The growing awareness – across government, business and society more broadly – of the need for greater resilience is very encouraging. Resilience First and other organisations have played a key role in building this awareness. Inevitably, much of the focus is on resilience against what one might call natural factors – climate change and its effects (warming, greater prevalence of storms etc), demographic changes (population growth in some countries, ageing societies in others), and technological changes (growing reliance on digital technologies). There is some focus on resilience to terrorism and crime. I would like to put the spotlight on another aspect – resilience to the malign behaviour of other states. This gets less attention outside national security communities. For me, it was a constant theme of my last few years as a senior official in the Ministry of Defence.
As you read this, we will be approaching the sixth anniversary of the annexation of Crimea by Russia – the first change to international borders in Europe by force since the Second World War. It was an eye-opening insight into what appeared to be a new way of conducting competition between states. In fact, many features were not that new – but they seriously challenged Western conventional wisdom about peace and war. We have tended to draw a sharp distinction between the two. Wars – or, more accurately, armed conflicts – have been between armed forces, often using precision weapons. Of course, these conflicts have had a huge impact on the civilian populations of the countries where they took place. But the people were not (or should not have been) the deliberate target of military action – international humanitarian law and Western defence doctrine draws a sharp distinction between (military) combatants and (civilian) non-combatants.
Other states think differently. The Russian annexation of Crimea (and subsequent intervention in the Donbas) were examples of a doctrine which draws no such distinctions. Russia has a continuum doctrine, with the deployment of unbadged units (and proxy forces) at one end and threats to fire nuclear missiles at the other – from 'little green men' to big green rockets. Ukraine, sadly, has been the main laboratory of what some Russian pundits call 'New Generation Warfare'. But it takes different forms in different places – and it’s not unique to Russia. Since 2014, we’ve seen increasing cyber-attacks across Europe undertaken by groups which we know are 'front' or 'false flag' bodies for the Russian military intelligence service, the GRU. We’ve seen efforts to manipulate the media in many countries, with the planting of false stories – and interference in elections, not least in the US. We’ve seen subversion (albeit thwarted by the authorities) in Montenegro in 2016. And we’ve even seen the use of a toxic nerve agent on British soil, in Salisbury in March 2018. Such behaviour continues – with the aim of undermining public trust in our institutions and unsettling our societies so that the perpetrating states can get their way at our expense but without crossing the line into overt armed conflict.
Traditionally, we have relied on the concept of deterrence to protect us from nuclear or conventional military attack. Put simply, deterrence involves making clear to any potential aggressors that any benefits that they may seek by attacking us will be outweighed by the costs that we can impose on them. Deterrence is still working at the harder, more obviously military end of the continuum – our armed forces, working with those of our Allies, see to that. But it’s not so apparent that it’s working elsewhere – in the ongoing contest in the 'grey zone' between war and peace. Hence the work that a number of us have been doing – inside and outside government – to update deterrence to meet new threats: what we call 'Modern Deterrence'. Resilience is a key element of that.
But, first, what else is involved in Modern Deterrence? I would highlight four elements. First, improving our understanding of potential adversaries using all the analytical tools available. Second, maximising the potential of the full range of government instruments, ranging from economic sanctions to law enforcement powers to kinetic military effects. This is at the heart of the government’s 'Fusion Doctrine'. Our prospective responses to unfriendly acts do not need to be symmetrical – the response to a cyber-attack could be diplomatic or legal action. Third, even closer coordination with international Allies and partners – the deterrent impact of any measures that we take is magnified if others join us. The worldwide expulsions of Russian diplomats after the Salisbury incident is a good example. Fourth, building broader public awareness of the malign activities undertaken by other states inside our societies. This means, unlike previous custom and practice within our security community, loudly “calling out” the mischief and the mischief-makers: the first main example of this was the then Government’s decision in early 2017 publicly to attribute the so-called NotPetya attack on Ukraine (which had massive spill-over effects elsewhere) to agents of the Russian state.
Deterrence by denial
But greater resilience is key – and is thus at the heart of the Modern Deterrence programme run by Elisabeth Braw at the Royal United Services Institute (RUSI). Deterrence has always encompassed two broad approaches – deterrence by the imposition of costs onto the aggressors ('deterrence by punishment') as well as deterrence by making it very difficult and expensive for aggressors to achieve their aims ('deterrence by denial of benefit'). In 'Modern Deterrence', the emphasis shifts more to the latter – and, in practice, 'denial of benefit' and 'resilience' add up to much the same thing.
Enhancing resilience is not straightforward and can be very expensive – which is why British deterrence doctrine in the past put more weight on 'deterrence by punishment'. But it’s not impossible – and the good news is that increasing our resilience to everyday (but growing) risks and hazards can help us deter calculated threats by adversarial states or their proxies.
So everyone knows that electrical power systems can be 'tripped' by abnormal loading, lightning strikes or other apparently random factors, leading to black-outs, transport chaos, etc. Remember the late afternoon of Friday 9 August 2019 – one million consumers left with no electricity, plus widespread disruption to rail services, when two large power stations disconnected after a lightning strike. The government was quick to reassure the public that the outage was not the result of 'foul play' but, conceivably, the same effects could have been achieved by deliberate cyber-attacks on control systems. The impact (and thus the 'benefit' to an adversary) of any such attacks can be reduced by making our digital infrastructure more resilient, ensuring closer compliance with minimum standards, and better contingency planning. Cyber risks generally, whether from parastatal stooges or plain old-fashioned criminal hackers, can be reduced by basic cyber hygiene.
And it’s not just cyber. States have used threats to cut off energy supplies – whether reducing flows through pipelines or intercepting super-tankers at sea – to coerce other states. We can reduce our vulnerability to such behaviour by diversifying supplies (including greater use of wind- and solar power) and through maximising energy efficiency – so reducing our contribution to global warming at the same time.
There is another key conceptual similarity between resilience (broadly understood) and Modern Deterrence. In the past, people thought of deterrence in binary terms – you either deter a (nuclear) attack or you don’t. But, in a contest in the 'grey zone', you are unlikely to deter all malign behaviour completely – because the actors and their methods are constantly evolving. There are too many variables. For the same reason, the electricity industry cannot completely prevent power cuts but it still tries to reduce their incidence and impact on consumers. Just reducing or mitigating threats can be beneficial, as can reducing the impact of climate change even if it can no longer be halted completely.
The big question is how far should we go to deter malign activities by other states inside our societies. Some, such as Elisabeth Braw, have argued cogently for a more 'Total Defence' approach as increasingly pursued by the Nordic-Baltic countries. Other commentators are sceptical about whether such an approach would work in the UK for cultural and historical reasons. There isn’t space to go into that debate now. But two things are not in doubt. The first is the need to enhance awareness and understanding of what is happening – and of the vulnerabilities that are being exploited. The second is that the 'front line' in this contest is not a traditional military one – it is the civilian and private-sector organisations responsible for telecommunications, media, energy, transportation, etc.
So the businesses and organisations linked to Resilience First have a direct interest in not only understanding their own vulnerabilities but also building wider awareness – and taking the practical steps that should follow.
Peter Watkins was Director General Security Policy and then Director General Strategy & International in the UK Ministry of Defence (MOD) from April 2014 to November 2018. The views expressed here are personal and not necessarily representative of those of the MOD or other organisations to which the author is now affiliated.