Conversations on Strategy Podcast

Every day, malicious actors target emerging technologies and medical resilience or seek to wreak havoc in the wake of disasters brought on by climate change, energy insecurity, and supply-chain disruptions. Countering Terrorism on Tomorrow’s Battlefield is a handbook on how to strengthen critical infrastructure resilience in an era of emerging threats. The counterterrorism research produced for this volume is in alignment with NATO’s Warfighting Capstone Concept, which details how NATO Allies can transform and maintain their advantage despite new threats for the next two decades. The topics are rooted in NATO’s Seven Baseline requirements, which set the standard for enhancing resilience in every aspect of critical infrastructure and civil society. As terrorists hone their skills to operate lethal drones, use biometric data to target innocents, and take advantage of the chaos left by pandemics and natural disasters for nefarious purposes, NATO forces must be prepared to respond and prevent terrorist events before they happen. Big-data analytics provides potential for NATO states to receive early warning to prevent pandemics, cyberattacks, and kinetic attacks. NATO is perfecting drone operations through interoperability exercises, and space is being exploited by adversaries. Hypersonic weapons are actively being used on the battlefield, and satellites have been targeted to take down wind farms and control navigation. This handbook is a guide for the future, providing actionable information and recommendations to keep our democracies safe today and in the years to come. Click here to read the book.Click here to watch the webinar. Episode Transcript: “Space Critical Infrastructure” from Countering Terrorism on Tomorrow’s Battlefield (NATO COE-DAT Handbook 2) Stephanie Crider (Host) You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army, War College, or any other agency of the US government. I’m here with Frank Kuzminski, today, US Army officer and strategist, and author of “NATO Space Critical Infrastructure” from Countering Terrorism on Tomorrow’s Battlefield: Critical Infrastructure Security and Resiliency. Thanks for making time for this today, Frank. Frank Kuzminski Thank you for having me. Host Space is a relatively new operational domain. Since 2019, you note in your chapter. Through the lens of those core missions of deterrence and defense, what do our listeners need to know about space? Kuzminski Space is relatively new in terms of the overall history of the alliance. And that really stems from the NATO ministerial meeting in December 2019, where they declared space as an operational domain. And then, more importantly, in June 2021, NATO issued a communique after the NATO summit that the mutual defense provisions of Article 5, which treats an attack on one as an attack against all, would apply to the space domain as well. And they specifically mentioned that any attack to, from, or within space could be as harmful as a conventional attack, and therefore warrant an Article 5 response. And that’s important because space really touches nearly every aspect of daily life in modern society, (including) commercial activities, economic activity, information, communications, and especially national security and defense. And so today, more than ever, NATO as an alliance, depends more than ever on space-critical infrastructure for its core missions of deterrence and defense. Host Let’s talk a little bit more about space critical infrastructure. Can you give us an overview? Kuzminski So, space critical infrastructure comprises the physical systems, the orbital platforms, and the data transmission networks and the people that work across the four segments of a space system to provide the space domain capabilities that we rely on. There is this space segment, which consists of the satellites, spacecraft, and technical payloads that occupy the different orbits. There’s a user segment, which refers to any user or person or system that relies on satellite information or satellite signals to function. This includes military forces as well as ordinary people—businesses, organizations, countries, people who use smartphones, etc., or the Internet. There’s the ground segment, which includes the physical elements of space infrastructure on Earth, everything from launch facilities to Mission Control centers, to tracking stations around the world. And then finally, there’s the link segment. And this is the data transmission networks that connect the other segments together and through which we derive the systems. And so the space domain operations and space-based capabilities require all four segments of space critical infrastructure to provide the core functions and capabilities that the alliance and that the world relies on. Host You talked about in your article, these five core capabilities. Let’s walk through them. Let’s start with secure communication. Kuzminski Satellite communications, or SATCOM for short, is vital for the effective command and control of military forces today across large areas, regardless of terrain. It really helps overcome the line-of-sight problem, but also facilitates the use of remote weapon systems such as drones. It’s also important to note that secure communications is where the space and cyber domains intersect because the data transmissions on the link segment that we talked about that provide this space capability by transmitting data utilize the communications protocols that have been derived from the cyber domain and the Internet. And so the vulnerabilities that exist in the cyber domain are also inherent to the space domain for that reason. Host Positioning, navigation, timing, and velocity. What do we need to know? Kuzminski So simply speaking, this is GPS. We know it as plugging an address into our phone and letting it direct us to our destination. But for military forces who rely on PNT for short for targeting and precision strike, advanced conventional munitions rely on GPS to precisely strike a target. Military forces also rely on time reference from GPS satellites for encryption purposes. It’s also important to note that GPS (Global Positioning System) is an American military system that the Department of Defense provides for everyone’s use. There are other systems out there that other countries operate, for example, the European Union has a global navigation satellite system called Galileo. The Russians use a system called GLONASS, and the Chinese recently have deployed a system called Baidu, and they all generally provide similar functions, but it’s important to note who kind of manages these constellations. Host The next step is integrated tactical warning and threat assessment. Kuzminski Space systems are important for detecting missile launches and, therefore, providing the earliest possible warning of a missile attack. We’re talking about strategic nuclear attack, intercontinental ballistic missiles—the kind of broad early warning networks that were common during the Cold War but are still very important today to deterrence and defense today. These space systems are a really integral part of that and help provide ballistic trajectories and provide the decision space for senior leaders. Host How does environmental monitoring fit into the picture? Kuzminski This is commonly known as weather forecasting, but space systems enabled meteorological operations and the kind of weather forecasting that’s important because weather, of course, can affect military operations on land, sea, and in the air. Accurate environmental forecasting also can help reveal longer-term climate trends that might affect agriculture or food supplies in different parts of the world, which may have security implications for NATO and the alliance. Host Intelligence, surveillance, and reconnaissance. Kuzminski ISR for short. Space-based ISR, we think about satellite imagery. So again there are commercially available options such as Google Earth, but this goes back to the earliest days of the space age when the United States and the Soviet Union deployed a variety of satellite intelligence platforms and photo reconnaissance platforms to not only provide detailed mission planning and help forces understand the effects of terrain on land-based operations but also to provide indications and warnings of potentially threatening behavior. I mean, one of the reasons the alliance in the United States were able to anticipate Russian aggression in Ukraine last year was because they were able to monitor force movements through the use of space-based ISR. Host What are some examples of threats and vulnerabilities that need to be addressed? Kuzminski Space systems are especially vulnerable to both kinetic and non-kinetic threats. So in the chapter we talk about how terrorists and hackers might possess some of these capabilities that could affect one or more of the space segments. But the overall impacts to a terrorist attack on space critical infrastructure would be pretty low. The real threat here is state actors, specifically, the great powers, who both possess the kinetic and non-kinetic destructive capabilities and the capacity that could seriously damage space critical infrastructure. In terms of non-kinetic threats, we talked about the intersection of the space and cyber domains. And so many of the vulnerabilities, cyber vulnerabilities, that an adversary could exploit through hacking or other malicious software or malware could also be deployed against this space system and disrupt a particular satellite capability. In terms of the kinetic capabilities, the most obvious ones are direct-assent anti-satellite weapons or ASATS. And this is, effectively, a missile that’s launched from the Earth that would be targeting a satellite in orbit, destroy that satellite and then render a large debris field that could pose risks to other space systems. As of today, there are only four countries that have demonstrated an actual ASAT capability. That’s the United States, China, India, and Russia. There are also orbital intercept and satellite capture technologies out there through what we call rendezvous and proximity operations, or RPO for short. The nature of orbital mechanics makes it that satellite trajectories are predictable, and, therefore, targetable. There is also the technology either exists or might soon exist for some kind of directed energy or laser weapons on orbital platforms. Now, we haven’t seen evidence of an active system as of yet, but this goes back to the 1980s in the Strategic Defense Initiative that envisioned the constellation of orbital lasers to shoot down incoming intercontinental ballistic missiles. So, it’s not a new idea, it’s just something that people are talking about. I’d also like to mention the problem of orbital debris, or space junk. This is more of a space safety issue than a space security issue, but it’s very real and it is a pernicious problem that affects everybody indiscriminately. There are over 30,000 pieces of space junk ranging from the size of a softball to larger than a school bus. Basically, anything that gets thrown up into orbit kind of stays there and decays over years—decays in orbit. The reality is that there just hasn’t been enough of a problem to really warrant any kind of multilateral action. And so ,it’s one of those problems that we’ll just wait and see what happens. Host I’m glad you mentioned Ukraine a little bit earlier because you used Russia as a case study in your paper, and I would love to hear more about that. Kuzminski We already talked about our state actors are the biggest threat, and Russia really has been the most active and threatening actor in this space domain in recent years. For the current war in Ukraine, there was a very specific example. In February of last year leading up to the attack, Russian hackers disrupted the commercial ViaSat satellite communications network, which is a commercial satellite communications provider that the Ukrainian military and Ukrainian government was contracting for their communication purposes. It was part of a coordinated effort to disrupt Ukrainian command and control and defensive operations leading up to the Russian attack. There are two other examples that are worth mentioning. In November of 2021, Russia conducted an ASAT test that we talked about, and it targeted one of its derelict satellites in orbit. But this event created a substantial debris field that threatened the International Space Station to the point where NASA actually had to wake up the astronauts and tell them to get into their emergency escape capsules in the event that there was some sort of catastrophic collision. Thankfully nothing happened, but this reveals the kind of potentially nefarious effects of an ASAT—even if it’s not targeted against an opponent system. And then lastly, I just wanted to mention that in 2018 the French government accused Russia of spying on one of their military communications satellites in geosynchronous orbit, which is the farthest out orbit. The French space agency had observed what they called a Russian “inspector satellite” that had maneuvered and changed its orbits to within a few 100 meters to drops of communications. Geosynchronous orbit is a stationary orbit. So the fact that these satellites had maneuvered into place was really indicative of some sort of potentially hostile behavior. And this is an example of these rendezvous and proximity operations that we spoke about earlier. Host Lots of scenarios here, lots of threats, potential vulnerabilities. Kuzminski We talked about how states such as Russia and China remain the greatest threat to space critical infrastructure. Increasing resilience across all the space segments is probably the best way to enhance deterrence by denial. And what I mean by that is ensuring that the specific capabilities that we discussed have enough redundancy in systems, whether in orbit or on the ground through different pathways and through different partners, not just American systems. But partnering with our allies and also through commercial operators is the best way to ensure that these critical functions will remain online in the event of an attack. There’s also an opportunity for some degree of international partnership or multilateral initiative to help prevent the rampant weaponization of space or some sort of new arms race. This was a problem in the 80s because the reality is that the only space treaty that’s been ratified in the international community is the Outer Space Treaty, which was signed in 1967. And although that prohibits the deployment of nuclear weapons in space and on the moon, it hasn’t really been updated to reflect some of the more current threats that we talked about. There have been a few ongoing efforts to limit weapons proliferation in space under the auspices of the United Nations, but they’ve been problematic and generally weak. True progress will really require commitment and leadership by the great powers, not only the US and its European partners, but also Russia and China. And the current situation right now doesn’t look like there’s any prospect for that. Host Give us your final thoughts before we go. Kuzminski I think it’s important to remember that space critical infrastructure, like all critical infrastructure, is something that we all tend to take for granted. We don’t really think about it. It’s just kind of there and we just use it. But we already talked about how vulnerable it is. And it’s important to remember that it wouldn’t take a whole lot for an adversary or some sort of malicious actor to disrupt the capabilities that we rely on on a daily basis. This isn’t specifically for military forces, but also just for everyday people and large segments of modern society. I think it’s worth thinking about how someone might react if their smart board stops working or the credit card stops working or the Internet stops working or the planes stop flying, not only for individuals but also for states. But I don’t want to be super pessimistic. I do think that the future is exciting and offers a lot of potential for the benefit of mankind because the threshold for access to space and space-based capabilities is being lowered every day, especially through the growth of commercial operators and service providers. And I really think that the more access to these capabilities that exist and the more people that have access to these capabilities, it just helps level the playing field, not only in the security dimension, but also in economic and societal and commercial spheres. And I think that translates to better economic opportunities, especially for the developing world. And generally, a higher quality of life for most people. And I think that’s a good thing. I think there’s definitely a lot of things to be optimistic about when it. Comes to space this. Host This a very full chapter about critical infrastructure, security and resiliency. Listeners, if you’re interested, you can download it at press.armywarcollege.edu/monographs/957. Thanks for sharing your insights with us today, Frank. Kuzminski Thank you for having me. Host If you enjoyed this episode of Decisive Point and would like to hear more, you can find us on any major podcast platform. About the author: Frank J. Kuzminski is a US Army officer and strategist. A native of Poland, he emigrated to the United States in 1990. He graduated from the United States Military Academy in 2004 with a bachelor of science degree in electrical engineering and was commissioned as an Infantry officer. After serving in multiple operational assignments worldwide, Kuzminski was assigned to the Army Staff at the Pentagon, and he later served as a strategic plans officer with I Corps at Joint Base Lewis-McChord, Washington. He is currently a doctoral candidate in international studies at the University of Washington. He holds a master of public administration degree from Harvard University. He is married with two children and speaks Polish and French.

