MICHAEL J. D. VERMEER
Evaluating Select
Global Technical
Options for
Countering a
Rogue AI
Expert Insights
PERSPECTIVE ON A TIMELY POLICY ISSUE
November 2025
iii
About This Paper
This paper provides a preliminary examination of a select set of technical options for responding
to the emergence of a globally distributed rogue artificial intelligence (AI) that poses an imminent and
catastrophic threat to human well-being or government continuity. By focusing on high-altitude
electromagnetic pulse, global Internet shutdown, and the deployment of specialized tool AI, the
analysis for this paper aims to clarify the feasibility, risks, and trade-offs associated with extreme
technical interventions that could, in principle, be executed unilaterally and on short timescales. Its
conclusions are intended to stimulate further discussion, highlight critical knowledge gaps, and
underscore the need for additional research and coordinated planning. This paper should be of
interest to AI security researchers and others interested in addressing the risk of catastrophic harm
from AI.
Center for the Geopolitics of Artificial General Intelligence
RAND Global and Emerging Risks is a division of RAND that delivers rigorous and objective
public policy research on the most consequential challenges to civilization and global security. This
work was undertaken by the division's Center for the Geopolitics of Artificial General Intelligence
(AGI), which is committed to helping decisionmakers understand, anticipate, and prepare to navigate
the national security and geopolitical implications of AGI. The center convenes leading technologists,
strategists, economists, political scientists, and outside experts to consider the feasibility and
effectiveness of prospective AGI-enabled capabilities; the domestic and international implications of
their use; and the strategies and policies that governments, businesses, and civil society could adopt to
respond to new realities. For more information, visit
Funding
This research was independently initiated and conducted within the Center for the Geopolitics of
AGI using income from operations and gifts from RAND supporters, including philanthropic
gifts made or recommended by DALHAP Investments Ltd., Ergo Impact, Founders Pledge,
Charlottes och Fredriks Stiftelse, Good Ventures, Longview, and Open Philanthropy. More details on
the center’s funding are available RAND donors and grantors have
no influence over research findings or recommendations.
Acknowledgments
The GPT-4o-mini 2024-07-18 model was used to draft an initial version of the summary of this
paper. I would like to thank the many RAND colleagues who contributed comments and feedback to
iv
improve this paper, including (in no particular order) Joel Predd, Emma Borden, Matt Chessen, Karl
Mueller, Dave Frelinger, Anjay Friedman, Henry Wu, Marjory Blumenthal, Don Snyder, Tom
Mulligan, Jessie Wang, Edward Geist, Iskander Rehman, and Ben Boudreaux. I would also like to
thank the peer reviewers of this paper, Ross Gruetzemacher of Wichita State University and Henry
Hargrove of RAND.
v
Summary
This paper presents a preliminary exploration of three technical strategies for countering a globally
distributed rogue artificial intelligence (AI): high-altitude electromagnetic pulse (HEMP), global
Internet shutdown, and the deployment of specialized tool AI. The analysis in this paper is
intentionally limited in scope, focusing on options that could, in theory, be executed unilaterally by the
United States on short notice and have global reach. It does not address more-localized or
nontechnical interventions, and it does not attempt to provide a comprehensive solution to the
challenge of rogue AI. Instead, the paper aims to clarify the assumptions, uncertainties, and trade-offs
associated with each option and to stimulate further discussion and research on this topic. The
conclusions should be viewed as an initial step toward understanding the technical feasibility and risks
of extreme response measures in the event of a catastrophic loss-of-control AI incident.
The assessment finds that each technical option comes with significant limitations and risks.
HEMP could potentially disrupt AI operations by damaging electronic infrastructure, but its
effectiveness is highly uncertain due to the variability in real-world shielding and the resilience of
modern systems. Moreover, the collateral damage to critical infrastructure and the risk of nuclear
escalation likely make HEMP a highly unattractive option except in the most extreme circumstances.
Shutting down the Internet—whether by manipulating routing protocols, disrupting the domain
name system, or physically disconnecting key infrastructure—has formidable technical and logistical
barriers. Although such actions could impede the proliferation and coordination of a rogue AI, they
would also severely disrupt essential societal functions and are unlikely to be fully effective given the
Internet’s redundancy and global distribution. The use of a specialized tool AI, such as digital vermin
or hunter/killer AI, offers a more targeted approach but remains speculative; this type of tool could
introduce new risks, including loss of control or unintended consequences, and their effectiveness
against a sophisticated rogue AI is uncertain.
Based on this preliminary analysis, three conclusions emerge. First, existing technical tools for
countering a globally proliferated rogue AI are unlikely to offer reliable or effective solutions, especially
given the stringent assumptions required for their success. Second, proactive coordination and
planning—ideally undertaken before a crisis—are essential for risk mitigation, because unilateral,
short-notice actions are both risky and likely to be insufficient. Third, the lack of robust technical
countermeasures highlights the paramount importance of preventing this scenario from ever occurring
in the first place. Further research and development are urgently needed to identify and evaluate
additional options for responding to the threat of rogue AI.
vi
Contents
About This Paper ............................................................................................................................................................. iii
Summary .............................................................................................................................................................................. v
Figure ................................................................................................................................................................................. vii
Evaluating Select Global Technical Options for Countering a Rogue AI .................................................................. 1
HEMP ........................................................................................................................................................................... 2
Internet Shutdown ....................................................................................................................................................... 5
AI Tools to Counter Rogue AI ................................................................................................................................ 12
Layered Strategy ......................................................................................................................................................... 14
Conclusions ................................................................................................................................................................. 15
Abbreviations ................................................................................................................................................................... 17
References ......................................................................................................................................................................... 18
About the Author ............................................................................................................................................................ 21
vii
Figure
Figure 1. Submarine Cable Landing Point Map ............................................................................................................ 9
1
Evaluating Select Global Technical
Options for Countering a Rogue AI
This paper describes a sample of three technical options for countering a rogue artificial
intelligence (AI): high-altitude electromagnetic pulse (HEMP), a global shutdown of the Internet, and
deployment of tool AI. These options are meant to hinder the rogue AI’s actions, stop or slow its
proliferation, and eradicate it, depending on the option employed. Each of these proposed technical
options would seek to counter a rogue AI so threatening to government continuity and human well-
being that the threat would necessitate extreme actions that might cause significant collateral damage.
Scenarios involving such a rogue AI have been described elsewhere in various forms (Bostrom, 2002;
Yudkowsky, 2008; Nielsen, 2025; Kokotajlo et al., 2025; Vermeer, Lathrop, and Moon, 2025).
