Security and Resilience: Now Everybody’s Business
In November, just as research for a Covid vaccine was reaching its critical final phase, a string of pharmaceutical companies were hit by cyber attacks. Authorities subsequently traced the attacks to North Korea. Earlier in the year, other organisations working on the vaccine had been targeted by cyber attacks that the UK and other governments attributed to Russia. Medicine-makers would ordinarily not think of themselves as being part of national security, but they’ve unwittingly become participants.
Indeed, so have most other parts of Western societies. With the West’s rivals targeting civil society, better resilience is becoming imperative.
“Having a strong military is fundamental to our security,” NATO Secretary-General Jens Stoltenberg declared in a speech this October. “But our military cannot be strong if our societies are weak. So, our first line of defence must be strong societies. Able to prevent, endure, adapt and bounce back from whatever happens.”
The former prime minister of Norway is not a fiery orator, but with his speech he caught the attention of many, and certainly of the West’s adversaries. For years, NATO and its member states have been aware that they ought to do more about resilience, countries’ ability to absorb and bounce back from blows against their civil societies. But the alliance was busy providing the military defence that is its task.
Here’s the dilemma: perhaps precisely because that military defence is so strong, the West’s rivals are increasingly using non-military aggression to weaken it. And as Stoltenberg pointed out, the military can’t be strong if the society behind it is weak. In fact, hostile states can bring a country to its knees solely by using non-military forms of aggression.
Maersk, the venerable Danish firm that transports more containers than any other shipper and whose cargo vessels dock, on average, once every fifteen minutes every day of the year, discovered what such aggression means on 27 June, 2017, when its IT network suddenly went dark. “All end-user devices, including 49,000 laptops and print capability, were destroyed. All of our 1,200 applications were inaccessible and approximately 1,000 were destroyed. Data was preserved on back-ups but the applications themselves couldn’t be restored from those as they would immediately have been re-infected. Around 3,500 of our 6,200 servers were destroyed,” Maersk’s chief technology and information officer, Adam Banks, told an industry publication two years after the attack.
For days, Maersk could barely operate. The company had been struck by NotPetya, a virus the UK and other Western governments later found had been unleashed by the Russian military. And Maersk was not alone: NotPetya, created by the Russians to cripple Ukraine, first brought down government agencies, banks, airports and hospitals in that country, but then it travelled on and immobilised a string of multinationals including the American pharmaceuticals giant Merck and the snack conglomerate Mondelez (think Oreo cookies).
The fate of Maersk, Mondelez and assorted pharmaceutical companies is shared by businesses around the Western world: though they have for the past couple of decades been told to globalise and done so very successfully, they’re now being targeted by hostile governments because globalisation didn’t produce the peaceful world almost everyone predicted.
And companies, which today both produce and sell heavily abroad, are easy targets because they’re extraordinarily exposed and can’t hit back against a hostile state. Tech giants such as Google certainly would have the skills to do so in case of a cyber attack, but doing so would not just be illegal but would also risk a dangerous escalation.
More importantly, today’s so-called greyzone aggression – conducted in the grey zone between war and peace – goes far beyond cyber attacks. In November, for example, Australia’s winemakers were subjected to a vicious blow when China imposed punitive tariffs on Australian wine. The tariffs, of up to 212%, mean that Australian vintners can no longer sell their wine to their most important export market.
The Australian vintners were targeted not because of anything they’d done to anger the Chinese authorities, but because Beijing was unhappy over Australian criticism of China, especially over its obfuscation over Covid. And Chinese threats to foreign firms don’t stop with Australia. Chinese diplomats have publicly warned, among others, Sweden and the UK that their companies will suffer consequences as a result of these countries’ decision to exclude the Chinese telecoms giant Huawei from their 5G networks.
