This article is part of a series of papers that resulted in the new report:
First Resort: An Agenda for the United States and the European Union
Societal resilience, particularly with respect to critical infrastructure and functions, faces the greatest challenges and threats seen in the last 75 years. Some of them are internal and inherently systemic in nature, but there exist real external threats with a demonstrated ability to significantly impact key systems and structures nations and societies rely on. At the same time, a growing understanding of the complexity of the “System of Systems” we all rely on to support everyday life, and the vulnerabilities therein, has led to specific actions and initiatives that are cause for optimism.
Defining Resilience
There are many different definitions of resilience, but for the purpose of this paper, we will use the following definition: “Resilience is the ability of a system to absorb an upset (whether internal or external) and minimize the negative impacts of that upset and the time it takes the system to return to pre-upset levels of performance.” Put more simply, any system has a normal level of operational performance, be it an electric grid or the staff of a hospital emergency room. When something abnormal happens, that performance suffers and drops below the norm, perhaps by a fraction of a percent or potentially a complete shutdown. That degradation might last for milliseconds or it might last for days or weeks depending on the severity of the upset.
The overloaded electric grid might have a temporary brownout or partial blackout until additional generators can be brought online, thus preventing a total blackout. The emergency room staff might be overwhelmed by the number of patients arriving during a mass casualty incident and might close to new patients until additional staff can be recalled to the hospital increasing the ER’s capacity. In both cases, the measure of the system’s resilience is the ability to minimize the depth and duration of operational degradation before the system returns to normal performance levels.
Challenges and Threats
The statement “We live in an interconnected world” has become so common so as to almost become cliché, but there is a fundamental truth to that statement that even those who use it do not fully comprehend. While the interconnectedness of the Global Information Grid (GIG), of all information technology and telecommunications systems, is understandable on a conceptual level, only by diving deeper at the systemic interdependencies can we really understand how this web of connections are mutually supportive and dependent down to the third and even fourth order level.
For example, modern economies are absolutely dependent on fully interconnected financial institutions which process transactions in milliseconds, with electronic trades moving millions of dollars every second supporting everything from the world’s stock exchanges to your local ATM and debit card payment at a grocery store. But that entire system is completely dependent on several external systems, most notably the GIG (with at least part of that transaction data running over commercial internet circuits), and electric power supporting the entire information technology pathway.
But when we dig deeper, we note that the GIG’s inherent design (which fundamentally relies on the original TCP/IP protocol developed to create a nuclear-attack resistant ARPANET back in the 1960’s) means the system is resilient because it will seek to find a complete pathway to the destination utilizing any portion of the network, which also means that that pathway may jump countries and even continents in its quest to complete the transaction. At the same time, all those routers and switches and data centers are reliant on electricity, which creates a dependency on the electric grid. Even backup generators are reliant on fuel for those generators, and that fuel is reliant on a system of trucks and tank farms able to deliver more fuel to keep the generators running, and the tank farms are reliant on pipelines able to deliver additional fuel, which are reliant on pumps and industrial control systems which rely on electricity. These vulnerabilities became obvious during the extended power outages in and around New York City after superstorm Sandy in 2012 – gasoline was scarce because gas stations had no power for their pumps; businesses across three states lacked the ability to process credit or debit card transactions; at the same time that cash became scarce because ATMs stopped working.
This very simple example exposes a fundamental truth – every aspect of our critical infrastructure is so interconnected with other pieces of critical infrastructure that a failure anywhere in the system, indeed potentially anywhere in the world, has the potential to create a cascading series of casualties that create ever-widening and potentially exponentially worse consequences as system operators work to understand what is happening, why it is happening, and how they can restore the system.
While the Global Information and Electric Grids are two examples, these interdependencies and relationships spread across nearly every system…from the agricultural system which grows food and delivers it to your local market to the transportation system which moves goods and materials supporting a global supply chain infrastructure made increasingly fragile as companies increase efficiencies and profits while cutting costs through concepts such as “just in time logistics.” In fact, the typical major European or North American city only has enough resources to support itself for a few days at best before scarcity becomes a very real problem. There are major automotive factories that literally only have enough parts and raw materials on hand to support six hours of operations before they are in danger of shutting down production. The drive for efficiency has led to consolidation and elimination of duplication and redundancy which creates a fundamental fragility in critical infrastructure that few fully understand.