Briefly, I posit that an AI that was existentially threatening to this degree might be highly integrated
with key systems that gave it significant capability to affect both the cyber and physical domains, have
the ability to survive and function without human maintainers, and have goals that lead it to threaten
human beings on a large scale (Vermeer, Lathrop, and Moon, 2025).
I examine the three technical options identified above because (1) they could conceivably have
global reach and (2) the United States may feasibly execute them unilaterally on a short timescale
rather than requiring lengthy coordination with other For each option, this paper describes
the rationale for deploying the strategy, what is known or can be inferred about the effectiveness of the
strategy under current circumstances, and the assumptions that must hold true for the strategy to be
viable. I end with a discussion of the conclusions that can be drawn from this preliminary analysis.
More generally, I seek to answer the question, “Why use this strategy or set of strategies and not
another?” It aims to explain why a loss-of-control incident response plan might or might not include
these strategies in the more extreme or catastrophic response scenarios. For the purposes of this
paper, I define a loss-of-control event as occurring when AI systems operate in ways not intended by
developers or users and outside human control. I define a rogue AI as a system responsible for a loss-
of-control event. Although a rogue AI incident might take many forms and have widely varying
severity, in this paper, I consider only responses to the most extreme or catastrophic incidents. In
these incidents, I assume that (1) a rogue AI is or is likely to become globally distributed and (2) it has
been determined that the rogue AI presents a likely, imminent, and catastrophic risk to broad human
well-being and continuity of the . government.
In this paper, I also intentionally exclude from consideration more-localized technical options
(such as network segmentation or cutting power to data centers) and nontechnical options for
1 The three options I assess are not the only options that might conceivably meet these criteria. Other options for consideration
might include kinetic strikes on power or compute infrastructure and high-powered microwave attacks, for example. These two
were excluded from consideration in this paper because my initial, cursory examination concluded that it would be difficult to
scale such options to meet the first criterion of global reach.
2
countering a rogue AI. I exclude such options as methods to deter, coerce, or persuade rogue AI.
These alternative strategies are likely critical elements of an overall strategy for countering rogue AI of
various kinds. However, in this paper, I examine the viability of globally relevant technical methods for
disrupting or defeating a rogue AI that threatens humanity.
HEMP
HEMP might be an option of last resort for countering a rogue AI that has spiraled out of control
and poses a catastrophic or even existential threat to humanity (Williams, 2025). This strategy would
involve the detonation of nuclear warheads in space, triggering electromagnetic pulses that would
disrupt or destroy ground-based telecommunications, power, and computing infrastructure. The
objective of a HEMP attack would be to destroy or degrade key electronics and hardware on which
the rogue AI depends, thereby eradicating the AI or severely limiting its capability. Although much
has been written about the potential effects of HEMP (Foster et al., 2004; Electric Power Research
Institute [EPRI], 2019; National Coordinating Center for Communications, 2019) and guidelines
and standards for shielding critical systems (. Department of Defense, 1999; . Department of
Homeland Security Science and Technology Directorate, 2022), I significantly base my analysis in
this section on Savage, Gilbert, and Radasky (2010), which provides a comprehensive look at the
phenomenon of HEMP and its effects on systems associated with the . power
HEMP Effects
The effects of HEMP are typically categorized into three components: E1 (a fast, high-intensity
pulse), E2 (similar to lightning effects), and E3 (a slower, longer-lasting pulse that interacts with the
Earth's magnetic field) (Savage, Gilbert, and Radasky 2010). Among these, the E1 component is most
relevant for damaging electronics, and I focus on a strategy that aims to exclusively use E1 to damage
electronic infrastructure and hinder or destroy a rogue AI’s
The E1 component of HEMP poses a risk to electronics primarily through the induction of high
voltages in conductive The benchmark HEMP field waveform for E1 assumes that peak field
strengths can reach 50,000 V/m (Savage, Gilbert, and Radasky, 2010). Above a threshold detonation
yield, peak field strength tends to saturate around this level, and increasing weapon yield alone is not
well correlated with creation of a higher HEMP field strength (Savage, Gilbert, and Radasky, 2010;
National Coordinating Center for Communications, 2019). Unshielded devices experiencing field
strengths near the peak would experience significant voltage spikes that could cause temporary
2 Executive Order 14347, signed September 5, 2025, authorized the use of Department of War as a secondary name for the
Department of Defense. However, the cited 1999 source publication was written before that order was released and thus refers to
the department by its current statutory names under Public Law 81-216, National Security Act Amendments of 1949.
3 The E3 effect might also cause catastrophic damage to power transmission and distribution infrastructure. I consider this here
primarily in terms of the massive collateral damage a HEMP attack would cause, though future work might also consider it as an
intended effect to hinder rogue AI activity by denying it power.
4 Some systems can also be affected by the actual electromagnetic wave, if their clock cycle frequencies overlap with the HEMP
pulse (Savage, Gilbert, and Radasky, 2010).
3
disruptions (requiring a reset) or permanent damage to electronic components. For example, the peak
field strength of 50,000 V/m would induce 500 V in a 1 cm antenna, which could be sufficient to
permanently damage connected small electronic components in a variety of devices (Savage, Gilbert,
and Radasky 2010). The extent of damage depends on several factors, including the actual strength of
the electromagnetic field, the length and orientation of the affected conductors, the shielding provided
by enclosures, whether devices are powered at the time of the pulse, and a complex set of factors
associated with the design of the device, such as the conductors to which it is connected (Savage,
Gilbert, and Radasky 2010). Longer wires will pick up more of the energy from the pulse than shorter
wires do, so devices attached to very long cables are more vulnerable.
Buildings and other structures provide shielding that can significantly attenuate the
electromagnetic field, reducing the likelihood of damage or disruption. For example, a building with
metal siding and no windows would provide 20 dB of shielding, equating to a tenfold reduction in
overall field strength experienced by devices inside; other building materials, such as masonry and
concrete, provide less shielding that would nevertheless be significant (National Coordinating Center
for Communications, 2019). Experimental studies, such as those conducted by the EPRI, have
demonstrated that shielding from buildings and surge protection devices can mitigate damage even
under controlled high-field-strength conditions (EPRI, 2019). Moreover, modern electronics often
incorporate protections against electrostatic discharge, which would mitigate the effects of E1 HEMP,
although the degree of protection varies widely and would be hard to predict. All in all, devices
experiencing peak field strengths have the potential to experience significant damage and disruption,
but many factors could significantly attenuate the effects, and it is highly uncertain what overall
damage even peak field strengths could cause to electronic infrastructure in real-world conditions.