Wuraola Oyewusi Medical resilience is a key critical infrastructure in a nation’s preparedness against vulnerabilities. Pandemics such as COVID-19 are potent disruptors of this infrastructure. Health systems that are considered low-resourced have adapted and deployed seemingly simple but effective methods to survive such disruptions.Read the collaborative study here.Episode Transcript: Medical Resilience in PandemicsStephanie Crider (Host)The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government. You’re listening to Conversations on Strategy.Today, I’m talking with Wuraola Oyewusi, author of “Medical Resilience and Pandemics,” in Countering Terrorism on Tomorrow’s Battlefield: Critical Infrastructure and Resiliency Handbook Two (Countering Terrorism on Tomorrow’s Battlefield: Critical Infrastructure Security and Resiliency Handbook 2). Welcome to Conversations on Strategy. I’m really glad you’re here.Wuraola Oyewusi Thank you, Stephanie. I’m glad I’m here too.Host Your chapter explores medical resilience as a component of critical infrastructure as well as using low-resourced health systems to build resilience. Will you please briefly expand on that?Oyewusi The work on this chapter focuses on a low-resourced health system (that) has managed to build a resilience against a disruption—this time around, a pandemic—uh, specifically, (coronavirus disease 2019 or) COVID-19. We explored Nigeria as a system that . . . it’s definitely not high resourced. The health-delivery system is not high resourced. And we explored some of the things that were done during the COVID-19 pandemic.Host Let’s talk about that in a little bit more detail. Like you said, your case study focused on Nigeria and COVID-19. How did Nigeria handle COVID-19?Oyewusi So, I’m going to give a bit of context.The first COVID-19 case—recorded one, I think we should emphasize that—was in February . . . February 27, 2020. Right when the whole world was finding out, that was when we found out about that in Nigeria, too.Another clear context that we should have as we go into our discussion is that Nigeria’s epidemic response is carried out in the context of a fragile and underresourced, existent health-delivery system. That means that, even before the pandemic, the system was overstretched, there was a lot of people. There were challenging fault lines already, and then we now had the disruption like COVID-19.So to help you understand this use case, one of the indexes that was used to gauge a country’s preparedness during the pandemic was the number of (intensive-care unit or) ICU beds to the population. Germany had about 29 beds to 100,000 people. The US had about 34 to 35 ICU beds to 100,000 people. Turkey had 48 beds to 100,000 people. But in Nigeria, we had about 0.07 beds to 100,000 people.So, I think that would lay down a context for why we are discussing this and how a disruption to critical infrastructure, like a pandemic, was done in Nigeria.Host What are some key lessons learned from Nigeria on managing pandemics?Oyewusi I’m going to discuss that on the three key items. The first one: There was leveraged experience and infrastructure. The second one: There was civilians, data analysis, and public data sharing. And the third one, which is probably one of the most interesting, are the nonpharmacological interventions. We have established that the system is overstressed. And, given the proportion of ICU to 100,000 people, the country knows; the people know. We had a vague idea of what we were in for, and, you know, it is one of the most interesting things that we did.One of the experiences that help us as a country—despite this fragile health system, this low-resourced health system—was we have some experience managing pandemics (for example, the Ebola of 2014 [Ebola outbreak of 2014–16]). So, the preparedness wasn’t just from the side of the health system professionals. The country had an idea. We have experienced with Lassa fever. We have experienced with cholera. So, one of the key things that happened there: There was a coordinated national effort by the national center for disease control, the Federal Ministry of Health, and the state ministry of health.And then, for example, for data collection and analysis, there was a software that was used during Ebola called SORMAS—SORMAS is Surveillance Outbreak Response Management (and Analysis System). A very interconnected system that was used to collect data from smaller places to bigger places and tracked preparedness for things like, you know, we had anticipated that there would probably be no light. There is usually a lot of outages. There is a lot of issues like that. But this system had been tested during Ebola, so it was like the country spun it up again now that we have another pandemic.The third one is nonpharmacological intervention. For example, there were things like hand washing and face mask. Even though I know it’s global, people had hand sanitizers. There was lockdown. There was restrictive public gathering. There was social culture communication. You know, for example, more than 500 languages are spoken. That means that in villages and religious houses, people were talking about COVID-19, “We think we should wear your mask,” through those channels.In public places, you could wash your hands outside. That means if you are going to the bank—it might not be the prettiest setup—but every public place, public parks, there was “You need for you to wash your hands.” And then, like I said, people remembered from Ebola. That means that there was general knowledge about it and (people knew) to prepare hand sanitizers. “We think there is something dangerous out there. We have heard about it and, you know, just like the other times, we should wash our hands often. We should wear our mask.” You know, there were makeshift masks because a mask (availability) hasn’t happened yet, and, you know, some were made from fabric. Some of them were not the prettiest, but people were wearing their mask in many places. The bulk would put a makeshift bucket. You know, in some public places, it would just be a makeshift bucket with a tap, some soap to wash our hands. But this scaled across the country because they were easy to deploy.And then, information through radio. People were hearing about COVID-19. I remember, in the textbook, I put some examples of the flyers that went around that “This is dangerous.” “We are not always confident that you have the support that you need in the health system, but if you can try those things, if you can stay at home more . . .”Of course, there was the economic downside of people staying at home, but if you don’t have to be out . . . Some states were running, “We’re not closing finally, but can you be home by six?” “Clubbing.” “No parties.” Uh . . . “No big church gatherings.” “No big religious gatherings.” “Can you just pray at home?”This may be for people who could read, but then there was the daily updates by the disease control center. You know, you would know the number of people that died, the number of people that were diagnosed. “What should you do if someone is infected?” “If you suspect there is . . .” It was in public places. “Someone has been coughing, sneezing . . .” “We think this person may have this . . .” The nearest health center.So those are some of the nonpharmacological solutions that kind of worked well for us.Host Do you have any final thoughts that you want to share about this before we go?Oyewusi I have experienced working in a low-resourced health system. You know, I have gone on to other things. But I have always been a believer of, uh, in every pandemic—in every disruption, especially—learning from the experience of where we already know that this is low. It’s not bad because there was pandemic; that was all happened . . . Also, there are usually the low-hanging fruits; countries should embrace them. There is also NATO. NATO should embrace them. Tell people on the radio. Help everybody in their language.I understand that—even in countries where people speak the same language—there are regional nuisances. You know, for example, in Nigeria, local leaders were telling their communities about these. I’m not saying that, “Oh, everyone did that,” but it was common . . . So it’s common knowledge that we should do that.In pandemics, everyone is as confused. It’s not like everyone knows what to do. But for every disruption, one of the key learnings from a low-resourced system like that is that there are the low-hanging fruits, and they should be embraced.Host Thank you for being here today and sharing your ideas and your insights.Oyewusi Nice to be here.Host Listeners, find out more about managing pandemics at press.armywarcollege.edu/monographs/957. Read about it in chapter six.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.About the author: Wuraola Oyewusi is a Nigerian pharmacist and data scientist with expertise in clinical health care and the application of data-science methods. Her research spans a range of use cases from natural language processing (NLP) to health care and data curation. She lives in the United Kingdom and is the recipient of the Global Talent Visa in AI, Machine Learning, and Data Science.

