The Caribbean region is vibrant and diverse, known for its sparkling waters, pristine beaches, and friendly people. Home to 44 million people and a hub for more than 30 million visitors a year, the region faces a shifting landscape of economic, geographic, and infrastructure vulnerabilities. These risks are compounding: a hurricane can simultaneously damage infrastructure, depress tourism, and strain government resources, which, in turn, severely limits recovery. When an island’s single hospital is taken offline due to ransomware or other cyber activity, there will be repercussions on individuals needing care. Building resilience across all sectors is paramount. Exposure of critical infrastructure to climate impacts poses risks for the development of robust cybersecurity measures in the region’s growing digital environment. The cybersecurity capacity of Latin America and the Caribbean has already been surpassed in an increasingly connected world. The region is the world’s fastest growing in terms of disclosed cyber incidents, with a 25% annual growth rate in the last decade. At the same time, the Caribbean is on the frontlines of the climate crisis, facing rising sea levels, stronger and more frequent storms, and worsening rainy and dry seasons. Exploring connections between cyber and climate threats was the focus of a conference on Cyber Climate Convergence in the Caribbean, hosted by the Centrale Bank van Aruba (CBA) on February 5, 2025.
In her opening address to the conference, CBA President Jeanette Semeleer stressed that we are living in a polycrisis world. “Building cyber climate resilience in the Caribbean will require bridging national policy siloes as well as bolstering our sectoral and vital infrastructure strategies,” she stated. “The intensification of interconnected risks and polycrisis begets an equally integrated strategy and pathways for ‘polyresponses’ and ‘polyresilience.’ We can no longer afford to resolve our cyber threats and climate hazards in a fragmented and isolated fashion.”
Cyber Program Director, Allison Pytlak joined the conference in Aruba and teamed up with Carolyn Gruber from the Environmental Security Program to chart the connections between building cyber security and climate resilience. Both offered reflections from their research to show how taking action to prepare for one challenge, whether cyber or climate, can help in prevention of the other.
Cyber/Climate Touchpoints
On the surface, the worlds of climate and cyber may seem distinct. But a closer look reveals some striking parallels.
- Systemic Risk with Cascading Impacts. The NotPetya cyberattack in June 2017, considered to be among one of the most impactful malware incidents in history, caused over $10 billion in damages, affecting sectors from shipping companies to medical facilities. That same year, the WannaCry ransomware operation affected hundreds of thousands of computers across 150 countries, affecting multiple industries from telecommunications and transportation to the United Kingdom’s National Health Service. Similarly, coastal communities like Mauritius face interlinked climate threats from tropical cyclones, flash flooding, sea level rise, and saltwater intrusion.
- Long Latency Periods. Cyber vulnerabilities may exist undetected for years before being exploited. Likewise, greenhouse gas emissions today will shape climate conditions for decades to come.
- Multistakeholder Engagement & Transboundary Response Needed. Cyber incident response and climate adaptation both require multiple teams and organizations working in parallel across governments, private sector partners, and civil society. Similarly, international climate adaptation efforts prioritize local-led solutions. The most productive solutions will be locally informed and led, and include perspectives from government, the private sector, and civil society. An integrated and holistic understanding of climate risk and vulnerability can help local decision-makers and international partners best prioritize action, identify solutions, and strengthen coastal climate resilience.
- Intersecting Threat Vectors. Cyber operations targeting critical infrastructure can exacerbate environmental harm, while extreme weather events can damage or destroy critical digital infrastructure. For instance, a 2018 earthquake and resulting tsunami in Sulawesi, Indonesia disrupted internet connectivity, mobile cell phone networks, and financial transactions. Tonga connectivity has been severed completely on multiple occasions following natural disasters, including after a volcanic eruption in 2022 that severed undersea fiber-optic cables. The Pacific Islands Forum emphasized these inherent connections at a UN meeting on international cybersecurity in December last year and was reinforced during a recent UN cybersecurity working group session.