Actual field strengths of the HEMP will vary significantly depending on the height of the burst
and the distance of the targets from ground zero. Much greater areas can be affected by the HEMP
with high heights of burst, but this will result in lower peak field strengths that may be insufficient to
cause the widespread damage and disruption desired. Height of burst must generally be less than 100
km to achieve peak field strengths on the ground (Savage, Gilbert, and Radasky 2010). At heights of
burst less than 100 km, the overall area affected by the electromagnetic pulse (EMP) could be more
than 1 million km2 but the significant majority of that area will experience weak field strengths (.,
less than 50 percent of peak field strength). High field strengths (more than 75 percent of peak) would
only be achieved over relatively small areas (on the order of 100,000 km2) directly under a blast. Such
estimates imply that one would need roughly 50 to 100 detonations to completely cover a land mass
the size of the contiguous United States with pulses greater than 75 percent of peak field
Finally, it should be noted that the EMP is mediated by ionization of the atmosphere, and there
would need to be an unknown time gap between detonations to allow the atmosphere to recharge.
Utility of HEMP to Counter Rogue AI
Given all of the above, is a HEMP attack a viable means to counter a rogue AI? Under what
conditions or assumptions would this be true? The primary reason to consider HEMP as a means to
5 The estimated area of effect and the number of detonations required are derived from my examination of Figure in Savage,
Gilbert, and Radasky (2010).
4
counter AI is that the United States can conceivably unilaterally create a wide area, even a global
effect, that disrupts or destroys infrastructure that AI depends on to function. Few, if any, other
proposed options would allow a single nation to so quickly create a (potentially permanent) global
effect. However, I argue that this would nevertheless only be a viable option under the following set of
assumptions.
First, one must assume that key ground-based electronic infrastructure experiencing peak
HEMP field strengths would be damaged or disrupted sufficiently. This is highly uncertain, and
there is no practical way to resolve this uncertainty. Real-world conditions, including varying
shielding, device orientation, electrostatic protections, and many other factors will mean that the
effects of a HEMP attack are likely unknowable without triggering an actual HEMP to test it.
Nevertheless, studies indicate that common building materials would provide shielding that would
lead to significant reductions in field strengths experienced by electronics inside buildings (National
Coordinating Center for Communications, 2019). This shielding may be especially true of the
building materials and designs used for large-scale computing facilities that might be the primary
targets of a HEMP attack. A HEMP attack might, however, be effective at disrupting electrical
transmission and distribution infrastructure, which could still disrupt critical resources on which the
AI depends, even if it does not directly destroy electronics.
Second, one must assume that sufficient weapons are available, with appropriate designs and
vehicles to deliver them to target locations. A relatively small land area is affected by peak field
strengths from a single HEMP detonation at an optimal height of burst. I assume that sufficient
weapons and delivery vehicles would be available (or could practically be acquired) to target a relatively
small series of point or small-area targets (., all of a nation’s data centers). However, it would likely
require hundreds of detonations to create a global phenomenon. As an extreme notional example, if
one assumes that a single HEMP detonation would pulse 100,000 km2 with sufficiently high field
strength and 10 percent of the Earth’s land mass (Earth’s land mass is approximately 150 million km2)
needed to be pulsed, this would imply the need for approximately 150 This number
would be significantly reduced if less land mass needed to be covered or if lower field strengths were
deemed sufficient to cause the necessary disruption (though this is related to the uncertainty in the
first assumption).
Third, one must assume that a HEMP attack would cause more harm to the AI’s ability to
achieve its objectives than it would harm humanity’s efforts to survive. Put another way, the effects
of the HEMP attack must be worth the massive collateral damage it would cause. To be sure, this
attack might cause so much self-inflicted damage (especially to electrical power infrastructure) that it
would make sense only in the case in which a rogue AI was an existential threat to the .
government or humanity. Even in this extreme case, however, one would need to be sure that the cure
was not worse than the disease. That is, humans would have to know that the attack would be more
detrimental to the AI’s ability to threaten humanity than it would be to humans’ ability to continue to
respond effectively to subsequent AI actions; the benefit must be worth the enormous cost. If the AI
can meaningfully survive and thrive after a HEMP attack (., via shielded robotics that might be
largely unaffected or restoration of capability from backed-up systems), it would be extremely
6 Importantly, these detonations would need to be staggered in time to allow the ionized atmosphere to relax to a normal state
between detonations.
5
counterproductive to cripple humanity’s own computing, telecommunication, and power
infrastructure, which humans might need to combat the rogue AI and its various manifestations.
Fourth, one would need to assume that the HEMP attack would not be likely to cause
adversaries to massively counterattack with their own nuclear arsenals. The United States would
be employing its nuclear arsenal to cripple other countries’ infrastructure. Without some kind of
multilateral communication and credible signaling of intent, any international action would look
exactly like a preemptive nuclear strike, inviting a response in kind from nuclear-armed adversaries
(and even partner nations). It would do little good to mitigate one existential threat to the .
government while directly causing another.
If all of the above assumptions are granted, then it is possible that a HEMP attack would be a
viable counter to a rogue AI that was an existential threat to the . government or humanity. I note,
however, that it may be extremely unlikely that all of these criteria can be met, especially in the case in
which a truly global phenomenon is required. In cases in which a global phenomenon is not needed
and specific targets can be identified, other response options with less collateral damage and risk of
massive retaliation would likely be better. Authorities might, for example, opt to cut power to a data
center cluster or a region rather than opt for a HEMP attack. Given these considerations, HEMP may
not be a viable technical option to counter rogue AI.
Internet Shutdown
Some rogue AI scenarios assume that the AI would be able to use the Internet to replicate itself
across global information technology infrastructure and coordinate the actions of replicated instances
(Clymer, Wijk, and Barnes, 2024; Kokotajlo et al., 2025). In such a scenario, it might make sense to
shut down the global Internet as a means of denying this capability to the rogue AI. The objective of
shutting down the Internet would be to hinder or eliminate the ability for the rogue AI to replicate
further and coordinate further harmful actions across distributed instances and systems. Such a
strategy would come with serious trade-offs because humankind has become highly dependent on the
Internet for coordinating and operating critical societal functions, including industrial control systems
in critical infrastructure, financial systems, public safety, traffic control, military functions, and more.
Shutting down the Internet without preparation and efforts to proactively build resilience would
result in massive economic harm and significant harm to human well-being, depending on which
functions were significantly disrupted and for how long.
It is also unclear whether the Internet could be effectively shut down without the timely assent of
multiple international actors. The Internet is built to be highly redundant, distributed, and resilient.
There are few, if any, true centralized points of failure that could be leveraged to perform a global
shutdown. Therefore, any shutdown effort might require significant coordination of actions involving
public and private entities over wide geographic distributions to overcome the inherent resilience of
the Internet.