Every day, malicious actors target emerging technologies and medical resilience or seek to wreak havoc in the wake of disasters brought on by climate change, energy insecurity, and supply-chain disruptions. Countering Terrorism on Tomorrow’s Battlefield is a handbook on how to strengthen critical infrastructure resilience in an era of emerging threats. The counterterrorism research produced for this volume is in alignment with NATO’s Warfighting Capstone Concept, which details how NATO Allies can transform and maintain their advantage despite new threats for the next two decades. The topics are rooted in NATO’s Seven Baseline requirements, which set the standard for enhancing resilience in every aspect of critical infrastructure and civil society.As terrorists hone their skills to operate lethal drones, use biometric data to target innocents, and take advantage of the chaos left by pandemics and natural disasters for nefarious purposes, NATO forces must be prepared to respond and prevent terrorist events before they happen. Big-data analytics provides potential for NATO states to receive early warning to prevent pandemics, cyberattacks, and kinetic attacks. NATO is perfecting drone operations through interoperability exercises, and space is being exploited by adversaries. Hypersonic weapons are actively being used on the battlefield, and satellites have been targeted to take down wind farms and control navigation. This handbook is a guide for the future, providing actionable information and recommendations to keep our democracies safe today and in the years to come.Read the Book: https://press.armywarcollege.edu/monographs/957/Watch the Webinar: https://ssi.armywarcollege.edu/2022/european-security/nato-transatlantic-relations/countering-terrorism-on-tomorrows-battlefield/Download the full episode transcript here: https://media.defense.gov/2023/Nov/15/2003341253/-1/-1/0/COS-14-PODCAST-TRANSCRIPT-LOHMANN-COUNTERING-TERRORISM.PDFKeywords: counterterrorism, NATO, critical infrastructure, hypersonics, drones

For over a quarter century the United States and the European Union have been diligently planning and implementing policies and procedures to protect the critical infrastructure sectors that are vital to the prosperity and security the majority of their citizens enjoy. Given the evolving nature of threats against critical infrastructure, recent US and EU efforts have focused on enhancing collective critical infrastructure security and resilience (CISR) posture. The core objective of these CISR initiatives is to strengthen their ability to deter, prevent, reduce the consequences of, respond to, and recover from a broad array of vulnerabilities, hazards, and threats to critical infrastructure. Any such disruptions to or destruction of these critical infrastructure systems and assets can have damaging impacts on individual nations, the transatlantic economy and security environment, and the ability of the North Atlantic Treaty Organization (NATO) to fulfill its core tasks.This podcast is based on Chapter 10 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1). The goal of this chapter ultimately is to help Allies and partners better understand these two frameworks and apply their key principles and tenets to enhance the CISR posture in their respective countries.Click here to read the book.Click here to watch the webinar.Episode Transcript: “Comparing Policy Frameworks: CISR in the United States and the European Union”Stephanie Crider (Host)You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes Dr. Alessandro Lazari, coauthor of “Comparing Policy Frameworks: CISR in the United States and the European Union.”Lazari’s been working as a specialist in critical infrastructure protection, resilience, and cybersecurity since 2004. He is currently a senior key account manager at 24 AG (F24 AG), focused on incident and crisis management in Europe.Alessandro, welcome to Conversations on Strategy. I’m glad you’re here.Alessandro LazariThank you very much indeed for inviting me over. It’s a pleasure to be here.HostYou recently contributed to the book Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. The chapter you worked on compares policy frameworks of critical infrastructure security and resiliency in the US and the EU. The US (critical infrastructure security and resilience or) CISR framework: What do we need to know?LazariI mean, thanks for asking about this. This has been part of my PhD studies—to go on deep between the lines about everything that the US has built in the past decades—and I have to say that this is really considerable. If you think that the (Presidential Decision Directive 63 or) PDD-63, just to give an example . . . presidential directive signed by (Bill) Clinton in May ’98 still stands as one of the brightest examples of CISR policies for a while—if you look at it nowadays, after so many years, you see how very well defined is the problem, how very well defined the mechanism to tackle it and to, you know, deal with it and to improve the overall posture of US against the threat of, you know, any potential attack to national critical infrastructure.I mean, there is many examples in . . . in the US policies of things that really worked. I can tell that they constitute a milestone to which many, many countries are looking at because of the comprehensiveness. Because I can tell also that due to its particular system, (the) US has experienced a wide range of events that span across all the potential threats of critical infrastructure in the 50 states and as a federal system, so they’ve really wanted to organize something that is really very, very big.Last but not least, the US has also considerable experience in maintaining the infrastructure. One of the greatest examples is the renovation that the US government did in the old railroad . . . you know, riverways in the ’40s and ’50s and ’60s is one . . . also a considerable milestone of the experience in the US. So, it’s very much worth looking at it because there is many countries that are now in the condition of tackling those challenges nowadays. So really, throughout the entire lifespan, you know, a lot of things that are really, you know, in use nowadays that really can provide example to the way the countries should deal with CISR nowadays.HostLet’s go into a little bit more detail. What currently guides the US CISR policy?LazariOne of the latest milestones in . . . in the US CISR policy is (Presidential Policy Directive 21 or) PPD-21, signed by Barack Obama in 2013. I mean, that can be considered one of the examples of the maturity of the policy in the US. You know, in announcing all the functional relationships among the very stakeholders involved in the life cycle of critical infrastructure security and resilience, there’s so many from both public and private side. From the public side, you have (the Department of Homeland Security or) DHS and all the departments that are involved, all the agencies, and from the other side, all the operators and the critical nodes within the country and so on and so forth. So, there is a considerable amount of stakeholders that need to talk to each other to be really aligned to do better. And here, we come to the second pillar that is information sharing.Once you have identified all the functional relationship nodes, you absolutely need to cut short the distance between them. So they need to become closer and closer because they need to talk to each other, and in a country like (the) US, it’s very difficult because it’s a very big country with a big number of stakeholders involved. So for sure, this is also a challenge. And last but not least, after you have enabled, you know, the recognition of the functional relationship and the improvement of the information sharing, you then need to enable one very important pillar that is always mentioned in PPD-21: that is analysis of incident threats and emerging risk. Because you do not only deal with today, you also deal with the future. So you need to understand with . . . how, you know, uh, risks are evolving, so the emerging one . . . and you need to analyze all the incidents and threats constantly because the threats evolve as much as the society because, you know, we have new enemies, new ways to attack the systems, and history evolves; we all know that. So once you put together really this critical mass of activities and knowledge, you can say you are really structuring well all your policy on . . . on CISR.HostTell me about the EU framework: European Programme for Critical Infrastructure Protection.LazariThe EU, it’s based on the membership of the member states that are part of the EU. There were 28, and, after the Brexit, now it’s 27. You know, every time, the negotiation of each steps of the policy is something that really seeks for the involvement of them all on proposal from the European Commission that is normally proposing new pieces of policy and regulation in this field. But this entails every time that member states are involved because they have a stake, they take a joint decision. But the European Programme for Critical Infrastructure Protection is really the very first milestone. As much as it is for PDD-63 in the case of US, it is really the very first piece of joint policy on critical infrastructure protection on the European side.And this really comes immediately after the September 11 attacks to, you know, London and Madrid in 2004, 2005. It really starts from an all-hazard approach with a clear intent of fighting against terrorism. So, financing of terrorism, all aspects of dealing with terrorism and the impact of terrorism, terrorism of critical infrastructure. Then, immediately, the EU recognized within the program that the all-hazard approach really needs to be developed because it’s not only terrorism that can threaten the continuity, you know, and the existence itself of critical infrastructure, but there is many other threats that can really disrupt or create issues. So, the European program has really put together the member states for the first time ever in discussing the critical infrastructure protection.This is still, nowadays, mainly the international level. The first thing you need: competency. It still relies on the member states that are part of the EU, but the program has, really, the 27 in the condition to discuss together all the challenges, all the state of play of each one of them. So to set new goals that are not overambitious for some of them, because you have to imagine when, in 2008, the European program was launched, there were five or six member states that really had a national framework for critical infrastructure protection, and many others that didn’t have one, or, you know, they really needed to amend it heavily because it was obsolete or not taken care of on all aspects.It can be said that the European program has really created that first spark that has enabled the EU to be in the state of play it is nowadays because, for the first time, it has really asked the member states to discuss national security outside of their own border, but in a joint, coordinated manner.HostSo, there were some significant changes to the program in 2016 and 2020. I would love to hear about them.LazariAfter a very long journey between 2008 and 2016, the EU in, um, 2016 has decided to move a little bit to focus not only on the critical, physical aspect of critical infrastructure but also on the cyber dimension. Of course, the member states were already dealing with that, but the real pro of the EU is that there is a harmonization effort going on.In 2016, we had the promulgation of the so-called Network and Information Security Directive. This really adds an important layer now on top of the CISR policy, which is very focused on cybersecurity or what we call “operator of essential services.” This new term that is different from critical infrastructure has been introduced to identify all of those services that are delivered through the mean of the network and information system. So, really, to narrow down the focus on the cyber dimension, of course, completely integrated together with the physical aspect, because these are absolutely complimentary. We cannot deal with one or just the other. You need to deal with all of them.And it is very important to notice that even though this first NIS—Network and Information Security—Directive was promulgated back in 2020, on the 16th of December, 2020, the European Commission proposed already an amendment of this directive to launch the second directive, the so-called (Network and Information Security 2 or) NIS 2.You can see that, here, the policy life cycle has been shortened because, normally, there is a very long policy cycle between one policy and another. You have an average of eight to nine years, even 10 sometimes. Here, you see that between 2016 and 2020, you have the promulgation of the first directive, already, in 2020, the proposal. And it’s very likely that in early 2023, this will alter its course, partially substituting the first one, but adding a lot more efforts and a lot more sectors. They go from 19 to 35, so there is a huge recognition and an improvement in the terms of sector.There is also the intent to differentiate between coverage of an essential service and important service. So to create also sort of criticality assessment between the two lists of designated operators. So, I think this is very important. There is also the announcement of the cooperation among the countries, the announcement of the functioning of the EU Computer Security Incident Response Teams—so, better sharing of information regarding the incident and some support.Last but not least, also, I can tell that, uh, 16th of December 2020 can be remembered as one of the really landmark of the EU CISR because on the very same day, apart from the proposal on the NIS 2 directive, same European Commission, sending a very strong message, published the proposal also for the . . . for the so-called Critical Entities Resilience Directive.Also, here, you see a new terminology, critical entity and resilience, that goes . . . it’s very far from critical infrastructure protection. So not only we move, like, the focus is really on resilience, so in being able to withstand, to bounce back after something has gone wrong, but, also, the commission introduced the term “entity.” This is also a clear message that the type of infrastructure that we can designate is not only old style, like we only operate private operator, but entity has been used also to identify offices, departments of the public administration and the government that are really pivotal for the functioning member states and the new institution and so on, so forth.So you see that we move from operator to entities and from protection to resilience. So I think this really be remembered what . . . of the days in which really the EU has recalled the importance of the complementarity of the physical and cyber protection and resilience and the importance, also, of the states and the public administration and the governments in securing national security, EU security, and the international security because, of course, this go beyond that.HostGoing forward, what does critical infrastructure security and resilience look like for the US and the EU?LazariEven though we have this really great example of the European program for critical infrastructure protection, the PDD-63, all the executive orders, you know, every one of them in the US are very comprehensive in, you know, tackling the problem in the way it should be tackled and with all the effects that they have on the European Union, on the allied countries in NATO and so on, so forth.I think that there is some things that . . . on which we . . . we really need to improve. One of these is hybrid threats because we often talk about physical and cybersecurity, but we do not consider the hybrid threats that are all these actions below the threshold of warfare that are still to the entity or to the state or to the operator that is targeted. There is no clarity which is who’s behind these actions. It . . . these actions are also coordinated. So, there could be a state or nonstate actor that has decided to put under pressure certain systems, certain layers of our modern society, and it can be done with a combination of conventional and unconventional types of plot. And this is, for sure, one of the hot topics.The European Union has already recognized the importance of hybrid threats in 2016, and, in 2020, there is two specific documents that are being released on the point they’re working out in creating a framework for governments and public administration to try and recognize some key indicators that there is hybrid threats, that you are subject to hybrid threats, because you haveto . . . to imagine this extremely complex type of environment. It’s a number of events that are not correlated because they’re happening here and there. Therefore, you don’t have control on all of them, and, therefore, you cannot really see through the fog what’s going on. You just see the vertical events, but you don’t see the horizontal plot. Social tension, fake news propaganda—they are all part of this big element.Another thing that I think is part of the hybrid threat but is not properly dealt everywhere is that nonfinancial side. We know that all these operators of critical infrastructure, the way you want to call them, or critical entities or operators of essential services—they are companies. They may be on . . . on regulated market, on the stock exchange, on support. Therefore, someone may acquire them, part of them, part of the ownership.To me, the way we scrutinize a certain operation on national critical infrastructure is not yet clear because certain strategic infrastructure should remain of national property. I don’t mean it should be public. I mean that it should have national shareholders with minimum shareholders from abroad because they are strategic infrastructure on which, first of all, speculation shouldn’t take place, but, also, you have to imagine that once you see someone in the, you know, in the board of directors, everything is discussed there, immediately goes as to where as soon as the meeting is over. This shouldn’t really happen. And this is not only happening at the scrutiny, it’s already taking place for big infrastructure. For example, Italy has procedures for that. It’s very advanced, but the . . . the way the . . . the law is tuned on very big operations leaves every small operation outside.Here, we fall into another problem: third parties. It’s not only about critical infrastructure. Critical infrastructure relies on a constellation of third parties. Sometimes, they are also very small companies. They are very important in the supply chain. We don’t know who owns them. There is a little bit of scrutiny the company does on those other companies, third parties, but it’s not enough. So, the vetting procedure, the scrutiny procedure, they should really improve because we need to be sure that we are relying on the right people—that when something is going wrong, will help us out of the mud instead of leaving us in there. To identify friend or foe, as the . . . the military would say. So, this is, to me, among the hybrid threats, the financial aspect—also, the financial or third party. So, trustworthiness of the third party. Third-party risk assessment, to me, is fundamental.HostDo you have any final thoughts before we go?LazariOne last thing that is taking place anyway because of our footprint on planet Earth is climate change. To me, we need to work on the sustainability of critical infrastructure, and we need to do climate change risk assessments. This is something that already the Critical Entities Resilience Directive will ask to critical entities that will be designated under this directive in the future to do.So, to assess what is the impact of climate change on critical infrastructure, you have to imagine that the weather, among other things, is considerably changing. Fifteen years ago, no one could hear about, you know, medicane—that is, the . . . this Mediterranean hurricane, for example, in the Mediterranean. I come from the south of Italy, I’ve never heard about. We never heard “hurricane,” but, all of a sudden, in the last five years, we have initial glimpse of what it could look like, hurricanes. Of course, the proper hurricane, the one that you are experiencing in the US, you know, are much, much different, and their force of devastation is much higher. But, still, I can tell that these medicanes are already threatening our critical infrastructure because they have not been designed to withstand this type of event.Even though some of those that are designed for withstanding certain types of very severe weather events, they can be still disrupted, but ours are not designed at all. So, you can imagine the impact of if these hurricanes keep coming, and they keep increasing in . . . in their strength, the way they . . . we see them behave in other countries that are severely hit by hurricanes, this could really pose a threat to our critical infrastructure.So, for sure, the climate change has to be assessed. We will find ourselves with operators that have been used, like, operating extreme cold and in heat wave and the other way around. Operators used to work in extreme hot having cold wave, and, therefore, the reliabilities of these infrastructures may change, may be really threatened because they are not designed to operate in different condition or in very severe warm or cold. So yeah, that’s another thing that I would definitely take into account that will challenge critical infrastructure in the future.HostThank you for your time. Thanks for your contribution. This was a real treat to talk with you.LazariThank you very much indeed, once again, for inviting, and, uh, all the best.HostLearn more about the CISR frameworks of the United States and the European Union at press.armywarcollege.edu/monographs/955.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information: Alessandro Lazari has been working as a specialist in critical infrastructure protection, resilience, and cyber security since 2004. He is currently a senior key account manager at 24 AG, focused on incident and crisis management in Europe. From 2010–19, he provided policy support to two key initiatives at the European Commission: the European Programme for Critical Infrastructure Protection and Strengthening Europe’s Cyber Resilience. Lazari is a fellow in legal informatics at the University of Lecce’s School of Law (Italy) and a lecturer at COE-DAT’s Protecting Critical Infrastructure Against Terrorist Attacks course. He is the author of European Critical Infrastructure Protection, published in 2014 by Springer Inc. He holds a master’s degree in law and a PhD in computer engineering, multimedia, and telecommunications.

