We live in an inter-connected, inter-dependent world, not only in digital spaces, but increasingly between the physical and digital worlds. While our inter-connectedness and the accompanying rapid technological change bring with them widespread societal benefits, they can also deepen existing vulnerabilities and create new ones, such as in relation to critical infrastructure interdependencies. These technology-rich and highly dynamic circumstances can be exploited by those with criminal and malicious intent, including terrorists, with potentially extensive and catastrophic consequences, as the 2017 WannaCry cyber-attack illustrated: it had global reach and nearly brought the United Kingdom’s National Health Service to its knees.
We will illustrate this ironic confluence of good news/bad news by focusing on hybrid threats posed by cyber technology to critical national infrastructure. Our op-ed begins by briefly examining the concept of hybrid threats, before examining how they are materialising in the cyber world. The discussion then turns to examining how best to counter hybrid threats to our Critical National Infrastructure (CNI). We propose the development of more dynamic, integrated and innovative resilience planning solutions beyond those that currently exist.
The Concept of Hybrid Threats
Hybrid threats posed by state and non-state actors are expected by many to increasingly challenge countries and institutions globally. In 2016, this recognition led to the creation of the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE), which recognises diverse and wide-ranging forms of terrorism as a potential source of hybrid threats. The Hybrid CoE has defined a hybrid threat in the following terms:
- Coordinated and synchronised action that deliberately targets the systemic vulnerabilities of democratic states and institutions through a wide range of means;
- The activities exploit the thresholds of detection and attribution as well as the different interfaces (war-peace, internal-external, local-state, national-international, friend-enemy);
- The aim of the activity is to influence different forms of decision making at the local (regional), state, or institutional level to favour and/or gain the agent’s strategic goals while undermining and/or hurting the target.
As the broad parameters of this definition reveal, hybrid threats can take a multitude of diverse forms. They can pose many practical and legal challenges too, such as how to detect, investigate, and attribute them in order to identify and bring to account their perpetrators, whether state or non-state actors.
In some sense, state and non-state terrorists have long engaged in a range of terrorist activities for political, economic, social, and other ends, in line with technological and especially digital developments. That said, the more recent categorisation of such activities as hybrid threats, and the increased focus being afforded to them, is helpful in giving sharper clarity and attention to just what those threats are. Some examples identified by the Hybrid CoE include 'influencing information; logistical weaknesses like energy supply pipelines; economic and trade-related blackmail; undermining international institutions by rendering rules ineffective; terrorism or increasing insecurity.' Hopefully, the higher profile being afforded to hybrid threats will be accompanied by commensurate investment to ameliorate some potentially critical gaps and vulnerabilities. Current national approaches to the protection of CNI, for example, cry out for a rethink of current approaches to resilience planning, especially in relation to security threats and disaster risk factors.
Hybrid Threats, Terrorism, and Cyber Vulnerabilities
A cyber-based hybrid threat might take a number of forms in the context of terrorism. For instance, it might be a direct, planned attack against pre-determined CNI; or it may be more opportunist, e.g., exploiting a temporary weakness in CNI security measures in the wake of a ‘na-tech’ scenario (where a natural disaster, such as an extreme weather event, triggers technological risk such as power grid failures, often with concurrent or cascading effects, explained further by the UN Office for Disaster Risk Reduction (UNDRR) in Section 9 on Natech Hazard and Risk Assessment of its 2017 National Disaster Risk Assessment report).
One of the critical tools of terrorist organisations is surprise—the event or events they plan and carry out come without notice to the impacted state or private firm. With such lack of notice or lack of transparency as their backdrop, terrorists also know that non-kinetic intrusions into most states or CNI will not trigger a full-on response. Military assets and expertise may remain on the side-lines because no one is (yet) injured or dead. Police and other law enforcement resources await evidence of the commission of crimes. Traditional emergency and disaster response teams and mechanisms may not be alerted or deployed either, at least not until the malware causes cascading CNI failures. Even worse, if the malware is placed and then operationalised transboundary, all of the above tendencies to wait or stand by will be exacerbated by the complications of international cooperation and coordination.