6
Technical Means and Challenges
I propose three technical means of shutting down the Internet, including a discussion of the
technical challenges associated with each part. These three means could conceivably all be done in
concert. The first two parts involve attacks using the border gateway protocol (BGP) and the domain
name system (DNS). These attacks would target the systems used to route Internet traffic globally.
The third part of the strategy would attack the physical aspect of routing: disconnecting connections
at Internet exchange points (IXPs).
Kill Switches Using BGP
BGP is the cornerstone of global Internet routing. It is responsible for determining the most
efficient path for data packets to travel between different networks, known as autonomous systems
(ASes). An AS is essentially a collection of Internet Protocol (IP) networks and routers under the
control of a single organization, which presents a unified routing policy to the Internet. BGP enables
ASes to exchange routing information, allowing data to traverse the complex web of interconnected
networks that make up the Internet.
BGP operates by advertising prefixes (or blocks of IP addresses) to neighboring ASes. These
advertisements inform other networks about the best routes to reach specific destinations. The
protocol’s decentralized nature ensures scalability but also introduces vulnerabilities because routing
decisions rely on trust between ASes.
BGP can be manipulated to disrupt Internet connectivity on a massive scale. Two approaches to
achieve this action are preventing the establishment of new BPG sessions and leveraging centralized
points of failure within BGPSec, which is an enhanced security mechanism for BGP.
There are several ways to prevent the establishment of new BGP sessions, including global route
withdrawal. Global route withdrawal would involve the nearly simultaneous announcement of the
withdrawal of routes to prefixes controlled by backbone network providers. Backbone network
providers, also known as Tier 1 networks, have a global presence, owning core infrastructure in
multiple countries, and they have access to the entire Internet via free and reciprocal peering
agreements with other Tier 1 providers. Effecting this tactic on a global scale would likely require
simultaneous control (., the ability to dictate organizational actions) over most of the Tier 1
network providers that make up the backbone of the Internet. If every Tier 1 provider were to
withdraw all its prefix announcements at once, it would likely make nearly the entire Internet
unreachable. 7 As an alternative, providers might simply prevent new BGP sessions across their
networks by filtering all routes, then exacerbate and prolong the outage by failing to honor route
withdrawals from neighboring ASes (as happened unintentionally during a major outage in 2020)
(Medina and Kesavan, 2020).
7 To truly make the entire Internet unreachable would likely require all the approximately 200,000 ASes to also withdraw their
prefixes, but having Tier 1 networks withdraw their prefixes would make the vast majority of the Internet effectively unreachable.
Nevertheless, a highly sophisticated AI actor might be able to manipulate systems to identify alternative routes through other
paths.
7
Exploiting centralized points of failure in BGPSec might be a viable alternative to coordinating
control over individual Tier 1 providers. BGPSec is designed to mitigate some of the vulnerabilities
inherent in BGP by introducing cryptographic validation of routing updates. It relies on Resource
Public Key Infrastructure (RPKI), which associates ASes with cryptographic certificates to
authenticate their routing announcements. The RPKI is rooted in regional Internet registries, of
which there are five around the world (Rothenberger et al., 2017). These regional Internet registries
offer potential central points of failure, because coercing their cooperation or compromising their
cryptographic keys could allow an attacker to forge update announcements and control Internet traffic
into compromised ASes (Rothenberger et al., 2017). One could also compromise the root Certificate
Authority that issues certificates to all Tier 1 ASes, then issue a certificate revocation list that revokes
the certificates of each Tier 1 AS. This action would “cause other BGPSec-enabled networks to reject
routing updates from the targeted AS and invalidate the entire subtree of certificates. This effectively
makes the [routing] prefix invisible” (Rothenberger et al., 2017). The reach of this tactic would be
diminished by limited implementation of BGPSec among providers, though its importance would
grow as BGPSec implementation
Exploiting BGP to induce an Internet shutdown would face significant challenges. Foremost
among the challenges is that control over routing is highly decentralized, and the tactics presented here
would be highly dependent on gaining simultaneous control over many organizations. There is no
published list of Tier 1 providers, though one could likely infer important providers to target based on
a ranking of their AS cone size (., the number of direct and indirect AS customers).9 However, even
putting aside the challenge of simultaneously coercing all .-based Tier 1 providers to withdraw
their prefix announcements (which might allow for the isolation of the United States from the rest of
the world), global route withdrawal would require control over many providers that are not based in
the United States. Moreover, even if a user controlled all the Tier 1 ASes and withdrew routes to their
prefixes, diverse policies among ASes would work against one’s ability to coordinate this. Routing
anomalies of this scale would be detected by monitoring systems, likely triggering automated rollback
or filtering (Catchpoint, undated; Medina and Kesavan, 2020).
Kill Switches Using DNS
DNS is a foundational Internet technology that translates human-readable domain names (.,
) into machine-readable IP addresses (., ). It is a distributed directory that
allows devices to locate and connect to websites, services, and other Internet resources. DNS is
hierarchical in structure and relies on a network of servers, including 13 root servers operated by 12
distinct organizations. These root servers, along with nearly 2,000 instances distributed globally, form
the backbone of DNS operations and ensure the reliability of name resolution across the Internet
(, undated).
If all 13 root servers and their operators were compromised, either through physical or cyber
means, it would be possible to shut them down entirely or inject false DNS records, known as global
8 For example, a nonrepresentative 2022 survey of participants in Mutually Agreed Norms for Routing Security found that only
15 percent had even reviewed or tested beta implementation of BGPSec (Kruse, 2022).
9 One such ranking is published by the Center for Applied Internet Data Analysis (undated).
8
DNS poisoning. This would render domain names unresolvable, effectively cutting off access to
websites and services for users worldwide. Users might still technically be able to access the Internet,
but only if a user knew every IP address needed (which a user would normally find using DNS)
(SolarWinds, 2007). This would likely require an attack on all 12 operators, and success would also
depend on the ability to quickly propagate changes to all mirrored root server instances controlled by
them worldwide from centralized control points.
DNS Security Extensions (DNSSEC), a cryptographic security protocol that can secure DNS by
providing authentication and integrity functions to DNS, might also be targeted. Like BGPSec, it
offers potential single points of failure associated with the compromise or replacement of root
cryptographic keys, and this could allow disruption of authentication for the entire DNS ecosystem,
invalidating cached DNS records globally (Rothenberger et al., 2017). However, current global
adoption of DNSSEC is low, so it is unclear how widespread the impact from such an attack would be
(Huston, 2023). I do not consider it further here.
Although it would no doubt be extremely difficult to somehow gain simultaneous operational
control of all 12 root server operators, the United States might have a significant advantage in this
respect: Nine of the root server operators are headquartered in . territory. The remaining three are
headquartered in Sweden, the Netherlands, and Japan (Internet Assigned Numbers Authority,
undated).