In most urbanized societies, water is taken for granted and little thought is given to how fragile the supply of this vital resource can be. A water emergency, however, such as a treatment plant outage, a water source contamination event, or natural disaster has the potential for significant disruption to society and the infrastructure that depends on water to function. Most other sectors of critical infrastructure, as well as activities of daily living, are highly dependent on the water sector. As a result, consequences of a water emergency can be significant and may occur immediately without notice depending on the nature of the event. Thus, the security and resilience of the water sector is a key component of a nation’s civil preparedness that can have military and international implications as well. Terrorist threats to water delivery or contamination of water sources as a terrorist act can impact a nation’s ability to move and sustain its military forces and project military power when required. From the perspective of the North Atlantic Treaty Organization (NATO), threats to the water sector in one member state could have ripple effects that limit or diminish NATO’s military mobility and force projection in support of its essential core tasks.Therefore, it is important to understand water sector risks and find ways to effectively mitigate them. While this chapter focuses on the US water sector and uses a case study from one of its most important metropolitan areas, the chapter provides a helpful framework for other Allies and partners to understand, adapt, and employ to their specific circumstances.This podcast based on Chapter 8 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1) provides a foundation from which to better understand the criticality of water sector resilience. While this chapter focuses on the US water sector and uses a case study from one of its most important metropolitan areas, the chapter provides a helpful framework for other Allies and partners to understand, adapt, and employ to their specific circumstances.Watch the webinar: https://youtu.be/G1OD24HEh94Read the book: https://press.armywarcollege.edu/monographs/955/Keywords: critical infrastructure, crisis management, security risk assessment, water sector resilienceEpisode Transcript:“Water Sector Resilience in the Metropolitan Washington Case” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on strategy welcomes Steve Bieber, author of “Water Sector Resilience in the Metropolitan Washington Case.” Bieber has more than 30 years of experience in leading development and reform and water security, public policy, and environmental regulation. He’s currently the water resources program director for the Metropolitan Washington Council of Governments.Welcome to Conversations on Strategy, Steve. Thanks for joining me today. You recently contributed to the book Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. Your chapter is about water sector resilience. Give us an overview of the water sector, please.Steve BieberSure, so thanks for having me on. You know, water includes both water you drink and (water) you use for bathing and cooking and so on. But obviously when you’re done doing all of that stuff, it has to go somewhere—which is down the drain and to a wastewater treatment plant. But probably the other part that folks don’t think about a whole lot is the source of the water in the first place. When you think of the water system and working with water utilities, usually the three biggest components are the source of it, collection and treatment of that, distributing it, and then treatment at the end when you’re done using the water.Just to give folks a little bit of perspective, here in the Metro Washington region, the average daily demand for drinking water (and it goes up and down depending on the time of year) is close to 500 million gallons a day. We’ve got over 14, 500 miles of water mains (so that’s more than the miles of roads we have in the region) and almost 120,000 fire hydrants. So if you ever think about the challenge of maintaining something like that … you know, and over 1,000,000 metered accounts and a little more than 5 million people who are served by public water and sewer.HostTalk to me about the risks and threats of the water sector.BieberYou know, I’m sure people have seen in the news lately—especially with what happened in North Carolina (electrical substation attack in Moore County on December 3, 2022)—you know, a lot of terrorism and Black Sky events are in the news. Those things can be a threat to the water sector as well. So there’s physical security threats like that but also things like climate change, rising sea level, aging infrastructure, you know. We have some infrastructure here in the Metro Washington region that dates back to the 1800s, and there are instances that sometimes they find pipes made out of wood when they’re doing main break repair.You can imagine trying to keep up with operations maintenance. And just repairing things like that over such a vast network is pretty hard. And so, from the utility perspective, you’re dealing with all sorts of threats. You know, natural threats, man-made threats, accidents that happen (whether it’s a contractor striking a pipe and breaking it or an oil spill in your source water, all sorts of things) and you have to be prepared to deal with all of it.HostSpeaking of dealing with it, what are the key steps in resiliency planning?BieberSure, so I’ll start out maybe by saying a little bit about what resiliency is. So for the water sector, broadly, you can define it as the ability for a water utility to maintain their operations despite a challenge like, say, a water main break, and recover from the event as soon as possible. And we already talked about the stressors. Whether it’s weather, accidents, or some kind of intentional act, the idea is to be able to bounce back as quickly as you can.The other thing to be mindful of is resilience extends beyond just the utility and encompasses dependent and interdependent sectors, so things like the energy sector, health care. A big one in our region here is data centers, which are very dependent on water for cooling. All those local and regional assets are connected. And sometimes seemingly distant threats to resilience in another region can affect utilities here. So, for example, a spill in West Virginia could affect our water supply here in Metro DC, just as one example. And a lot of times these cross-sector dependencies are deep and complex, so it’s really important to think about those when you’re looking at doing resiliency planning.So here in the Metro Washington region, we actually do studies routinely to look at things like adequacy of our water and wastewater infrastructure to meet demand. So say we’re forecasting out to 2050. Do we have enough treatment? Enough distribution? Enough collection system to meet growing population and employment and all of that?We’ve historically looked at things like drought, which we know happens from time to time. And we do studies on that every five years to see do we have adequate infrastructure in place to be resilient against the drought of record. But one thing we decided to do a few years ago is expand that and take more of a system resiliency approach to look at other threats and hazards, not just drought, and see where we maybe have vulnerabilities and also see where we could make investments to buy down the risk from certain threats.So we got some federal grant money to do that. And let’s say you could kind of break down the steps into five phases. So, the first one was data collection and establishing system capabilities. So that was working with all the water utilities in our region. We held a series of workshops and determined, sort of, what do you have in terms of water treatment? Where do you get your source water from? How much distribution capacity do you have? Collect that all into one database, so we have a good baseline of what’s the capability that we have now. And then the second step was establishing a risk framework and defining a level of service. So basically, thinking about different failures events, how likely are they to happen, and what level of service do we want to have in the event that those things did happen? That’s really an important driver because I’ve seen utilities that use as their level of service in an emergency one gallon per person per day. I’ve seen others that have planned around 20 percent of your average daily demand. So as an example, if the average household uses 100 gallons a day, being able to provide 20 gallons a day, well, that’s 20 times more than one gallon.We used here, for our planning purposes, Average Winter Day demand, which would be even more than that. So as you can imagine, when things are changing by 20 times or 30 times, you’re planning assumption the capability you need to have to meet that demand is going to be vastly different, too. So once you’ve defined, you know kind of your level of service, the different failure events or scenarios you’re planning around (whether it’s intentional events, accidental events, weather events), you need to look at all of those and define what would the consequence be if those different things happen. For our purposes, we measured as how many days would people be out of water, and we called it people outage days. So it’s a combination of how many customers are affected? How many days would they be out before you could restore the water? And you can also use that to figure out an economic impact using some figures that FEMA and others put out. What would the cost to the region be under those different scenarios? So you can put a dollar amount on it.There’s other ways that you could quantify consequence. It could be things like, is there some critical mission in your region that if this happened you wouldn’t be able to fulfill? So say like for a military installation or something, or a nationally significant piece of critical infrastructure, and if the water was out it would impact that nationally significant infrastructure. So there’s other ways to measure it, but that’s the way we went about it.Once we had the scenarios we’re planning around, the likelihood of those things happening, and the impact, basically, if they happened, we identified different improvements you could make to mitigate those risks. So, it could be anything from interconnections between the different water systems and improving those to building more storage so you’re not dependent, say on just one water source, but you have storage, say in our case, like we use the Potomac River as a major source of our drinking water, having more storage off the Potomac River so if for some reason it wasn’t available, you’ve got an alternate source you can go to for a long period of time or a longer period of time. And then we used some simulation modeling to figure out which combinations of improvements (so whether it’s storage, interconnections, other types of improvements), which ones actually buy down the risk the most? Are there combinations of things you could do that buy it down even more? And you can basically put things into what I would call different buckets of combinations of scenarios, compare the benefits of one to the other, you can also see if there’s synergies of doing things in a particular sequence. And then you can find out which one basically has the best benefit-cost ratio. And once you have that information, you can come up with a plan for improvements of how you want to make your infrastructure more resilient.We kind of put ours into three categories. One was what we called “no regrets” improvements. So those would be things that the benefit-cost ratio is very high. It’s probably something you could get done quickly, and there’s an operational benefit to it. So even if the scenario you were planning around, say, a spill event or some kind of an attack, never happened the benefits to it still make it worth doing anyway. And then we had some that were more short-term—so things that had a high benefit-cost ratio and could be accomplished pretty quickly just because either the cost was low or there’s just not a long lead time to plan it and execute the improvement. And then there were other things that were sort of longer-term. If you’re looking at, say, building a new reservoir or something like that. That’s a major capital project. It’s not going to happen quickly, and you have to build that into your risk modeling. If it’s going to take 10 years to build something, you’re carrying the risk for that 10-year period until it’s built. And so you have to factor that in in determining which things you’re going to pursue. But we ended up with a mix of things that could happen quickly, kind of medium-term and longer-term.HostYour chapter uses Washington DC as a case study. I would love to hear more about this.BieberYou know the Metro Washington region, I think we’re the 6th largest metro region in the country, and, of course, on top of that, the home of our nation’s capital, a lot of the federal agencies, and we have a number of military installations in the region, too, and some nationally significant critical infrastructure. And we also have a long history of cooperating among the water and wastewater utilities here. We have agreements that go back several decades, cooperative water supply, cooperative wastewater treatment—different things like that. So we’re used to working together in the water sector to solve big problems.Especially since 9/11, everyone’s