- Rapidly changing technology mean significant and growing hybrid threats
- Our systems and institutions are not equipped to deal with what’s coming
- Transformation needed in resilience and response planning `
Terrorism will increasingly involve hybrid physical/cyber attacks, a new report says, and we need to be ready for situations we may not have faced before.
We live in an increasingly interconnected, interdependent world. The rate of technological change has been phenomenal over the past 20 years and shows little sign of slowing down. We have become very dependent on new kinds of critical infrastructure, including internet networks and ubiquitous hardware and software. This rapid change means things aren’t as secure as they should be, and a range of hostile forces are quick to exploit weaknesses in ways we perhaps have not even begun to imagine.
So finds a September analysis published by the International Centre for Counter-Terrorism – The Hague of hybrid threats and resilience planning by William C. Banks, a professor at Syracuse University and founding director of its Institute for National Security and Counterterrorism, and Dr. Katja Samuel, an international expert in counterterrorism and resilience planning.
Coordinated and synchronized cyber attacks come without warning. They can be fiercely difficult to identify and attribute in the short term. Because usually there is no loss of life or even physical damage, they often do not generate the immediate security response of a conventional terrorist act.
When we face combined cyber and real-world attacks – for instance, a cyber attack combined with the terrorist strike on an element of Critical National Infrastructure (CNI) – our response mechanisms will be challenged beyond what they have been designed for. They may prove inadequate.
Our security institutions and response planning may be unsuited to the new challenge. The report focuses on these areas of weakness:
- “Putting new wine into old wine skins” was how the report puts it. For instance, the International Maritime Organization, the traditional international regulator for ocean trade, may be ill-equipped to regulate the emerging use of autonomous, remotely controlled vessels.
- All relevant factors are often not considered. For instance, we may not be keeping up with new vulnerabilities – the report mentioned a recent case in which computer cables were found to have been maliciously modified to include extra components, allowing hacking.
- Short-termism: Both business and state entities are vulnerable to short-term, response-and-cope cycles for major crises. But hybrid threats may not be on the radar. Everyone will need to consider factors and potentialities that previously did not arise.
- Poor integration between different types of threats: Which country’s authorities are fully prepared for dealing with a major cyber attack occurring while a response to a physical terrorist act is underway? How can one prepare for a cyber attack from embedded malware activated remotely without warning?
- Overreliance on technology/hardware: Using technology to combat technology will always be critical, but only if used in the context of a robust strategy. “Whilst undoubtedly hardware and software solutions have a pivotal role to play, including in response to hybrid threats,” writes Banks, “their potential effectiveness is likely reduced if they are not utilized within a context of coherent, integrated and dynamic resilience planning.”
Hybrid attacks are coming, whether from state or nonstate actors. They will comprise both physical and electronic assaults. The direction to move in, the report recommends, is a much higher level of integrated resilience planning across all areas.
“Technology-rich and highly dynamic circumstances can be exploited by those with criminal and malicious intent, including terrorists, with potentially extensive and catastrophic consequences,” states Banks.
The solution lies in “more dynamic, integrated and innovative resilience planning solutions beyond those that currently exist.”