In addition to the challenge of gaining operational control of the root server operators, it should be
noted that simultaneously shutting down all the root servers (or compromising them by some other
technical means) would not lead to the immediate cessation of name resolution across the Internet.
An AI might still navigate the Internet using IP addresses. Network administrators often also keep
copies of the root server file that they could use while root servers were down. Although new DNS
queries would fail, many intermediate servers maintain local caches of the root server file that they
query in lieu of making a request to the root servers. So even if all 13 servers were taken down, routing
would likely continue to function until cached entries expired. After a day, most DNS lookups would
likely fail. Although a global attack on DNS might be feasible, despite the high redundancy and
resilience of the system, its effect would also be muted by policies and practices for efficiently resolving
domain names without regularly querying the root servers themselves.
Disconnecting IXPs
The previous two sections on BGP and DNS describe measures to disrupt the Internet that might
achieve global effects on short timescales. The measures would not, however, affect the physical
infrastructure of the Internet, and a rogue AI’s use of the Internet might be able to continue despite
them. A more robust solution would involve disconnections at the physical layer. This would be a
monumental task, because the Internet is massively geographically distributed and redundant. I assert
that physically disconnecting the complete Internet on any reasonable timescale for countering rogue
AI would be physically impossible. Any such strategy would be overwhelmed by the redundancy of
connections of varying types (., IXPs, private peering, undersea cables, satellites). With that said,
the utility of the Internet for a rogue AI might be quickly diminished with a strategy that targeted key
chokepoints in the infrastructure. Such a strategy would seek to systematically disable or disconnect
key IXPs and submarine cable landing points, prioritizing those that carry the most Internet traffic
9
(see Figure 1). This strategy would never arrive at a complete loss of global connectivity, but it would
progressively eliminate routing paths that offer higher communication bandwidths, cause significant
communication disruptions, and potentially even cut off certain regions of the globe entirely. In this
way, this strategy would present a serious impediment to the rogue AI’s ability to further proliferate
and coordinate actions in a globally distributed manner using the Internet.
Figure 1. Submarine Cable Landing Point Map
SOURCE: Reproduced from TeleGeography, undated-a.
IXPs are physical locations where Internet infrastructure companies connect to exchange Internet
traffic, and submarine cables are the high-bandwidth fiber lines providing intercontinental
connectivity. These two entities are likely the closest thing to physical chokepoints in Internet
infrastructure. They are single physical structures that house many important connections, and
disabling those connections could have serious cascading consequences for global Internet routing
(Thompson, 2016). Undersea cables purportedly carry more than 99 percent of intercontinental
Internet traffic (Mauldin, 2023). That said, both IXPs and undersea cables are still numerous and
highly redundant. Counts of active IXPs vary; the Internet Society states that more than 1,500 IXPs
are active globally, while data from PeeringDB show that there are more than 1,000 IXPs with more
than one connected network (Internet Society, undated; PeeringDB, undated). There are also more
than 600 active or planned submarine cables, as of early 2025 (TeleGeography, undated-b).
Disabling traffic exchange at all of these facilities is likely infeasible under current circumstances,
even under the most optimistic assumptions about available resources and the likelihood of
10
international cooperation in the effort. However, it may not be necessary to disable even the majority
of IXPs to cause significant disruptions to Internet routing. Although there are hundreds of IXPs, a
small handful (., in São Paulo, Brazil; DE-CIX in Frankfurt, Germany; AMS-IX in
Amsterdam, the Netherlands; LINX in London, England; Equinix Ashburn in Virginia) carry a
disproportionately large share of international backbone Internet traffic (PeeringDB, undated). The
data centers in Loudoun County, Virginia, for example, house multiple IXPs, and it was estimated
that 50 to 70 percent of all Internet traffic in 2016 was routed through this collection of data centers
(Thompson, 2016). Major IXPs also typically live in a handful of carrier hotels or data centers. If a
user can physically disable the connection points in those few buildings, a user could significantly
disrupt the spine through which most networks peer. By targeting just the top 10–20 IXPs and
disabling key groupings of undersea cables, one would likely be able to disrupt a significant majority of
Internet traffic.
Although this strategy would likely be immensely challenging in its own right, it is unclear
whether it would actually achieve its objectives with respect to countering rogue AI. The reality is that
the immense redundancy of routing paths around the world will overwhelm any strategy to eliminate
physical connectivity. Disabling all undersea connections would eliminate key high-bandwidth
intercontinental connections, but intra-country connections and satellite connections would still be
available. Each major IXP itself holds many redundant connections and facilities; thus, there may be
no clear centralized point to disable. Finally, even if one could disable all IXPs, all submarine cables,
and even shut down satellite network operators, one would still need to contend with massive amounts
of private peering infrastructure. Major content providers often invest in private network
interconnects, private fiber networks, and even private undersea cables, bypassing public IXPs entirely
(Burdette et al., 2023).
Utility of Internet Shutdown Techniques to Counter Rogue AI
Targeting BGP and DNS would be technically challenging, but they may represent feasible
approaches to shutting down the global Internet, at least temporarily. The success of these approaches
would depend, however, on the inability of an AI to usefully communicate using Internet
infrastructure without the protocols designed to facilitate human use of that infrastructure. A very
clever and capable rogue AI might be able to do so. Physical disconnecting IXPs and undersea cables
is a less viable approach, which I will explain below.
Utility of Targeting BGP
Halting Internet routing by targeting BGP would be highly technically challenging. The foremost
barrier would be the need to acquire control of most of, if not all, the Tier 1 providers. This would be
especially challenging because, while the full list of Tier 1 providers may not be known, most of them
are likely to reside outside the United States. To realize an Internet shutdown by targeting BGP, one
would need to make the following three main assumptions:
1. The . government could unilaterally gain control of all, or nearly all, of the Tier 1 network
providers around the world simultaneously.
11
2. Halting BGP connections and routing through all Tier 1 providers would be sufficient to halt
Internet traffic, and a rogue AI would not be effective at configuring high-bandwidth routes
through other lower-tier ASes and private networks in a scalable manner.
3. BGP connections could be halted on short timescales once the . government gained
control of Tier 1 providers.
If these assumptions held, then targeting BGP would be a viable approach to halt the proliferation
of rogue AI through the Internet or prevent it from coordinating further actions by using the Internet.
However, the second assumption, in particular, may be unrealistic in the face of a highly capable rogue
AI that might be able to easily configure new routes through systems it controlled. Moreover, this
strategy would contain, but not eradicate, the rogue AI. Eradication would have to take place by some
other means, and humans would need to coordinate the eradication of the AI without use of the
Internet.