Imagine that a major European urban centre is hit with a massive electric grid attack in the midst of a summer heat wave. Attackers have combined physical assaults on grid hardware, including transformers and power stations in three states, with widely distributed malware that is manipulating and disabling the internet-connected SCADA systems that control power distribution (Supervisory Control and Data Acquisition (SCADA) is a control system architecture that uses computers to manage physical processes, such as electricity distribution). The assailants on grid hardware and facilities are on the loose, and the suspects were observed but not identified. The malware could not be attributed to any particular location (the computers that disseminated the software are located all over the world), nor to any state, terrorist organisation, criminal group, or individual.
Such a hybrid attack is hardly fanciful. Successful physical assaults on the grid have occurred, and the digital systems that control the CNI in most countries are easily penetrated, due to dated architecture and relatively lax governmental controls. Of course, all the sectors of CNI require electricity to function. In other words, the impacts from such a hybrid terrorist attack could cascade across sectors and national boundaries. After a successful assault on California grid components in 2016, Lloyd’s of London reported that a serious attack on the U.S. electric grid could result in losses of $243 billion to $1 trillion in the most damaging scenarios.
Review of Current Resilience Planning Approaches
The term ‘resilience planning’ is used here in a broad sense not only in relation to an entity’s ability to absorb, respond to and recover from shocks such as a terrorist attack, but ideally also to prevent or at least mitigate disaster impacts should such a shock occur.
At present, there are a number of common weaknesses in public and private sector approaches to resilience planning, with potentially catastrophic implications, notably in terms of preventing and mitigating disaster impacts and losses. The potential scale of such losses is starkly illustrated by a recently published policy report of the World Bank Group examining the business costs associated with unreliable infrastructure in developing countries. It estimated that losses of a staggering US$151 billion per year are attributable to transport, electricity, and water disruptions alone.
A number of key potential weaknesses and vulnerabilities are outlined briefly here, with proposed solutions. These weaknesses are especially pronounced in the context of novel and emerging technological risk, including cyber-related risk and vulnerabilities, where resilience planning approaches typically do not keep sufficiently up-to-date with technological developments.
(1) Putting new wine into old rather than new wineskins.
Traditionally, there have been clear lines of division between security and disaster risk mitigation/management paradigms, including in conceptual, legal, operational and policy terms. Traditionally, the security paradigm has focused on law enforcement, intelligence gathering, crime prevention and related aspects, whereas disaster risk mitigation/management has been concerned principally with crisis or emergency management, contingency planning, and business continuity considerations. Certainly, such approaches are unlikely to respond well to hybrid threat scenarios especially where the physical and digital spaces meet, though there is evidence of some progress in this regard, such as the work of the EU Commission which recognises linkages between natural and man-made disaster risk including cyber-attacks.
This conventional approach to security and disaster risk can be especially problematic in the context of hybrid threats, which straddle both paradigms and, consequently, require a more integrated approach to be developed. This is illustrated by current technological developments towards remotely controlled and, ultimately, autonomous shipping. Not only has technological innovation leapt ahead of the development of accompanying regulatory frameworks, but the International Maritime Organisation, as the global regulatory lead on shipping-related safety and security issues, is constrained by its mandate. It is unable, therefore, to approach its regulatory review in such an integrated manner, which is likely to result in potentially significant gaps and vulnerabilities from both security and disaster risk perspectives.
The revised approach suggested here does not entail rejecting long-established and tested approaches, rather revisiting them with fresh eyes to ensure that all relevant factors are considered and that existing approaches are adapted accordingly. In this way, the ‘new wine’ of technological innovation will not be approached by existing ‘old wine’ paradigms which alone are not fit for purpose and are likely to fail; rather this ‘new wine’ will be considered through a more progressive ‘new wineskin’ paradigm which ensures that all relevant sources of threat and risk are taken into account and appropriately provided for, such as in the development of adequate systems, training, and procurement.
(2) All relevant factors are often not considered.
A resultant, recurring source of vulnerability, attributable to the paradigmatic weaknesses just described, is that often not all relevant factors are identified or included within planning approaches. This impacts directly and negatively upon an entity’s likely resilience, such as in the event of a terrorist attack. If the initial risk analysis is flawed, the resilience planning measures built on it are likely to prove inadequate, because incomplete foundational planning assumptions (mis)inform the systems developed, the training undertaken, the equipment procured and the personnel recruited, among other items.
Significant, well-known vulnerabilities exist currently in relation to cyber security within often complex CNI supply chains. For example, a CNI contract would normally include minimum obligations regarding cyber security, such as the attainment of ISO/IEC 27001 on Information Security Management or a nationally recognised standard such as Cyber Essentials in the UK. However, a primary contractor is not always contractually obliged to ensure that the same is true for its sub-contractors though the position is changing.