And when a company is attacked, the wider public will suffer along with it. When Maersk was brought down by NotPetya, it couldn’t deliver the goods local businesses depend on every single day to service their customers – and because most companies operate on a just-in-time model, even a small disruption can be disastrous. During the first weeks of the Covid crisis, consumers all over the (Western) world got a taste of what such disruption looks like, when panic-buying of key items such as pasta, canned goods and toilet paper led to empty supermarket shelves.
This all doesn’t mean we should individually turn into preppers. But it does mean that, as Stoltenberg said, Western societies should be able to prevent, endure and bounce back from non-military attacks against them. Because globalisation can’t – and shouldn’t – be undone, companies will always be at risk of aggression. If they’re targeted by cyber attacks or their supply chains disrupted, they should have a back-up supplier at the ready.
And if those daily goods don’t arrive, or if power or the internet is cut, ordinary citizens should know what to do. Here’s a challenge: stress-test yourself for such situations by going without power or the internet (or, if you’re brave, both) for an hour. Two hours. Six hours. It’s harder than you think. But if we as societies don’t demonstrate that we can cope with disruptions to daily life, we practically invite the West’s adversaries to cause precisely such disruption.
Instituting back-up suppliers in case of supply chain disruption is more challenging. Because modern goods can comprise thousands of different components – a typical car, for example, includes some 30,000 components – manufacturers use a range of different suppliers. The suppliers, in turn, have subcontractors, and often the subcontractors have subcontractors of their own.
It’s impossible for the manufacturer to know the complete supply chain.
Indeed, in most cases the manufacturer will only discover its weak spots when its supply chain is disrupted. That makes it even more imperative for customers to be able to carry on in case of brief disruptions. The 2011 Fukushima earthquake left car manufacturers worldwide without the pigment that creates car paint’s shimmery tone, for which they’d relied on a small number of firms in Fukushima prefecture. After the earthquake, they switched from that single-source system to one featuring several suppliers.
Going from single-source to multiple-source involves more money. So does increasing the warehouse capacity that would allow retailers and others to protect themselves from the risks of just-in-time. But disruptions will come. The challenge for governments: how to incentivise companies to try to prevent disruptions that may or may not hit them, when even the costs of a direct attack on a company may be less than the accumulated expense of shielding the company against such an attack?
Hint: it’s not just about the immediate bottom line. Governments can encourage companies to think of themselves as having a role in keeping themselves – and their home countries – safe by regularly briefing top executives about national security threats. With businesses already being in the firing line of geopolitical aggression, they have an interest in helping make themselves and society more resilient, but only if it’s not simply a compliance exercise along the lines of the UK’s much-parodied health and safety regulations.
Governments could also initiate exercises against greyzone threats. The exercises, carried out by armed forces, select businesses as well as the blue light services, would collectively prepare a country for such attacks – and like traditional military exercises, such greyzone exercises would also signal to would-be attackers that the country is prepared. Greyzone exercises, a concept developed by me and presented in a September paper, is now being implemented by a NATO member state.
Crucially, resilience also includes the wider public. And it goes beyond individuals stress-testing themselves, though that’s a good start. Before Covid hit the UK, the government was reluctant – as I discovered in a number of meetings – to inform the public about disruptions that might come its way because the public might panic. Then Covid struck, and the public was unprepared. That’s not good for the country, and it’s indisputably the wrong signal to send to our adversaries.
In 2018, the Swedish Civil Contingencies Agency sent a leaflet called If Crisis or War Comes to every household in the country, by post of course, as an internet link is of no use if the internet goes down. In not-a-few other countries the leaflet was ridiculed and considered too alarmist.
Covid, of course, demonstrated the value of precisely such a leaflet. Lithuania has published a similar leaflet, as has Latvia. It’s an example for other countries to follow. The message should be: we’re in this together, and together we can handle most disruptions to our open societies.
Our societies have the potential to be resilient; they’ve just forgotten that everyone has a role in making them so. Military defence involves a small segment of society, but resilience involves everyone. And without societal resilience, military excellence is useless.
Elisabeth Braw is a visiting fellow at the American Enterprise Institute (AEI)