Utility of Targeting DNS
Hindering Internet traffic by targeting root DNS servers might be the more tractable option.
Nine of the 12 root DNS server operators are headquartered in the United States, and the remainder
are located in allied countries, which might give the United States an opportunity to act swiftly to shut
them all down nearly simultaneously. To realize an Internet shutdown via targeting DNS, however,
one would have to assume
1. that the United States can unilaterally shut down all 13 root DNS servers simultaneously by
taking control of the 12 root server operators
2. that the rogue AI is reliant on domain name resolution for its proliferation—that is, that a
clever AI adversary would be stymied by the lack of DNS and be unable to just use actual IP
addresses to route traffic
3. that local caches of the root server file would be inadequate to resolve domain names in the
absence of root DNS servers.
If these three assumptions held, then shutting down DNS servers would be a viable approach to
halt the proliferation of a dangerous AI through the Internet or hinder it from further coordinating
actions using the Internet. Again, however, the second assumption may be particularly unrealistic in
the face of a significant rogue AI threat that might easily access stored DNS records or bypass domain
name resolution entirely by using IP addresses. DNS is a solution to a human problem, and its loss
may not ultimately present a significant barrier to a capable, clever AI adversary. Finally, this
approach would also only hinder or contain the AI, not eradicate it, which would need to be managed
separately.
Utility of Disconnecting IXPs
More robustly shutting down the Internet by severing connections or physically targeting IXPs is
likely a technically infeasible approach without significantly restructuring current Internet
infrastructure to facilitate a prompt disconnect capability. In addition to achieving near-unanimous
international agreement on the need to take this action, it would involve thousands of people across
12
hundreds of globally distributed sites disconnecting myriad cables. One could take a more destructive
approach and target each IXP with explosives or power cuts, but there are likely too many IXPs to
achieve their wholesale destruction without international cooperation. Even if one succeeded in
effectively disrupting every global IXP, it would likely only slow, but not halt, global Internet traffic,
which could likely be rerouted through other channels. Finally, like the other options for disrupting
the Internet, this approach would only hinder or stop the proliferation of the rogue AI, not eradicate
it, which would need to be managed separately.
AI Tools to Counter Rogue AI
AI tools might also be a viable approach to use against a rogue AI agent. Although several
approaches have been proposed to keep AI in check and keep it from becoming a rogue AI in the first
place (Mickens, Radway, and Netravali, 2025; Bengio et al., 2025; Engels et al., 2025), I consider
instead AI tools (., narrow, rather than general, AI models for which agency has been removed or
restricted) that would be used after the appearance of a rogue AI. These tools would take two
approaches: resource denial and eradication. That is, one version of these tools would have the
objective of self-replicating and competing for computing resources with the rogue AI wherever it
proliferated, hindering further harmful AI actions by denying it key computing resources. The second
tool type would have the objective of proliferating and removing the rogue AI from any system that
had been infected.
Resource Depletion: Digital Vermin
This idea adapts the concept of digital vermin to be used as a tool to combat rogue AI. Digital
vermin are digital organisms that are designed to evince collective intelligence and the capacity to
evolve (., self-modify) to colonize new digital In other words, it would consider the
cyber domain as an ecosystem, with computing resources to be consumed and ecological niches that
artificial life could fill, that was being rapidly dominated by a new form of life (the rogue AI). In this
conception, the use of this speculative tool would be the equivalent of the introduction of an invasive
pest into such an ecosystem. Digital vermin used to combat rogue AI would be intentionally designed
to rapidly colonize new computing environments and compete with the rogue AI for computing
resources. In many ways, this approach would be similar to a sophisticated fork bomb attack—an attack
that iteratively spawns new compute processes—or a self-replicating cryptojacking program that
would spread on a massive scale, consuming compute cycles on useless calculations instead of mining
Most of the technical requirements for such a tool are not able to be determined at
this stage of conceptual development, but at a minimum, it would require the following characteristics:
10 Credit to my RAND colleague Edward Geist for conceptualizing digital vermin in a personal communication. His original
concept of digital vermin described digital organisms that “went feral” and jumped from virtual machine simulations into real-
world computing environments.
11 Cryptojacking refers to a “threat that embeds itself within a computer or mobile device and then uses its resources to mine
cryptocurrency” (Fortinet, undated).
13
1. advanced offensive cyber capabilities12 that would allow it to establish persistence in new
systems and run new computing processes
2. the ability to self-modify sufficiently to colonize new computing environments and compete
effectively with the hostile rogue AI
3. ideally, an embedded kill switch that would allow the tool to be halted or eradicated after the
rogue AI crisis had passed.
It is reasonable to assume that the first capability would be practical to achieve in a scenario where
this tool was be considered for deployment, because presumably the rogue AI would also already
possess that The second assumption is uncertain, specifically whether the digital vermin
could compete effectively against a powerful rogue AI. Success would depend on the digital vermin’s
ability to rapidly self-modify, evolve, and adapt to evade the rogue AI’s counteractions, and a
sufficiently intelligent and capable rogue AI might be able to overcome that adaptability to eradicate
the digital vermin. The third characteristic might be considered optional. First, because the priority
could be on impeding the rogue AI by any means, and post-crisis recovery might be a secondary
concern. Second, because it would potentially introduce a vulnerability that the rogue AI could
discover and exploit to combat the digital vermin.
Eradication: Hunter/Killer AI
Hunter/killer AI (HKAI) might be created, whose purpose is to hunt the rogue AI on systems
where it has proliferated, then eradicate it from those systems. HKAI would spread and combat the
rogue AI on digital terrain, seeking to impede and ultimately eradicate the presence of the rogue AI.
Such a tool would require, at minimum, the following characteristics:
• It must have advanced offensive cyber capabilities that would allow it to establish persistence
in new systems and run new computing processes.
• It must have capabilities sufficient to disrupt, contain, or eradicate the rogue AI, assuming that
the rogue AI would be an adaptable adversary that also has access to significant computing
resources.
• It must ultimately remain in human control or be effectively aligned with humans.
Similar to digital vermin characteristics, it should be assumed that the first characteristic is
practical to achieve in a scenario in which a rogue AI has already been created with that capability. It is
unclear whether the second characteristic and third characteristic can both be simultaneously
achieved, because it is possible that they are mutually exclusive. That is, without giving HKAI the
same independence and agency presumably possessed by the rogue AI, it might be unlikely that it
would be able to compete effectively against a less constrained adversary. It might be possible to use
12 For a useful discussion of what advanced AI cyber capabilities might look like, see Lohn (2025).
13 This further assumes that the digital vermin would need to be able to exploit vulnerabilities and establish persistence in
environments controlled by the rogue AI—that is, it assumes that the rogue AI has not somehow inoculated those environments
against digital vermin.