- Outsized Impact. In the same way that small island states have unique and differentiated risk factors and vulnerability to climate change, a cyber-attack can have similarly devastating and lasting effects. Evidence shows that communities are more vulnerable to cybercrime in the wake of an environmental or climate event, notably from cybercriminals and online scams.
- Feedback Loops. The expanding and evolving world of technology has its own environmental footprint, and therefore, very direct effects on the climate crisis. Data centers, cloud computing, AI and M/L, and cryptocurrency mining demand enormous energy resources, often from fossil fuels. The increasing amount of e-waste further compounds the impact the technology sector has on environmental security around the world.
Towards an “Extraordinary Transformation”
Building cyber security and climate resilience requires managing both the urgency of short-term fixes and the need to work towards a long-term vision. To strike the right balance will require a whole-of-society approach. As described by CBA President Jeanette Semeleer, the “national security, financial stability, and business continuity [of the Caribbean] require nothing less than an extraordinary transformation of our institutions and inter-institutional capacities, as we govern from the future in a Caribbean Society 5.0.”
Cyber Threats in Focus
Stimson’s Cyber Program’s 2024 research report on cyber accountability draws lessons from non-cyber domains that can be instructive for improving accountability in cyberspace. The report includes a case study about the Montreal Protocol to the Vienna Convention for the Protection of the Ozone Layer. The study looks at how the Protocol was negotiated, key aspects of what made it successful and which of those experiences or lessons could be instructive for global cyber governance efforts. The concept of “common but differentiated responsibilities” is important for cyber as well as climate governance, as is meaningful integration of the scientific community, and flexibility and adaptability. Other Cyber Program research on the role of market mechanisms point to parallels between environmental liability and cyber insurance such as how to measure and price catastrophic risk, which is often hard to predict; cascading effects; and the rapid emergence of new threats. Finally, the program’s growing work with Stimson’s Southeast Asia program on cybercrime scam operations may offer insights and good practice for how to reduce vulnerability to fraud and online scams after an environmental event. Learn more about the Cyber Program and its work here.
Climate Risk in Focus
For coastal cities and small islands, efficiently allocating resources to build climate resilience and enacting adaptation strategies is imperative. However, any efforts to do this are undermined by incomplete or unavailable subnational data, and compounded by technical, financial, and capacity gaps. Coastal communities need tools to consider multidimensional climate risks, develop cohesive strategies, and utilize this information to unlock additional climate finance and implement resilience actions. In response, the Stimson Center developed the Climate and Ocean Risk Vulnerability Initiative (CORVI). CORVI is a decision support tool that compares a diverse range of climate-related risks across the land-seascape to produce a coastal city risk profile. CORVI is locally based, holistic, and data driven. Looking across a broad set of ecological, economic, social, and political risk factors CORVI fills data gaps to provide a holistic assessment.
Learn more about the Environmental Security Program and its work here.
Cyber and Climate Threats: Shared Risks, Resilience, and Response Strategies
By Carolyn Gruber • Allison Pytlak
Emerging Technology
Cybersecurity and climate security may seem unrelated, but both pose escalating risks that demand innovative, cross-sector solutions. The Stimson Center’s Cyber and Environmental Security Programs explore how action to prepare for threats in one domain can mitigate threats in the other.