This very fragility creates vulnerabilities that are not only subject to upsets such as the afore-mentioned natural storms and disasters, but also potential attack and exploitation by individuals and organizations seeking to do harm, be they terrorists, criminals, or foreign states. When we talk about hybrid warfare or hybrid attacks, cyber immediately comes to mind because of the ability for actors to operate across the GIG and the great difficulty in proving attribution or enforcement when the actor may reside in a hostile state halfway across the globe. Recent examples include attacks against the Georgian government in 2019 and the United States electoral system in 2020.
At the same time, the system’s very structure creates additional fragility and potential attack vectors. The recent debates over use of Huawei technology in building out 5G infrastructure in the UK as well as the rest of Europe and the US expose concerns at allowing a foreign company with ties to a potentially hostile power to provide key technology that is fundamental to the operations of the GIG. But the Chinese Belt and Road initiative is about more than just the sale of chips, routers, and switches to the telecommunications network. Over the last five years, Chinese companies have purchased all or significant ownership stakes in 16 of the largest commercial seaports in Europe, with similar investments taking place in the Middle East, Africa and even the United States. By its very nature, ownership provides a degree of control and that control provides a means to deny service that is cause for concern.
Waking Up and a Reason for Optimism
While these interdependencies, systemic fragility, vulnerabilities and potential attack vectors are not fully understood, there is a growing realization that lack of oversight, regulation and a wholistic view of the entire system of systems necessitate action, particularly in the transatlantic context when facing challenges from both Russia and China. Organizations such as The Cybersecurity & Infrastructure Security Agency (CISA) in the US and European Union Agency for Cybersecurity (ENISA) have been created to address the problem holistically. In 2016, the NATO Warsaw Summit released a declaration on resiliency affirming the member states’ need to be resilient to ensure they can meet their Article III commitments under the Washington Treaty. Since then, NATO has engaged in both classified and public activities to encourage resilience and enhance Allied and Partner nations’ capacities through the baseline guidelines and requirements, a standing Advisory Support Team, and public diplomacy aimed at projecting and encouraging stability.
Perhaps more encouraging in a transatlantic context is that NATO and the European Union have been actively collaborating, enabling engagement of multiple states who are only members of one body. Nations across the Atlantic have been working to implement standards and best practices not only on a national basis, but also on a bilateral/cross-border, regional, continental, transatlantic, and even world-wide basis because so much of the critical infrastructure is built and operated in such a way that national borders are almost invisible to the system.
As of this writing, the global COVID-19 pandemic has killed over 1.4 million people and exposed systemic fragility in global supply chains of medical equipment, vaccines, pharmaceuticals, and national healthcare systems. It has led to a somewhat coordinated, worldwide response to a global emergency, and hard lessons are being learned about a system teetering on the brink of collapse.
Experts have been ringing alarm bells about resilience and systemic fragility for the last decade, often to an indifferent response from political leadership. One reason for optimism in the coming years is the multiple failures and increased attacks that impacted daily life and national stability over the last few years are waking up political leadership across the Atlantic at all levels of government and in international organizations resulting in concrete actions, regulation and collaboration that are the only way to effectively meet these challenges.
Author
Global Europe Program
The Global Europe Program is focused on Europe’s capabilities, and how it engages on critical global issues. We investigate European approaches to critical global issues. We examine Europe’s relations with Russia and Eurasia, China and the Indo-Pacific, the Middle East and Africa. Our initiatives include “Ukraine in Europe”—an examination of what it will take to make Ukraine’s European future a reality. But we also examine the role of NATO, the European Union and the OSCE, Europe’s energy security, transatlantic trade disputes, and challenges to democracy. The Global Europe Program’s staff, scholars-in-residence, and Global Fellows participate in seminars, policy study groups, and international conferences to provide analytical recommendations to policy makers and the media. Read more