had more of a focus on security. But I would say in the last five or so years, that’s really shifted to not just security but security and resilience. And so that’s why we wanted to work together to look at what opportunities are there, not just at one utility alone but as a system in the region to collaborate and make improvements so that the system that serves the whole region is more resilient as a whole. And so that’s what drove us to take the systemresilience approach I talked about a moment ago—looking at things that are cross-cutting across the region, and that we could collaborate on together, which complements the individual utility vulnerability assessments and planning they’ve each done on their own. So, it was kind of another layer on top of that to identify things that are more regional system-wide, and bigger impact. And things that also, you know, you could work with your neighbor, maybe, to buy down the risk and be more resilient. More so than doing something on your own.HostYou talked about simulations and planning and resiliency. How do you test for this? Do you have to wait for an event to happen? Is there a way to do a test run?BieberYeah, that’s a really good question. So no, you don’t have to wait for an event to happen. Most risk-based approaches, whether it’s the one we used, or there’s some slightly different ones that are used in other sectors, but they have a lot of things in common. And one of those things is getting a group of subject matter experts together.In this case, it was our utility companies together, talk about scenarios of events they’re concerned about. In some cases, this is things that have actually happened before. So, say, like an oil spill or a water main break or a failure of equipment—like a pump failure or something like that. And they have a pretty good idea of how often does that happen? How likely is it to happen? If it happens, what are the consequences of it happening? And so those are real events that we have data on, and we can put a pretty good number to it. But then there’s other things that you also want to look at that are more hypothetical.So how likely is it that a rail car could fall in the Potomac River? Or how likely is it that you’d have a terrorist attack? You know you can go down the list (not an endless list of scenarios, but of scenarios that are things that maybe keep utilities up at night). You know it could happen and it would be, even though it’s a low probability, a very high impact event. And using this same group of subject matter experts, kind of put a number to each of those.So, in our case, we kind of had bins of things of like, “it happens once every 10 years,” “it happens once every 30 years,” “It happens once every 100 years.” Or maybe it’s less than one every 100 years, but you can get an idea of sort of how you would figure out how likely is it to happen. And then you can combine that with your estimate of if event A happened, how many people would be out of water? How long do we think it would be before we’d be back on our feet, and we’d restore water service? And then you can combine those things. So, the likelihood of it happening, the consequence of it happening. And you can get a sense of between those two things how worried are we about that and begin to come up with a list of which things are the most concerning, which things are the least concerning, and a bunch of stuff in between.And you can also put costs to all of that, which allows you to get to the benefit-cost of here’s how much it would cost. Here’s how likely it is to happen, (and) the impact of it, and you can calculate a benefit-cost ratio that. We used a pretty sophisticated modeling approach, but my point of bringing this up is if you’re a smaller utility or you just don’t have the resources to do that right away, it’s not like you need to throw up your hands and go, “Oh well, I can’t do anything.” Because you can get a group of your own employees together and just use your best professional judgment on which things are we most worried about? How likely do we think they are to happen one relative to the other? What would the impact be if it happened? How much would it cost us to bounce back from it, or to mitigate it? And what’s the cost to our customers, even if it’s just how long they would be out of service? And you can use that to come up with a pretty good list of priorities that’s probably going to be very close to what you would come up with if you used the more sophisticated modeling approach. And at least it gets you started.HostWhat are your recommendations for water security and resilience?BieberI’m a big proponent of data-driven decision making and using a risk-based approach. In the water sector— all public utilities—they’ve all been required already to do a vulnerability assessment to come up with security plans, different things like that. So, you already will have a lot of the data you need to get started, but, of course, the landscape is dynamic. It’s always changing. You know you may have the vulnerability assessment you did a year ago. Maybe it was five years ago. But it at least gives you a starting point. And then I would say take that, get a group of subject matter experts together, and just start going on developing a risk-based approach to planning. And there are a lot of good resources available online.American Water Works Association actually has standards for the J 100 standard for doing this kind of planning. So that’s one standard that’s widely followed in the water industry, but there’s also tools that are available for free. So, if you go search US EPA and water resilience, you’ll find a couple of tools they have online that you can get started with today. It will ask you questions. You fill it in as you go along, and you’ll get some recommendations out at the end. They have one that’s specific to climate change and building in resilience to that and another that’s more generic and more geared toward the types of events like we’re talking about, you know, whether it’s intentional or accidental events.Yeah, you do a little poking around online, you’ll find more tools, too. Another good resource that a lot of the utilities here in our region have taken advantage of, and if you’re in the US is available to you for free, is connecting with your protective security advisor. So, the DHS cyber and Infrastructure Security Administration they have protective security advisors in every state. In our case here in the DC metro region, we actually have three. They will come out and do a risk and resilience assessment of your infrastructure at no cost. And they can cover all sorts of things from physical security, other types of events like spill events, or other things like that. They can even come out and do a cyber assessment if you’re more worried about cyber risk and how to mitigate that. They’re free. It’s a good way to get started, rather than waiting and not doing anything.Whether it’s online, someone coming out for free, hiring a contractor, getting started with your own employees, there’s lots of ways to get going and take a risk-based approach and see where the opportunity is to make yourself more resilient. You know, buy down the risk on things you think are either most impactful or most likely to happen.HostWhat a great list of resources. Thank you for sharing that. Also, thank you for your time today.BieberYeah, I appreciate having the chance to talk today and look forward to working on more of this in the future.HostLearn more about water sector resilience at press.armywarcollege.edu/monographs.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information: Steve Bieber has more than 30 years of experience in leading development and reform in water security, public policy, and environmental regulation. He is currently the water resources program director for the Metropolitan Washington Council of Governments (MWCOG) and is responsible for managing its water resources programs, including the regional Anacostia Restoration Partnership, water security programs, drinking water and wastewater planning, drought management, urban stream restoration, and other related environmental programs for local governments and water utilities in the Washington, DC, area. Bieber holds a bachelor of science degree in zoology from Michigan State University, a master of science degree in oceanography from Old Dominion University, and a master of public administration degree from the University of Baltimore.

Communications form the critical backbone of the modern world, connecting more people and more devices more completely than ever before. The benefits of this hyper-connected society drive ever-increasing reliance on secure, reliable, and resilient communications. Potential adversaries to the North Atlantic Treaty Organization certainly understand the importance of communications—those they seek to target and those they use themselves—so it is critical to fully understand the sector, the risks it faces, and the best ways to mitigate those risks.This podcast based on Chapter 9 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1) provides a foundation from which to better understand the criticality of communications for national security and emergency preparedness and common important characteristics of the sector and their implications for security and resilience.Click here to read the book.Click here to watch the webinar.Keywords: communications, critical infrastructure, cyber threats, crisis management, security risk assessmentEpisode transcript “Communications Resilience” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government. Conversations on Strategy welcomes Chris Anderson, author of “Communications Resilience.” Anderson’s, an incident management and infrastructure protection expert with three decades of government, military, and private-sector experience. He’s currently the principal advisor for national security and emergency preparedness at Lumen.Welcome to Conversations on Strategy, Chris. I’m glad you’re here.Chris AndersonThanks for having me.HostYou recently contributed a chapter to Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. Your chapter talks about communications resilience, the backbone of the modern world, in your words. Give us an overview of the communication sector, please.AndersonIt’s really hard to overstate how important commercial communications is to government and military communications of all kinds. So, sort of the traditional national security kinds of things—command-and-control networks, intelligence sharing. Even highly classified information typically travels over commercial networks for a big part of its lifespan. But then as you start thinking even in more detail, things like civil preparedness, police, fire, EMS discussions, how you issue civil defense alerts to the civilian population, et cetera. On top of all that, communications is critical to economies and the citizenry in general.In the US, we’ve started this concept called national critical functions, which sort of distinguishes the inherently governmental functions from the other things the nation needs to be able to do in order to have a vibrant economy and support the government and keep citizens safe, et cetera. And comms is really central to a lot of those national critical functions.The sector itself is incredibly diverse. So when we talk about communications, and in the book chapter I talk about sort of the breadth of communications as encompassing sort of the traditional wireline services. You know, twisted pair copper and fiber optic cables that make up the old, you know, Bell telephone kind of networks that have now become the broadband connections that we all use in homes and businesses throughout the world. It also includes wireless communications. So wireless, you know, everyone thinks of 4G point-to-point5G cellular communications, but wireless also includes things like point-to-point, microwave and other uses of the radio frequency spectrum.There’s the cable business, which is in some ways very similar to wireline. I like to stress cable in particular because I think there used to be a civil defense perspective of like, well, that’s not really critical infrastructure. You know, if somebody can’t watch Game of Thrones for a day or two, that’s not a big deal. But increasingly, the cable companies provide the same sort of broadband backhaul, for example, that enables wireless communications. So they’re really critical too.Similarly, with broadcast. Broadcast TV and radio, not just about entertainment, but in some ways that is the most survivable, giving you that one-to-many communications capability to reach a large number of people. One of the things I like to say is, you know, “you can hand crank a radio. And so a citizen on their own, with nothing more than a radio with a hand—crank you can communicate with that person in a pinch.”And then, of course, satellite networks which are themselves undergoing a massive transformation right now.Across all five of those segments, though, there are a couple of things that I think are important to keep in mind as we think about communication resilience. Probably the biggest one is really over the last 20 years, the massive transition of communications technology from primarily analog to primarily digital. So the transition to Internet Protocol packets for voice, for video. Almost everything that’s pumped over radio frequency is now packetized, digitized, and then reassembled on the other end. That meshed and packetized network is, by