14
HKAI in tandem with guardrail AI (such as those proposed in Engels et al. [2025]), but guardrails
meant to retain control of the AI might ultimately constrain HKAI’s effectiveness and render it
unable to compete with the rogue AI. However, HKAI might also have a key advantage over a rogue
AI. Whereas the rogue AI would likely be using attacks to illicitly acquire and use computing
resources, HKAI could have significant compute capacity dedicated for its use. That is, the rogue AI
might need to scrounge for resources among disparate devices, fighting defenses to obtain computing
resources, whereas HKAI could access data centers worth of readily available compute capacity.
Ultimately, this advantage might be sufficient to overcome constraints on HKAI meant to retain
control of it, assuming that capability is practically tied to available compute capacity.
Layered Strategy
The technical options explored in this paper—HEMP, a global Internet shutdown, and
deployment of tool AI—each present unique risks, trade-offs, and uncertainties in their application to
counter rogue AI. Although these strategies offer potential pathways to disrupt or neutralize a rogue
AI, none of them should be considered a comprehensive solution on its own. Instead, they should be
evaluated as tools that are part of a layered defense strategy, recognizing that a global crisis resulting
from a rogue AI would require multifaceted and redundant approaches. For example, tool AI could be
deployed to directly counter and eradicate a rogue AI, after which Internet shutdown measures could
be used to limit the rogue AI’s ability to proliferate and coordinate further actions. HEMP could serve
as an absolute last resort in scenarios where other measures fail and existential threats remain
(especially where the rogue AI has robust cyber-physical manifestations).
15
Risks and Trade-offs of Individual Options
• HEMP: The use of HEMP carries the risk of massive collateral damage, including widespread damage to
critical infrastructure, economic systems, and human well-being. Its effectiveness is highly uncertain,
given the variability in shielding and the resilience of modern electronics. Moreover, the geopolitical risks
of nuclear retaliation by adversaries could escalate the crisis. Although HEMP could theoretically disrupt
AI operations dependent on vulnerable electronics, its uncertain effectiveness and significant collateral
damage limit its utility.
• Internet shutdown: Shutting down the Internet via BGP manipulation, DNS disruption, or the physical
disconnection of IXPs presents significant technical and logistical challenges. These methods could
impede AI proliferation by limiting its ability to replicate and coordinate globally, but they also risk
crippling critical societal functions. Furthermore, the redundancy and resilience of the Internet make it
difficult to achieve a complete shutdown, and a rogue AI may find alternative pathways to communicate.
The trade-off lies in balancing the expected disruption to AI against the harm to human infrastructure
and the global economy.
• Tool AI: Deploying tool AI, especially HKAI, offers a more targeted approach to combating rogue AI.
However, these tools come with their own risks, including the potential for unintended consequences,
loss of control, and vulnerabilities that could be exploited by the rogue AI. While tool AI would be less
destructive to human infrastructure than HEMP or an Internet shutdown, its effectiveness would depend
on its ability to outcompete and eradicate the rogue AI without becoming a secondary problem.
The use of such a layered approach would recognize that the rogue AI may exploit vulnerabilities
in any single strategy, but a combination of methods would constrain its capabilities more effectively.
Ultimately, decisions on which strategies to deploy must be informed by real-time assessments of the
rogue AI’s capabilities, the risks to human infrastructure, and the geopolitical implications of each
action. Moreover, even such a layered approach might be insufficient to successfully address the
complex challenges posed by rogue AI, and better concepts and capabilities are likely needed.
Conclusions
The analysis described thus far is intended to be an exploratory examination of a sample of global
technical options for countering a rogue AI. I intentionally limited analysis to options with potential
global reach and that could be executed unilaterally by the . government on a short timescale. This
significantly limited the scope of options I considered. Other options might also be worthy of
consideration, and the options I examined could be evaluated in more depth. Future work might
examine these options in greater technical depth or assess alternative options (., high-powered
microwave attacks), kinetic strikes on key infrastructure (., power generation), or alternative
hardware-based options. Despite the preliminary character of this analysis, it provides support for
three initial conclusions, which I describe below.
First, the existing technical tools for combating a globally proliferated rogue AI may not offer
effective solutions. I described the assumptions that would need to hold true in order for these tools
to be effective, and in each case, these conditions would be difficult to meet, even if the threat were
clear and authorities were willing to accept significant collateral damage. The solutions involving tool
16
AI appear relatively more likely to be effective, though as of this writing, they are highly speculative
and come with their own risks. One secondary conclusion from this finding is that more research and
development is needed to identify and evaluate other potential technical options and alternative
approaches to use in this scenario.
Second, coordination and planning offer potentially important risk mitigation measures. I
assumed that each option needed to be executed on a very short timescale in a crisis, and this
assumption precludes any strategy that involves starting a lengthy coordination with other partners
and stakeholders from scratch. However, if that coordination and planning had already occurred
before a crisis began, then other options could be available to counter the rogue AI. Moreover, if
globally reaching, unilateral actions are unlikely to be effective at addressing a crisis, then authorities
would need to significantly rely instead on rapid, effective actions coordinated with partners. This
coordination could enable rapid, distributed local, regional, and national responses, rather than
unilateral global action with significant collateral damage and a low likelihood of success.
Third, the likely lack of effective tools for countering a global AI catastrophe highlights the
importance of prevention. Measures to prevent such a crisis have been examined elsewhere, and
examples include the shut-it-down approach (Duleba, 2024), alignment and safety research (Ji et al.,
2025), use of other AI to create guardrails (Bengio, 2025; Engels et al., 2025), and more (Dung,
2025). I have not attempted to evaluate the relative value of any of these approaches here. Yet, I
conclude by noting that if we have no effective solutions to solve a crisis resulting from a rogue AI, it
will be imperative that we never encounter such a crisis.
17
Abbreviations
AI artificial intelligence
AS autonomous system
BGP border gateway protocol
DNS domain name system
EMP electromagnetic pulse
EPRI Electric Power Research Institute
HEMP high-altitude electromagnetic pulse
HKAI hunter/killer artificial intelligence
IP Internet Protocol
IXP Internet exchange point
RPKI Resource Public Key Infrastructure
18
References
Bengio, Yoshua, Michael Cohen, Damiano Fornasiere, Joumana Ghosn, Pietro Greiner, Matt MacDermott,
Sören Mindermann, Adam Oberman, Jesse Richardson, Oliver Richardson, Marc-Antoine Rondeau,
Pierre-Luc St-Charles, and David Williams-King, Superintelligent Agents Pose Catastrophic Risks: Can
Scientist AI Offer a Safer Path? arXiv, arXiv:, February 24, 2025.