The Caribbean region is vibrant and diverse, known for its sparkling waters, pristine beaches, and friendly people. Home to 44 million people and a hub for more than 30 million visitors a year, the region faces a shifting landscape of economic, geographic, and infrastructure vulnerabilities. These risks are compounding: a hurricane can simultaneously damage infrastructure, depress tourism, and strain government resources, which, in turn, severely limits recovery. When an island’s single hospital is taken offline due to ransomware or other cyber activity, there will be repercussions on individuals needing care. Building resilience across all sectors is paramount. Exposure of critical infrastructure to climate impacts poses risks for the development of robust cybersecurity measures in the region’s growing digital environment. The cybersecurity capacity of Latin America and the Caribbean has already been surpassed in an increasingly connected world. The region is the world’s fastest growing in terms of disclosed cyber incidents,1Disclosed cyber incidents are unauthorized occurrences that jeopardize the confidentiality, integrity, or availability of a company’s information systems that are disclosed to the U.S. Securities and Exchange Commission. with a 25% annual growth rate in the last decade. At the same time, the Caribbean is on the frontlines of the climate crisis, facing rising sea levels, stronger and more frequent storms, and worsening rainy and dry seasons. Exploring connections between cyber and climate threats was the focus of a conference on Cyber Climate Convergence in the Caribbean, hosted by the Centrale Bank van Aruba (CBA) on February 5, 2025.
In her opening address to the conference, CBA President Jeanette Semeleer stressed that we are living in a polycrisis world. “Building cyber climate resilience in the Caribbean will require bridging national policy siloes as well as bolstering our sectoral and vital infrastructure strategies,” she stated. “The intensification of interconnected risks and polycrisis begets an equally integrated strategy and pathways for ‘polyresponses’ and ‘polyresilience.’ We can no longer afford to resolve our cyber threats and climate hazards in a fragmented and isolated fashion.”
Cyber Program Director, Allison Pytlak joined the conference in Aruba and teamed up with Carolyn Gruber from the Environmental Security Program to chart the connections between building cyber security and climate resilience. Both offered reflections from their research to show how taking action to prepare for one challenge, whether cyber or climate, can help in prevention of the other.
Cyber/Climate Touchpoints
On the surface, the worlds of climate and cyber may seem distinct. But a closer look reveals some striking parallels.
Towards an “Extraordinary Transformation”
Building cyber security and climate resilience requires managing both the urgency of short-term fixes and the need to work towards a long-term vision. To strike the right balance will require a whole-of-society approach. As described by CBA President Jeanette Semeleer, the “national security, financial stability, and business continuity [of the Caribbean] require nothing less than an extraordinary transformation of our institutions and inter-institutional capacities, as we govern from the future in a Caribbean Society 5.0.”
Cyber Threats in Focus
Stimson’s Cyber Program’s 2024 research report on cyber accountability draws lessons from non-cyber domains that can be instructive for improving accountability in cyberspace. The report includes a case study about the Montreal Protocol to the Vienna Convention for the Protection of the Ozone Layer. The study looks at how the Protocol was negotiated, key aspects of what made it successful and which of those experiences or lessons could be instructive for global cyber governance efforts. The concept of “common but differentiated responsibilities” is important for cyber as well as climate governance, as is meaningful integration of the scientific community, and flexibility and adaptability. Other Cyber Program research on the role of market mechanisms point to parallels between environmental liability and cyber insurance such as how to measure and price catastrophic risk, which is often hard to predict; cascading effects; and the rapid emergence of new threats. Finally, the program’s growing work with Stimson’s Southeast Asia program on cybercrime scam operations may offer insights and good practice for how to reduce vulnerability to fraud and online scams after an environmental event. Learn more about the Cyber Program and its work here.
Climate Risk in Focus
For coastal cities and small islands, efficiently allocating resources to build climate resilience and enacting adaptation strategies is imperative. However, any efforts to do this are undermined by incomplete or unavailable subnational data, and compounded by technical, financial, and capacity gaps. Coastal communities need tools to consider multidimensional climate risks, develop cohesive strategies, and utilize this information to unlock additional climate finance and implement resilience actions. In response, the Stimson Center developed the Climate and Ocean Risk Vulnerability Initiative (CORVI). CORVI is a decision support tool that compares a diverse range of climate-related risks across the land-seascape to produce a coastal city risk profile. CORVI is locally based, holistic, and data driven. Looking across a broad set of ecological, economic, social, and political risk factors CORVI fills data gaps to provide a holistic assessment.
Learn more about the Environmental Security Program and its work here.
Notes
Recent & Related