Recently, the importance and pressing nature of such vulnerabilities in a cyber context were illustrated starkly by the discovery of legitimate-looking Apple Lightning cables. Though they look and initially function like normal cables, they have been maliciously modified to include extra components which allow their designer to remotely hack into personal computers. Clearly, such threats could be, or are already being, replicated across public and private sector entities. Despite their potentially devastating consequences, however, most likely many entities do not include such supply chain vulnerabilities fully, if at all, within their organisational resilience planning considerations.
Another reason why many state and non-state entities are unlikely to consider all relevant factors that apply to hybrid threats is that typically their resilience planning is short rather than longer term in approach. Generally, business continuity planning, crisis/emergency management and contingency planning focus on preparing for, responding to and recovering from the immediate aftermath of an incident. For instance, typically a cyber security framework will focus on the elements of Identify, Protect, Detect, Respond and Recover, or a variation thereof. As a result, the business is unlikely to make the necessary investment to identify all potentially relevant threats, risks and hazards, often focussing primarily on how to respond to specific, most likely, incidents and their impacts. Therefore, in a hybrid threat scenario it may miss some important and relevant factors.
Furthermore, where organisations are more inclined to shorter-term approaches, they are unlikely to commit to or reap the potential benefits of longer-term preventative and mitigating measures. This is despite the fact that such measures are likely both to reduce the likelihood of some incidents from occurring as well as reduce their impacts should preventative measures not fully succeed. Indeed, even where incident plans and other cyber security systems are in place, their effectiveness can be undermined by such factors as insufficient awareness about cyber security or insufficient testing of systems, as a recent report of UK boardrooms revealed.
(4) Poor integration between different types of threats, risks, hazards.
As a consequence of the limitations identified above, most existing systems, processes, and frameworks for resilience planning are not (fully) multi-hazard in nature. Therefore, not only are preparedness and responses to different hazard-types unlikely to be fully integrated (e.g., in a na-tech situation, referred to earlier when introducing the concept of hybrid threats), but current plans are unlikely to (fully) embed security implications, such as the risk of a significant cyber-attack whilst responding to the immediate incidents and/or other cascading effects. This is a significant weakness for responding most effectively to different forms of hybrid threat. These are not matters confined to hybrid threats or technological risk, rather the issue of better integrating different risks and hazards, including their likely (cascading) disaster impacts, is the subject of ongoing research and review.
(5) Overreliance on technological (hardware/software) solutions.
Finally, there is a general tendency for both public and private sectors to rely heavily upon technological solutions in response to technological threats. For example, this phenomenon has been evident in the unmanned aerial vehicle (UAV)/counter-UAV world, including additions to existing airport security arrangements. Whilst undoubtedly hardware and software solutions have a pivotal role to play, including in response to hybrid threats, their potential effectiveness is likely reduced if they are not utilised within a context of coherent, integrated and dynamic resilience planning. Not only is it difficult for such developments to keep pace with malicious technological developments (including due to procurement timelines and expense), but they cannot alone provide fully comprehensive solutions. A key benefit of effective resilience planning is that its agility allows it to respond quickly to emerging and changing threats, often at a fraction of the cost of technological solutions.
Hybrid threats—including in the context of terrorist, cyber related activity—pose significant and growing challenges, increasing in line with rapid technological innovations. It is essential, therefore, that all possible avenues in response be explored and progressed, including in the area of effective resilience planning.
The principles and relevance of dynamic resilience planning are, however, not confined to terrorism or cyber-related threats; rather, they apply broadly to other forms of hybrid threats, such as radio frequency and electromagnetic attacks, which increasingly pose a serious and significant threat, as the suspected electromagnetic attack in Venezuela on 22 July 2019 demonstrates.
Recently, the UNDRR, Hybrid CoE and the Finnish Government announced their intention to collaborate on the “develop[ment of] a new stress tool that will help countries understand and improve their ability to reduce risk of hybrid threats and cascading disaster scenarios.” The intention of such a tool is “to measure the current capability of disaster risk reduction systems to reduce complex risk scenarios and recommend improvements and risk reduction approaches that could counteract these interacting threats”. Whilst this is certainly an encouraging development, the benefits in terms of improved, strengthened resilience planning will only be realised partially if the key weaknesses outlined here are not addressed fully.