The chief meteorologist and federal emergency response official at the Department of Homeland Security has spent years tracking a threat most policymakers have yet to reckon with: AI-enabled cyberattacks timed to extreme weather.
“Creativity, ingenuity, and intellect are no longer required to set loose the AI attackers of tomorrow,” Sunny Wescott warned. Now, all that’s needed is a system left unpatched and a storm on the forecast.
Wescott and I connected after the GovAI Summit in Arlington, VA in 2025 to talk about how the public sector should approach the compounding dangers of evolving technology and severe weather such as hurricanes, tornadoes or heatwaves.
When a weather event hits, systems lose connectivity and routine security patches don’t get installed on time. The longer systems go unpatched, the more exposed vulnerabilities accumulate.
At the same time, a flood of emergency communications becomes a vehicle for phishing attacks — bringing, in Wescott’s words, “the weakest link in operational security to the front door.”
The stakes of the threat Wescott describes are high. A successful compound attack would not simply extend a power outage — it would collapse the systems society depends on to manage the disaster itself: hospitals, water treatment, emergency communications, supply chains.
The policy response must match the threat. Policymakers continue to plan for cyber threats and weather emergencies as separate events, when the real danger lurks in the overlap between them.
The Ultimate Distraction
When natural disasters and cyber threats compound rather than take turns, no target is more exposed than the power grid.
During a hurricane or heatwave, the power grid runs near capacity, alarms ring constantly and operators field hundreds of simultaneous alerts. A malicious actor already embedded in grid infrastructure can take advantage of the chaos to activate undetected.
The damage of the resulting cyberattack would be indistinguishable from a grid buckling under demand surge: a system failure in a sea of system failures. Furthermore, when attribution fails in the chaos of a storm, no deterrence signal gets sent. An adversary that strikes undetected once faces no cost for doing it again.
A simulation by researchers at Johns Hopkins University, the University of California at Berkeley and New York University confirmed that a cyberattack on Long Island’s power grid timed to an extreme weather event could increase grid disruption more than three times compared to a standalone attack. It could also extend forced outages from three hours to eleven, leave nearly 198,000 customers without power, and cause a 37% drop in economic productivity for state and local government organizations — including transit systems and emergency services that communities depend on to manage a crisis.
That multiplier effect is what makes the timing of such a cyberattack deliberate, not incidental.
Artificial intelligence accelerates every stage of this stacked threat. Large language models are already used by nation-state actors to conduct reconnaissance, identify vulnerabilities and develop attack tools faster than human analysts can respond.
Anthropic displayed how much can be done with minimal human supervision in late 2025, when a Chinese state-sponsored group used AI to execute 80-90% of an espionage campaign against roughly 30 technology, finance, government, and critical infrastructure targets.
Now, Anthropic’s Claude Mythos has autonomously uncovered critical vulnerabilities in every major operating system and web browser. With that achievement, advanced AI crossed a threshold that AI scientist Yoshua Bengio had warned was coming, wrote Gordon Goldstein, an adjunct senior fellow at the Council on Foreign Relations. It showed that AI is able to identify previously unknown software vulnerabilities, weaponize them and chain exploits together in ways no prior model could.
AI does not just make cyberattacks more powerful. It makes them more accessible. As Brianna Rosen and Jam Kraprayoon write in Foreign Affairs, tasks that once required teams of highly skilled professionals will soon run continuously with limited oversight.
As electrification expands the grid’s digital footprint, the threat-monitoring arm of the North American Electric Reliability Corporation (NERC) warns the attack surface will broaden exponentially, at precisely the moment that U.S. tensions with China and an escalating conflict in the Middle East are raising the stakes of critical infrastructure as a target.
This Is Not a Drill
A deliberate, weather-masked cyberattack has not yet occurred. But the capability exists and the access is in place. What remains is only the decision to activate.
For example, in 2023, Chinese state-linked hackers operating under the name Volt Typhoon spent 300 days inside the network of a small electric utility in Littleton, Massachusetts — not to cause disruption, but to map the network. The hackers exfiltrated operational data, including grid layout and infrastructure details.
Former FBI Director Christopher Wray has called Volt Typhoon the “defining threat of our generation.” The pre-positioning is already done.
Meanwhile, the windows of potential operational chaos are multiplying. The average time between billion-dollar weather disasters in the United States has fallen from 82 days in the 1980s to just 10 days in 2025. More frequent extreme weather events mean more operational chaos windows, when grid operators are overwhelmed, anomalous readings are expected and a quiet activation could go unnoticed.
Adversaries do not have to guess when those windows open. As Wescott has noted, the same weather forecasting data the government makes freely available to help communities prepare gives adversaries a precise scheduling tool.
Building the Defense the Threat Demands
Three steps could materially reduce the risk of an AI-enabled cyberattack timed to extreme weather.
First, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy must fund AI-powered anomaly detection systems built specifically for compound scenarios, such as a cyberattack activating during a live weather emergency. Current intrusion detection tools are calibrated for normal operating baselines, but during a weather event, normal operations vanish. Defensive AI must learn to distinguish storm signatures from adversarial ones in real time. If AI is what accelerates the threat, it must also be what accelerates the defense.
Second, NERC’s GridEx exercises, which currently simulate cyber and physical threats in isolation, must incorporate mandatory compound scenarios. Grid operators need to practice detection and response under exactly the conditions an adversary would choose. This requires no new funding, only a regulatory mandate that reflects how adversaries may operate.
Third, the U.S. should lead development of a multilateral framework for real-time intelligence sharing on compound weather-cyber attack vectors. The deliberate exploitation of natural disasters must be treated as a category of attack that crosses a line — not just strategically, but morally.
The Stakes Are Global
Every nation expanding its electric grid is expanding its exposure to the threat of a cyberattack in extreme weather; it is not a uniquely U.S. problem.
Furthermore, the failure to think creatively about compound threats isn’t uniquely American. Most countries aren’t analyzing this combination of risks either.
But domestically, the stakes are compounded by a troubling contradiction: The Pentagon has quietly scrubbed climate analysis from its planning documents, even as extreme weather grows more frequent and more operationally disruptive. Government officials cannot harden installations against threats they have been ordered not to analyze.
The adversary already has a forecast. The question is whether we build our defenses before they decide to use it.


