than others you'll find on the site. But given the growing importance of this threat, it is worth working through this ambiguity so that the Good Judgment forecasting community can engage on these issues and the wisdom of the crowd can be leveraged. We will be launching an open question next week to solicit your ideas on what questions we should be asking about this important topic and also how we should be asking those questions. We hope you will share your thoughts and continue to engage on the important issues of the day here at Good Judgment Open.
Recent reports by Chatham House and the Nuclear Threat Initiative suggest that many nuclear facilities are vulnerable to cyber attacks (NY Times, BBC, Financial Times).