Skip to content
Tech News
← Back to articles

What Happens if China Hacks the US Water Supply? I Went to a Secret War Game to Find Out

read original more articles

It’s around an hour and 10 minutes into the role-playing game I’ve been invited to observe, a simulated catastrophic cyberattack on US water utilities, when the whole thing begins to feel less like a fun afternoon playing Dungeons & Dragons and more like a plausible threat to civilization.

A full 24 hours of in-game time have passed since hackers disrupted 5,000 water utilities across the United States in this imagined scenario. Joshua Corman, the former Cybersecurity and Infrastructure Security Agency strategist serving as our dungeon master, stands at the front of a conference space in an office tower high above Times Square, narrating the latest updates to the game’s participants, a few dozen insurance executives set up in six teams. All of them have gone disturbingly silent.

“You ready? It’s about to get harder,” Corman says. “I’m going to share a few things, and it’s going to hurt.”

It is, of course, still the same April afternoon as when we started—but in game time, the second-order effects of widespread water outages have started to become clear. Food refrigeration systems are failing at cold storage warehouses. Water-dependent drug and chemical manufacturing has been bottlenecked, leading to insulin shortages. Data centers’ cooling systems are failing, causing outages of cloud services. Most critically, 2,000 hospitals are without water, hampering patient care and in some cases leading to evacuations as HVAC systems shut down and the July heat—the game takes place just before Independence Day in 2027—bakes facilities.

Worse yet, Corman is playing a looping video onscreen, at the front of the room, showing a burst water main: The hackers have managed to trigger not just IT disruption but also, in at least some cases, real physical destruction that will take far longer to fix. “Everyone downstream is without water pressure,” Corman says. “Everything depends on water.”

(The tension in the room has also peaked, in part, due to Corman’s decision to deny participants any organized restroom breaks. “There are no breaks in real incident response,” Corman explains just before the giant water pipe starts gushing onscreen. “If you have to go to the bathroom, go to the bathroom. But you might miss something vital.” No one goes to the bathroom.)

The central task Corman has assigned for this round to the teams of participants, all of whom are playing the surprisingly pivotal role of insurance companies, is to decide how they’ll dole out their resources—contracted cybersecurity incident responders and money—and which clients will get priority.

Will their business relationships with clients dictate their response? Or will they focus on minimizing harm for the most possible people? And given that some clues in the game are already suggesting this catastrophic cyberattack was carried out by the Chinese military to hamper a US response to its invasion of Taiwan, will the insurers be required to focus on keeping military facilities operational?

Left unspoken in this question is another range of disastrous possibilities for the insurers themselves: Will this catastrophe bankrupt them? Or will they invoke an “act of war” exclusion in their insurance policies—a standard clause that exempts carriers from all liability when an armed conflict breaks out—and pay their clients nothing, thus risking that they’ll become the villains of the story?

The teams have 15 minutes to decide on a policy. “OK?” Corman asks. “Let’s start the clock now.”