its nature, resilient. The packets can travel multiple paths, and, in fact, that’s the whole design of the Internet. It was designed to be resilient, and if that path is no longer available, now I’ll go this path, and I’ll still get the packets there in time.The market itself is highly competitive the different carriers and cross modes and within modes are fiercely competitive with each other. But at the same time, the nature of the business requires that we work closely together as well. So it’s this strange sort of coopertition (cooperation + competition) model that makes it all work.You know, for example in interconnection, the whole point of communication networks are to be able to communicate with whomever you want. And so that means we have to exchange traffic with each other from carrier to carrier, from mode to mode, in order to get those packets where they need to go. And that interconnection implies a couple of really critical things. One is the importance of international standards so that things will work across these vast and disparate networks, (for example) the need for very big companies to work seamlessly with very small companies who have very different perspectives on how to operate their networks. And it also means that we’re generally interconnected with potential adversaries. So the network of networks that is the Internet has a lot of players on there and not all of them have our best interests at heart.The last thing I think is important to understand about communications is just how tightly integrated we are with other critical infrastructures. Pretty much every other critical infrastructure relies on comms for it to be able to function in its normal capacity. And comms is itself reliant on other critical infrastructures—in particular, heavily reliant on commercial electric power. And where commercial electric power is either out because of a temporary disturbance or is simply not available, then the continued availability of liquid fuels for on-site generation becomes really, really important.HostLet’s talk about threats to communications. What are the ways in which the integrity, availability, or confidentiality of communication systems might be degraded or compromised?AndersonIn the book, I talked through the “Big Three” set of things that can impact communications infrastructure. The first one is natural disaster and there’s physical attack. And I’ll lump in there industrial mishap kinds of accidental damages. And then same thing on the cyber front. There is cyberattack and cyber misconfiguration mistake kind of issues. There are some similarities across those three and some differences to tease out among them.So in terms of natural disaster, you know, sort of the gamut of bad things Mother Nature can throw at us also damage information systems and communication networks. So that’s storms, hurricanes and tornadoes, and derechos and you name it. Those can variously cause different types of physical damage either to key facilities (central offices, Internet exchange points, or to conduits, either underground cabling or aerial fiber. Stuff that’s not aerial, tends to be more susceptible to things like flooding or even to things like train derailments, or things that can damage the conduits—earthquakes for example). The other thing that natural disasters tend to do is impact the availability of commercial electricity. So if commercial electricity isn’t available then access to alternate fuel sources becomes really important.There’s also Mother Earth’s environment. So there’s geomagnetic storms and space weather that can impact satellites and can impact, depending on the frequency bands, radio frequency spectrum to varying degrees.Transitioning more to sort of the man-made attacks. Physical attacks. Either attacks or mishaps. As I mentioned, that sort of meshed packetized network makes these harder to be impactful, but there are still areas of concern around, for example, choke points. So things like undersea cable routes often have either one viable path (the cheapest shortest path where you’ll see a lot of cable stacked up) or they’ll be natural choke points. You know, for example, in the eastern Mediterranean Sea, there is a pretty tight choke point just off the coast of Egypt. A bunch of undersea cables run through there and then run down through the Red Sea on their way to wherever they are. They also have other concentration points like Internet exchange points and sort of massive data centers, which all by themselves can be huge and massive and important assets, but they often cluster together. Thinking about physical attacks, bombs and cutting of the cables, there’s also the less-nefarious accidents that can accomplish the same thing. Whether that’s, you know, construction facilities and a backhoe tearing through your fiber optic cable. And then finally, there’s, in the radio frequency world, spectrum-based attacks, so spoofing and jamming are also ways that you can physically, I’m doing air quotes here that you can’t see because it’s a podcast, but it’s a similar kind of attack vector.And then finally there’s cyberattack vector. So comms is an interesting character in this realm because we’re both a conduit for those attacks. But we’re also a target. And so those targets, in turn, target exactly as you teed up the confidentiality, the integrity, the availability of networks and data through a range of methods.I mean from an availability perspective, there are distributed denial-of-service attacks, where you flood the target system with so many requests for service that the system just can’t answer all those requests and it becomes unavailable to legitimate use. There’s ransomware where you’re able to, you know, get the ransomware on a system (and) shut it down so now it’s unavailable for its normal uses.Or disruptive malware. In terms of confidentiality, you have, you know some of those same players . . . ransomware, destructive malware, also routing attacks that target the ability to how packets determine where they move and the path that they take to get from the originating server to the destination server. If you can hijack that route, you can put a man in the middle and either listen in on those packets as they transit or potentially reroute them to somewhere else.And then finally, there’s integrity attacks on communications. Again, ransomware, advanced persistent threats. And I think integrity, in particular, with the book’s focus on critical infrastructure with respect to terrorist attacks, thinking through the potential complex attack scenarios where adversaries may seek to harm the integrity of communications so that they can control messaging. So that’s attacks on broadcast networks, on social media, on the places people will go for “reliable” sources of news that if the adversaries are able to track the integrity of those, they can amplify the effects of, say, a physical attack that’s coupled with, you know, social media and misinformation/disinformation.HostWhat are your suggestions for improving communications resilience against terrorist attacks or other threats?AndersonWell, I think in the interest of time, I’m going to limit it to sort of three things that I would talk about in terms of lessons learned. The first one is blue Sky relationship building. If you think back to even the way that I described how communication systems work, comm providers need to work with other comm providers who need to work with first responders who need to work with national security and national defense experts. And those relationships can’t just happen after “Boom” has happened. And now you need to figure out how to work together. It’s really important under blue-sky scenarios. To establish those relationships, work through how are you going to coordinate flow of information? Flow of request? What’s the disaster reporting process so people know in advance here’s what kind of information the government is going to need. And here’s the format I’m going to give it to them. And oh, by the way, what’s the definition for this one esoteric thing that actually means something different and different contexts. It builds those cross-sector relationships. Not just from comm provider to comm provider but making sure that we’re working with other infrastructure providers, especially energy, but not only energy. And then exercising and testing how all that stuff will work. So when the black-sky day comes, you have mechanisms that you’ve built out that you’ve practiced. That you know how to use. With people you’re used to talking to. You just can’t overstate enough how important that is in this public-private partnership.The second suggestion I would have is, you know, really methodically, look to identify and mitigate risk. So I talked earlier about those sort of choke points and concentration points. Make sure if you have mission-critical communications that you understand what that path diversity is. That it’s not just logical path diversity, but it’s physical path diversity, depending on your resilience needs. It doesn’t maybe necessarily buy you all that much to have two redundant circuits if they both go through the same central office or over the same undersea cable, et cetera. And then using, on the cyber front, you know, whatever baseline practices are most appropriate to your communications network, know them and use them. In the US, we use the NIST cybersecurity framework. The sector itself has done a huge amount of work to tailor what the NIST framework means to the different subsets of communication. But really, those cyber best practices are the really important resilience builders upfront.And then the third thing is to think through what will be the likely post-incident resilience enablers? How do you get comms back up and on its feet quickly so that the impacts of any disaster or any attack are minimized? And the big three that always come up, whether it’s an attack whether it’s a natural disaster are access, fuel, and security. So access. How are first responders or the military or whomever going to control who gets in and gets out to the disaster area. And making sure that commercial providers understand where they are in that hierarchy (and) what they need to do in order to be properly credentialed to get in at the point at which it’s appropriate and safe for them to do so.The second one is fuel, so it’s not just, “Hey, how do we prioritize commercial power.” But in a disaster where commercial power has been significantly impacted, suddenly the demand for those alternate fuel sources is going to be huge. And thinking through how that prioritization is going to work, which doesn’t even necessarily mean comms should be at the front of the line because there are going to be hard decisions to make. Does the hospital get that truckload of fuel? Does the state Emergency Operations center get it? Does the central office facility that’s routing everyone’s communications get it? But you need to think through those things in advance because that’s gonna be a critical decision point, a critical resilience enabler for post-disaster preparedness.And then the last one is security. After a big, particularly a broad (in terms of geography) disaster or attack, security is going to be an issue. So communication providers are going to be very concerned about putting personnel in harm’s way where it may or may not be safe. They’re going to be nervous about putting expensive equipment out in a field somewhere if they can’t secure it. And certainly, in this sort of a post-disaster environment, we’ve unfortunately seen that generators are pretty high-value commodities. And a generator that’s sitting on its own in a field next to a cell tower is a pretty tempting target. So thinking through how our government and industry going to work together to identify what’s safe. What’s appropriately safe for communications providers to put people and equipment out in the field, and then what are the ways that we can work together to make sure those are kept safe over the course of their response?Those are the big three—blue-sky relationship building, identify and methodically mitigating the risks that you see, and then thinking through what post-incident resilience enablers are and how you’re going to function them. And if you can do those three things, you’ll go a long way towards building communications resilience for your nation.HostSo much food for thought here. Thank you so much for your time and for spending it with us today.AndersonGreat, thanks for having me.HostLearn more about enabling NATO’s collective defense and communications resilience at press.armywarcollege.edu/monographs/955. If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information: Chris Anderson is an incident management and infrastructure protection expert with three decades of government, military, and private-sector experience. He is currently the principal adviser for national security and emergency preparedness at Lumen, a US-based global network provider and tech company. He previously held various senior leadership positions in emergency management and national security at the US Federal Communications Commission and US Department of Homeland Security. Anderson began his career as a US Navy helicopter pilot, completing 24 years of active and reserve service. He holds master’s degrees in national security strategy from the National War College and in management information systems from Bowie State University, and he received his undergraduate degree from the University of Virginia.

