We all have a part to play in modern defence

In July last year an enormous malware attack hit Maersk, the world’s largest container shipping company. The virus disabled virtually all of the logistics giant’s IT infrastructure. After ten days IT specialists managed to restore the system but in the meantime Maersk had lost close to $300 million.

Attacks on companies like Maersk matter not just to their shareholders but to governments and to all of us. Or rather, they should matter to us. Eighty per cent of the world’s trade travels on ships. A Maersk freighter docks every 15 minutes, delivering 10,000 to 20,000 containers carrying food and other necessities. If Maersk or another shipping company were hit by an attack more powerful than the NotPetya malware that targeted Maersk, we consumers would quickly feel the consequences.

Britain, for example, imports half its food and, because the retail sector operates what is known as a just-in-time model, an attack on shipping companies, ports or distribution centres would rapidly result in empty shop shelves. According to statistics from the Department for Environment, Food and Rural Affairs, between 2010 and 2015, 52 per cent of suppliers reduced distribution-centre stock levels. Only 22 per cent increased their stock.

If this is not sufficient warning, consider the fate of several thousand commuters in the region around Düsseldorf. Last month left-wing radicals cut railway signal cables, leaving travellers stranded. A more sophisticated attack could wreak havoc on a western country, especially since a great number of us commute long distances to work. Or attackers could target the electrical grid, the network that sustains our daily life. The US grid has already been attacked by hackers reportedly operating as proxies for foreign governments. European power plants have been targeted too.

Western democracies present an attractive target. We have open societies and relatively small governments that mostly do not own companies in strategic sectors. And while we are increasingly discussing hybrid warfare, we have so far failed to realise that it could cripple us.

It can do so even though we have skilled armed forces. If Russia launched a military attack against a Nato country tomorrow, the alliance would eventually defeat it. Sure, most European countries could increase military spending, but even at current defence spending levels our combined forces are stronger than those of Russia. But what if the attacker does not use military means? That is exactly what is happening now.

The NotPetya attack that crippled Maersk was initially targeted at Ukraine, where hospitals, banks and utilities were laid low by the virus. It was traced to Russian military hackers. A report by the US Senate foreign relations committee said that between 1992 and 2006 Russia cut off energy 55 times in other countries. If you were a government with aggressive intentions, would you not use similar tactics? Releasing computer viruses risks the lives of no soldiers and requires no expensive military hardware. For the most part, hybrid warfare cannot even be traced, unless the attacker wants to send a signal.

The West has woken up to the increased military threat facing us. But so far we have failed to beef up our defence against attacks that could arguably harm us much faster. The good news is that our societies have the potential to defend themselves against these vicious threats. What we need is modern deterrence: deterrence by resilience. If we combine it with traditional, military deterrence, we will be able to face adversaries with the knowledge that they cannot bring us to our knees. And knowing of our strengthened resilience, our adversaries will be less inclined to attack or threaten us.

Developing a new defence model may seem overwhelming: it requires us to acknowledge our acute vulnerability to non-traditional warfare. But there is strength in allies sharing their wisdom. All western countries face the same challenges and several of them have partial solutions. Next month many of them will convene, along with business leaders and British officials, at the inaugural conference of the Royal United Services Institute’s modern deterrence programme.

A Danish defence ministry official will share his experience with regular crisis management exercises involving cabinet ministers and CEOs. A Swedish official will talk about his country’s new total defence planning, which teaches residents how to stock up for emergencies and how to detect disinformation campaigns. An Estonian official will describe how Estonia coordinates defence and national contingency planning: two very separate tasks.

Armed with ideas like these we can develop a plan for deterrence that involves governments coordinating with private companies and involving the population. Yes, getting involved in our countries’ defence, whether it be CEOs participating in government-led crisis management exercises, companies pooling information about similar cyber attacks or residents stocking up, may be an inconvenience, but it is a lot less inconvenient than facing a national emergency unprepared.