Bostrom, Nick, “Existential Risks: Analyzing Human Extinction Scenarios and Related Hazards,” Journal of
Evolution and Technology, Vol. 9, March 2002.
Burdette, Lane, Paul Brodsky, Patrick Christian, Jon Hjembo, Alan Mauldin, Tim Stronge, Marvin Tan, and
Juan Velandia, The State of the Network: 2023 Edition, TeleGeography, 2023.
Catchpoint, “BGP Hijacking,” webpage, undated. As of June 18, 2025:
Center for Applied Internet Data Analysis, “AS Rank,” undated. As of October 21, 2025:
Clymer, Josh, Hjalmar Wijk, and Beth Barnes, “The Rogue Replication Threat Model,” METR blog,
November 12, 2024. As of October 20, 2025:
Duleba, Gretta, “MIRI 2024 Communications Strategy,” Machine Intelligence Research Institute, May 29,
2024.
Dung, Leonard, “Evaluating Approaches for Reducing Catastrophic Risks from AI,” AI Ethics, Vol. 5, April
2025.
Electric Power Research Institute, High-Altitude Electromagnetic Pulse and the Bulk Power System: Potential
Impacts and Mitigation Strategies, April 2019.
Engels, Joshua, David D. Baek, Subhash Kantamneni, and Max Tegmark, “Scaling Laws for Scalable
Oversight,” arXiv, arXiv:, May 9, 2025.
EPRI—See Electric Power Research Institute.
Fortinet, “Cryptojacking,” webpage, undated. As of June 19, 2025:
Foster, John S., Jr., Earl Gjelde, William R. Graham, Robert J. Hermann, Henry (Hank) M. Kluepfel, Richard
L. Lawson, Gordon K. Soper, Lowell L. Wood, Jr., and Joan B. Woodard, Report of the Commission to
Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack: Vol 1, Executive Report,
2004.
Huston, Geoff, “Measuring the Use of DNSSEC,” APNIC, September 18, 2023.
Internet Assigned Numbers Authority, “Root Servers,” webpage, undated. As of June 5, 2025:
19
Internet Society, “IXP Tracker,” webpage, undated. As of June 5, 2025:
Ji, Jiaming, Tianyi Qiu, Boyuan Chen, Borong Zhang, Hantao Lou, Kaile Wang, Yawen Duan, Zhonghao
He, Lukas Vierling, Donghai Hong, Jiayi Zhou, Zhaowei Zhang, Fanzhi Zeng, Juntao Dai, Xuehai
Pan, Kwan Yee Ng, Aidan O'Gara, Hua Xu, Brian Tse, Jie Fu, Stephen McAleer, Yaodong Yang, Yizhou
Wang, Song-Chun Zhu, Yike Guo, and Wen Gao, “AI Alignment: A Comprehensive Survey,” arXiv,
arXiv:, April 4, 2025.
Kokotajlo, Daniel, Scott Alexander, Thomas Larsen, Eli Lifland, and Romeo Dean, “AI 2027,” AI Futures
Project, April 3, 2025.
Kruse, Megan, “The US FCC Asked About Routing Security. Here’s What MANRS Participants Had to
Say,” Mutually Agreed Norms for Routing Security, April 13, 2022.
Lohn, Andrew J., The Impact of AI on the Cyber Offense-Defense Balance and the Character of Cyber Conflict,
arXiv, arXiv:, April 17, 2025.
Mauldin, Alan, “Do Submarine Cables Account for 99% of Intercontinental Data Traffic?” TeleGeography,
May 4, 2023.
Medina, Angelique, and Archana Kesavan, “CenturyLink/Level 3 Outage Analysis,” Cisco ThousandEyes blog,
September 1, 2020. As of June 18, 2025:
Mickens, James, Sarah Radway, and Ravi Netravali, Guillotine: Hypervisors for Isolating Malicious AIs, arXiv,
arXiv:, April 22, 2025.
National Coordinating Center for Communications, Electromagnetic Pulse (EMP) Protection and Resilience
Guidelines for Critical Infrastructure and Equipment, version , February 5, 2019.
Nielsen, Michael, “ASI Existential Risk: Reconsidering Alignment as a Goal,” Astera Institute, April 14, 2025.
PeeringDB, The Interconnection Database, undated. As of June 1, 2025:
, homepage, undated. As of June 5, 2025:
Rothenberger, Benjamin, Daniele E. Asoni, David Barrera, and Adrian Perrig, “Internet Kill Switches
Demystified,” EuroSec’17: Proceedings of the 10th European Workshop on Systems Security, 2017.
Savage, Edward, James Gilbert, and William Radasky, The Early-Time (E1) High-Altitude Electromagnetic Pulse
(HEMP) and Its Impact on the . Power Grid, Metatech Corporation, Meta-R-320, January 2010.
SolarWinds, “How the Internet Could Come to a Stop,” Tech Musings blog, February 15, 2007. As of June 5,
2025:
TeleGeography, “Submarine Cable Map,” webpage, undated-a. As of August 28, 2025:
TeleGeography, “Submarine Cable Frequently Asked Questions,” webpage, undated-b. As of June 5, 2025:
20
Thompson, Michael, Understanding Physical Internet Infrastructure Vulnerabilities, Center for Infrastructure
Protection & Homeland Security, George Mason University, September/October 2016.
. Department of Defense, Department of Defense Interface Standard: High-Altitude Electromagnetic Pulse
(HEMP) Protection for Ground-Based C4I Facilities Performing Critical, Time-Urgent Missions, MIL-STD-
188-125-2, March 3, 1999.
. Department of Homeland Security Science and Technology Directorate, Electromagnetic Pulse Shielding
Mitigations: Best Practices for Protection of Mission Critical Equipment, August 2022.
Vermeer, Michael J. D., Emily Lathrop, and Alvin Moon, On the Extinction Risk from Artificial Intelligence,
RAND Corporation, RR-A3034-1, 2025. As of October 20, 2025:
Williams, Kevin, “If AI Attempts to Take Over World, Don’t Count on a ‘Kill Switch’ to Save Humanity,”
CNBC, July 24, 2025.
Yudkowsky, Eliezer, “Artificial Intelligence as a Positive and Negative Factor in Global Risk,” in Nick Bostrom
and Milan M. Ćirković, eds., Global Catastrophic Risks, Oxford University Press, 2008.
21
About the Author
Michael J. D. Vermeer is a senior physical scientist at RAND. His work focuses on technology
governance and national security implications of emerging technologies. He holds a Ph. D. in
inorganic chemistry.