This podcast based on Chapter 1 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1 answers the questions: What is critical infrastructure? Why is it important? What is the difference between critical infrastructure protection (CIP) and critical infrastructure security and resilience (CISR)? What are some of the key terms defined in national CISR policy? What are the core areas of activity or work streams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations?The answers to these specific questions provide the contextual basis for understanding why CISR is a quintessential societal task for maintaining national security, economic vitality, and public health and safety in a world filled with increasing levels of risk. For NATO member states, building and enhancing CISR at the national level is necessary to safeguard societies, people, and shared values and also provide the foundation for credible deterrence and defense and the Alliance’s ability to fulfill its core tasks of collective defense, crisis management, and cooperative security.Click here to read the book.Click here to watch the webinar.Keywords: CBRNE, critical infrastructure, cyber threats, crisis management, security risk assessment, CISREpisode transcript “Understanding Critical Infrastructure” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Conversations on Strategy.The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes Ronald Bearse, author of “Understanding Critical Infrastructure,” featured in Enabling NATO’s Collective Defense: Critical Infrastructure and Resiliency. Bearse is an expert in critical infrastructure protection and national preparedness, with more than 23 years of experience in the US Department of Defense, Homeland Security, and Treasury.Ron, welcome to Conversations on Strategy. You recently contributed to a book, Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. I’m looking forward to hearing about your chapter, but first, thank you for being here.Ronald BearseWell thanks Steph. Yeah, I’m happy to discuss that with you today.HostWhat is critical infrastructure?BearseAlthough there’s no real global or standard or universal definition of critical infrastructure, most, if not all, European and NATO nations, which have a national CIP or CISR policy or national plan, define critical infrastructure as those physical and cyber systems, facilities, and assets that are so vital that their incapacity or their destruction would have a debilitating impact on a nation’s national security, economic security, or national public health and safety.We kind of understand them (and most people do) as those facilities and services that are so vital to the basic operations of a given society 9like the one we live in) or those without which the functioning of a given society would be greatly impaired. In our book, for example, we talk about critical infrastructure sectors. Here in the United States, for example, we have 16 critical infrastructure sectors where assets and systems and networks, whether they’re physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our national economic security or public health and safety. Those sectors include, here in the United States, and for most Western nations, the same types and same sectors, such as the chemical sector or the dam sector, commercial facilities. Communications sector. Critical manufacturing. The defense industrial base. Emergency services obviously is one. Energy. Financial services sector, food, agriculture, government facilities, healthcare and public healthcare sector. Information. Information and technology. Nuclear reactors, materials and waste sector. The transportation infrastructure sector is huge as well. As well as water and wastewater systems. So there are a number of economic areas, and we call them sectors, that have critical infrastructure, the loss of which would really be a problem.Within NATO, Allied Command Operations defines critical infrastructure as a nation’s infrastructure, assets, facilities, systems, networks, and processes that support the military, economic, political, and/or social life on which a nation and/or NATO depends.NATO mission readiness depends on the assured availability of critical infrastructure. Let there be no mistake about that. Critical infrastructure, which I should mention is mostly owned by the private sector. For example, during large NATO operations for exercises, about 90 percent, and that’s nine zero percent, of military transport, relies on civilian ships and civilian railways or civilian aircraft.HostWhy is critical infrastructure important?BearseCritical infrastructure is vital because it enables a nation’s productivity and quality of life and economic progression by driving economic growth and creating jobs and improving efficiency. It also provides essential services, such as energy and water, electricity, and transportation. It also connects communities via transport and communications networks, which enables the flow of goods and information—not just across the country but between countries and across the world.Another reason why it’s vital has to do with the fact that it’s highly interconnected today, Stephanie, meaning that critical infrastructure systems often depend on other areas or other critical infrastructure to operate. If it is severely disrupted or destroyed, it can cause severe catastrophic consequences, locally, regionally, nationally, and even globally. And also, if it happens in one sector, you can have cascading events that can cross over into other sectors as well. An increasing number of nations depend on critical infrastructure located in another country, or worse, controlled or operated or owned directly or indirectly by a foreign adversary. And yet another reason is that millions of critical infrastructure systems and the gazillions of devices which connect to them are connected to the Internet. And because of that, you know, we see that there is that vast increase of vulnerability attached with those devices.We’ve all witnessed how COVID-19 and the ongoing Russian invasion of Ukraine have impacted critical infrastructure. The critical infrastructure of NATO and partner nations—those nations face a rising, unprecedented wave of malicious cyber activities and destabilizing and devastating consequences—and public and private entities that are indispensable to the functioning and well-being and cohesion of allied societies (such as energy providers and telecommunications operators and banks and hospitals). And we’re certainly aware of the current situation, hybrid warfare and real actual warfare at the conventional level. And Europe and Ukraine and seeing how critical infrastructure is being targeted that way.HostIn the context of keeping critical infrastructure safe and functioning, what’s the difference between critical infrastructure protection and critical infrastructure security and resilience?BearseHumankind has been protecting critical infrastructure for thousands of years, Stephanie. It goes back a long time. In the Peloponnesian Wars, infrastructure then that nations fought over included ships and grain and ports and brick walls around the cities, if you will. And wells where water was. And you know, 1,000 years later you had the fall of Rome. And with the fall of Rome, you had the contribution of the aqueducts falling apart for a variety of reasons. But again, critical infrastructure in the Roman Empire. The shift that has happened over the last 20 years alone is due to the fact that stakeholders have learned that it’s almost impossible to protect critical infrastructure from all the growing risk factors that they face—where we are moving from the protection of critical infrastructure to securing it and making it more resilient against threats. For example, when we talk about security. Security in the CISR, the S, if you will, means reducing the likelihood of successful attacks against critical infrastructure with the effects of natural or man-made disasters through the application of physical means or defensive cybersecurity measures. And resilience is the ability of critical infrastructure to resist, absorb, recover from, or successfully adapt to changing conditions, including attacks.The concept of critical infrastructure security and resilience is particularly useful to inform policies that mitigate the consequences of such events and speak to the vital need, again, for nations to develop and implement a comprehensive risk-management strategy.Karen McDowell, who 10 years ago was an information security analyst at the University of Virginia, said something that still haunts me and should actually haunt everybody listening in today. I believe she said, “public opinion isn’t going to lead the push to better protection of critical infrastructure since most people aren’t aware of the security issues and don’t even know that they are at risk, let alone understand the risks to critical infrastructure.”HostWhat are the core areas of activity or workstreams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations?BearseThere are really three essential tasks—assess the risk, improve security, enhance resilience, right? It’s all in those three. That’s the basic process. But the process of accomplishing those three tasks can be extraordinarily complex and a continuing challenge because it requires numerous what I call “streams of work” to be performed by a number of stakeholders—such as government agencies, (whether they’re federal, state, regional, other types of government agencies), the owners and operators in the private sector themselves of critical infrastructure, academicians, people who do research, subject matter experts, international organizations, technology vendors, people that run the ISACS (information sharing and analysis centers). I mean, there’s just many, many, many stakeholders out there. But what’s really, really important is that the major work streams basically include the following. All these are discussed in the book and how they are applied at different levels and case studies and whatnot. But we need to establish very clear roles and responsibilities for all stakeholders. That’s a major workstream just doing that—identifying and determining the criticality of a nation’s infrastructure. The protection of critical infrastructure is a national responsibility. NATO doesn’t go out and identify what’s critical for other nations. It’s up to that nation to do that. It’s up to that nation to figure out what they’re going to do. NATO can certainly help them. The nations help each other as well, and we certainly want to help our partner nations.So another big workstream here is mapping critical infrastructure dependencies and interdependencies. Determining critical infrastructure vulnerabilities . . . I can’t say enough about that as a workstream. Using applicable risk management, risk analysis, and risk management tools, if you will. Risk assessment tools and approaches. A lot of different critical infrastructure sectors have defined some very good tools to use to do risk-based assessments. They are available to NATO and NATO partner nations.Establishing crisis management capabilities is important. Another key workstream is establishing public-private partnerships between government and private-sector owners and operators of critical infrastructure Establishing and implementing collaboration and information-sharing mechanisms between government and the owners and operators is also important. Developing and exercising continuity of operations and information technology, disaster recovery plans, and providing physical and cyber security and resilience measures is a big workstream, if you will. Ensuring the integrity and security and continuity of critical infrastructure supply chains is huge. Expanding opportunities to deliver CISR education and training. Another key workstream, this one it’s dear to my heart, is implementing a robust (and when I say robust, I mean thorough) test training and exercise program to determine the extent to which a nation’s current CISR policy or legislation or plans, procedure, systems, research and development efforts, you name it, are either meeting, falling below, or exceeding prescribed requirements and established standards.Another key part of the workstream that’s vital to this is fostering the local, regional, national, and international cooperation, collaboration, coordination, communication, and concentration that is required to produce results. So, one of the reasons why this book was actually published is because more nations need to be developing and implementing a national CISR policy.There are many reasons, again, why countries haven’t started down this road, Steph. Let me just share with you the top five really quick. The top three basically, and I believe these are in the correct order, are money, money, and money. The fourth reason is that most countries have been protecting things that they deem important or critical the same way for many years. The military protects W and X. The minister of interior protects Y. And the Department of beta protects Z. And rarely do they coordinate their efforts due to turf, territory, and tradition. And the fifth reason revolves around the realization that CISR is complex, and it is one of the most difficult things a country can do. Even if it had the money and resources to do it.The good news in this, Steph, is that the book that we are discussing today and it’s follow-on book provides several lessons to be learned as I call them. Good practices. Case studies, methods, tools, (and) approaches and experiences that are designed to promote the security and resilience of all NATO populations and strengthen their ability to function in a way that most people want them to during crisis management and to support collective defense or external operations. Failing to achieve CISR goals or objectives is going to reduce NATO’s mission capability and adversely impact member states’ collective societies because critical infrastructure is the foundation on which vital society and economic functions depend.HostThank you so much for your time today, I really appreciate it.BearseThanks, Steph. It’s been a pleasure talking to you and your listening audience. And again, it’s a hot topic. It always will be. And it’s a great way for nations to strengthen their capabilities and for the avid reader in national security, if he really or she really wants to, wrap their head around why things are happening in today’s world and how we could get a better grip on preventing some of those bad things from happening, these books also represent good reads, so with that take care.HostSame to you, thank you.Learn more about critical infrastructure, why it matters, and how to protect it in the monograph visit press.armywarcollege.edu/monographs/955.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information:Ronald Bearse is an expert in critical infrastructure protection and national security preparedness, with more than 23 years of experience in the US Departments of Defense, Homeland Security, and Treasury. He is an adjunct professor at the Massachusetts Maritime Academy and an adviser to NATO’s Centre of Excellence for the Defence Against Terrorism (COE-DAT), where he teaches in COE-DAT’s Critical Infrastructure Protection Against Terrorist Attacks training program. Bearse earned an undergraduate degree in political science and Soviet studies from the University of Massachusetts at Amherst and a master of public administration degree from George Washington University. He is a distinguished graduate of the US National Defense University and a former senior fellow at George Mason University’s Center for Infrastructure Protection and Homeland Security

In 2014 NATO’s Centre of Excellence-Defence Against Terrorism (COE-DAT) launched the inaugural course on “Critical Infrastructure Protection Against Terrorist Attacks.” As this course garnered increased attendance and interest, the core lecturer team felt the need to update the course in critical infrastructure (CI) taking into account the shift from an emphasis on “protection” of CI assets to “security and resiliency.” What was lacking in the fields of academe, emergency management, and the industry practitioner community was a handbook that leveraged the collective subject matter expertise of the core lecturer team, a handbook that could serve to educate government leaders, state and private-sector owners and operators of critical infrastructure, academicians, and policymakers in NATO and partner countries. Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency is the culmination of such an effort, the first major collaborative research project under a Memorandum of Understanding between the US Army War College Strategic Studies Institute (SSI), and NATO COE-DAT.The research project began in October 2020 with a series of four workshops hosted by SSI. The draft chapters for the book were completed in late January 2022. Little did the research team envision the Russian invasion of Ukraine in February this year. The Russian occupation of the Zaporizhzhya nuclear power plant, successive missile attacks against Ukraine’s electric generation and distribution facilities, rail transport, and cyberattacks against almost every sector of the country’s critical infrastructure have been on world display. Russian use of its gas supplies as a means of economic warfare against Europe—designed to undermine NATO unity and support for Ukraine—is another timely example of why adversaries, nation-states, and terrorists alike target critical infrastructure. Hence, the need for public-private sector partnerships to secure that infrastructure and build the resiliency to sustain it when attacked. Ukraine also highlights the need for NATO allies to understand where vulnerabilities exist in host nation infrastructure that will undermine collective defense and give more urgency to redressing and mitigating those fissures.Click here to read the book.Click here to watch the webinar.Keywords: critical infrastructure, cyber threats, crisis management, weaponizing critical infrastructure, security risk assessmentEpisode Transcript: Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Decisive Point, a US Army War College Press production focused on national security affairs.The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Decisive Point welcomes Dr. Carol V. Evans, editor of Enabling NATO’s Collective Defense: Infrastructure Security and Resiliency, which was published by the US Army War College Press in November 2022.Evans is the director of the Strategic Studies Institute and the US Army War College Press. She brings 30 years of expertise in the areas of mission assurance, crisis and consequence management, asymmetric warfare, terrorism, maritime security, and homeland security. Since 2014, Evans has been a lecturer at the NATO Center of Excellence for the Defense Against Terrorism in Ankara, Turkey, where she teaches its Critical Infrastructure Protection Against Terrorist Attacks training program. She holds a Master of Science degree and a Doctor of Philosophy degree from the London School of Economics.Thanks so much for joining me. I’m really excited to talk with you today.You recently edited a book for NATO, Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resilience. Why this book? Why now?Dr. Carol EvansWell, let me take a step back and that is explain to our audience why NATO? The SSI (Strategic Studies Institute) has had and enjoyed a very strong relationship with the NATO Center of Excellence (for the) Defense Against Terrorism in Ankara, Turkey. This book is the result of a joint research project between the two organizations. COE-DAT (it’s acronym) really focused on looking at critical infrastructure because terrorist attacks against that infrastructure have been increasing in time. And so, when we think about critical infrastructure and why now, we also need to examine the fact that infrastructure is being increasingly targeted; you just need to take a look at the news, for example, of the Russian attacks against the Ukraine infrastructure. Or if you look at, within Europe, strategic penetration by the PRC and some of their economic investments in telecommunications, in real estate, and even in the port infrastructure. All of this portends of two things. One, using critical infrastructure as a weapon of war, weaponizing that infrastructure. And so, we really need to understand critical infrastructure and the future of warfare. It’s going to be a tool for our adversaries. So, the timing was perfect for us in this book. It took about a year and a half in the making, but it is really so current and so relevant, given what we’re seeing happening right now on the battlefield.HostWhat can readers expect from this work? Can you give us an overview, please?EvansSure, it’s a lengthy book, it’s I think, coming in at around 400 pages. First of all, I brought together a team of incredible international experts in critical infrastructure. Some of the authors come from high levels of government. Some of them are industry practitioners. Some of them come from academe. And some are from, you know, some of the most important government labs and other actual NATO centers of excellence. So, with this huge intellectual capability, we broke the book into four sections.The first one looks at the evolution of threats to critical infrastructure, and we start with the basic question “What is critical infrastructure?” Luckily, both European and US definitions are in agreement, but we need to understand why infrastructure is so important and why it is being targeted and how has that threat to infrastructure evolved over time.So that first section looks at (the) beginning with the kinetic threats to infrastructure. This is very much apropos of, sort of, terrorist means to target infrastructure, as we’ve also seen with Russia. I’m not saying they’re the same. I’m just simply saying we have states using kinetic attacks against infrastructure as well as terrorists. And then it has morphed; I guess about 10 years ago we saw increasing cyberattacks against that infrastructure, globally, and then hybrid warfare (where you have a mixture of both cyber and kinetic). So that’s sort of the first section.HostWhat does the second section cover?EvansLooking at what we call the lifeline sector. So, we wanted to provide case studies from each of the lifeline sectors, namely the energy sector, transportation sectors—so we have a chapter both on threats to civil aviation that has been often targeted, as you know, (not just airplanes but also airports). And also mass rail transit. You can harken back to Spain or the attacks against London and the underground.Following transportation, we also look at telecommunications, and this is really important, as well as water. A lot of people don’t think about the water infrastructure, but it’s really really vital for many other infrastructures. And that’s why we call them lifeline(s)—because they’re so key to the quality of our life. And if you think about, particularly, energy—all of the other infrastructures rely on energy, so there is massive interdependencies between these infrastructures.So each of the authors in those chapters really give some good case studies of both cyber and kinetic threats to that infrastructure and also discuss some of the measures, maybe to try and build that resiliency in our book, as you referenced, Critical Infrastructure Security and Resiliency. So both, how do we protect that infrastructure? But we know it’s going to go down at a certain point. Therefore, how do we build the resiliency back?HostWhat does the latter part of the book bring to the conversation?EvansIt’s the tools and measures to build security and resiliency. What’s nice about this book is it’s not a US perspective. It is not a European perspective. We have authors from around the globe. And so they’re bringing their different backgrounds and subject matter expertise to help owners and operators or governments that have an infrastructure responsibility to think about what those tools might be. So, we first start with looking at both US and European frameworks—critical infrastructure, security resiliency frameworks—and what are then, sort of, the key policies. What are some of our key organizations? For example, here in the United States, it’s the Department of Homeland Security (and) CISA is the key organization. And then what are some other types of best practices that we can use, such as information and intelligence sharing? So, policies, practices, organizations, and how those frameworks have really helped incentivize both the government and private sector to work together to build security and resiliency.Some other tools are modeling and analysis of critical infrastructure interdependencies. As I mentioned before, you know, energy, water—all of those sectors are very interrelated and interdependent. And so we need to understand if you’re going to lose, say, one part of your grid, what are the cascading impacts? You need to have a good sense of that situational awareness because dollars are scarce. So where can, if you’re an owner of infrastructure, or if you’re a government that needs to incentivize private owners, where are you going to put those dollars?So you have to understand where the risks are greatest to that infrastructure failing. And that, the whole subject of risk, is another category that we look at in terms of the tools. How do you conduct security risk assessment(s)? How do you develop a risk management approach? And that particular chapter provides people, government, and industry with some of those best practices to develop their own risk programs.And then, finally, of course, you have to talk about infrastructure and protecting it from cyber risk. So, cybersecurity is a big chapter, and that chapter focuses on the need for really good cybersecurity hygiene when it comes to industrial control systems, also known as SCADA systems. Here, the author does a really great job of explaining why SCADA is subject to such vulnerabilities. Often companies or infrastructure are using their business enterprise networks and are connecting those to their operational side where the SCADA exists. So that opens up vulnerabilities for penetration and attack. So threats, you know, lifeline sectors and then the tools to build security and resilience is really what the book is all about.HostYou touched on this a little bit earlier. In addition to editing this work, you contributed a chapter as well: “Hybrid Threats to US and NATO Critical Infrastructure.” I’d love to hear more about it.EvansMy chapter really focused the reader on why should NATO, or why should the Department of Defense, care about infrastructure. And so my chapter really goes pretty much in-depth, looking at three potential hybrid threat vectors to critical infrastructure. And the first area that I look at in my chapter is . . . I examine how Russian penetration, as well as some of our other adversaries, have been very active in our electric grid. And as a consequence, that infrastructure can be compromised. And this is especially important when we think about particularly from US installations and bases. We are reliant on the private sector to provide our power. That was not always the case. You know, back in the 50s, a lot of our bases had our own water supply systems, our own power-generation capacity. But over time, we have privatized most of those services, and so hence, we’re now reliant on the private sector to provide those goods and services. But how well is their cyber security?So as I mentioned, the Federal Bureau of Investigation has cited Russia inside our grids. If we were to think about, for example, suddenly needing to deploy to support NATO, (if) we needed force projection into the European theater. If our bases go down, that’s going to interfere with our troop movement. Or if we’re along our rail systems. Or if we’re in ports where we know that those can be compromised, how will we successfully sustain a force-projection movement of some particular size and scope? So, I show how that’s a key vulnerability for us.The second area that I look at is how our adversaries are targeting the logistical infrastructure within NATO itself. We’ve seen in Russia how logistics have played such a crucial role in their inability to successfully invade Ukraine. We’re sort of on the back foot as well, equally, because of the penetration of some of the key infrastructure sectors within Europe. Our ability to sustain ourselves, and to mobilize within the theater can be very much compromised. So I go into quite a bit of detail there.And then the final area that I look at is the strategic investment by the People’s Republic of China into the European Defense industrial base. Chinese companies are now owning big swaths of many of the ports in Europe. There’s a lot of Chinese investment and ownership, particularly in the southern part of Europe, in their electric grids. But also, when we think about supply chain resiliency, the Chinese company Huawei has been very active in terms of trying to sell telecommunications within Europe. All of this portends, then, to when we need to fight a war with NATO in Europe, is that infrastructure going to be there when it’s largely owned and controlled by foreign adversaries? So I think this is a really important wake-up call, particularly for a number of countries that haven’t been as attentive to the strategic penetration by the Chinese in their own infrastructure.I then conclude my chapter by looking at some of the measures NATO has been doing to address some of these issues—building capacities such as NATO Center of Excellence Defense against terrorism and leading the charge there. But building other centers of excellence, for example. More recently, again, in Turkey, we have the establishment of the MARSEC (maritime security), and they, too, are looking at the protection of maritime infrastructure. So, a lot of organizational capacity, ongoing, as well as the European Union, taking a harder look and passing not so much regulation but guidance to their member countries to review purchases of their infrastructure much more carefully and with great consideration.HostYou have an upcoming launch event for this book. How can readers participate or even watch it after the launch?EvansWe’ve organized some of our key authors to provide short overviews of their chapters. We will be taking questions. I’ll be actually serving as the moderator, so we hope to have a very good discussion. Mr. Ron Pierce has written a lot on the policy frameworks. Mr. Chris Anderson is going to talk about his communications chapter. Theresa Sabonis-Helf is an expert in energy, and she’s going to be talking about the Ukraine case. And Steve Bieber is an expert on waters. So, it’s going to be a dynamic and engaging panel. And I would look forward to everyone being able to download and watch it.HostI’d like to interject listeners. You can find the webinar at ssi.armywarcollege.edu. There’s also a link to it in the show notes.There’s a lot to unpack in this book. Thanks so much for sharing it with us.EvansI appreciate the opportunity.HostIf you’d like to learn more about NATO’s infrastructure security and resilience, download the monograph at press.armywarcollege.edu/monographs. If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Carol V. Evans is director of the Strategic Studies Institute and US Army War College Press at the US Army War College in Carlisle, Pennsylvania. The Strategic Studies Institute is the US Army’s leading think tank for geostrategic and national security research and analysis. She brings 30 years of expertise in the areas of mission assurance, crisis and consequence management, asymmetric warfare, terrorism, maritime security, and homeland security. Since 2014, Evans has been a lecturer at NATO’s Centre of Excellence for the Defence Against Terrorism (COE-DAT) in Ankara, Turkey, where she teaches in COE-DAT’s Critical Infrastructure Protection Against Terrorist Attacks training program. She holds a master of science degree and a doctor of philosophy degree from the London School of Economics.

21st Century Warfare, Afghan National Defense and Security Forces (ANDSF), Afghanistan, al-Qaeda, collapse, Doha Accord, Grand Strategy, international relations, Military Change and Transformation, Military Strategy and Policy, Pakistan, Security force assistance, Statecraft, strategy, Strategy and Policy, Taliban, Ukraine, War and SocietyKeywords: urban warfare, Ukraine, Afghanistan, modern warfare, Military Strategy, 21st Century warfareEpisode Transcript: “Urban Warfare”Stephanie Crider HostDecisive Point introduces Conversations on Strategy, a US Army War College Press production featuring distinguished authors and contributors who explore timely issues in national security affairs.The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes John Spencer. Spencer currently serves as the chair of urban warfare studies at the Modern War Institute, codirector of the Urban Warfare Project, and host of the Urban Warfare Project podcast. He served over 25 years in the US Army as an infantry soldier, having held the ranks from private to sergeant first class and second lieutenant to major. He also currently serves as a colonel in the California State Guard, assigned to the 40th Infantry Division, California Army National Guard, as the director of urban warfare training. His research focuses on military operations in dense urban areas, megacities, urban, and subterranean warfare.Welcome to Conversations on Strategy, John. I’m glad you’re here.John SpencerThanks for having me.HostLet’s talk about urban warfare. The US Army War College Press has published several pieces on this topic over the years. On a recent Urban Warfare Project podcast, you note urban warfare is the hardest. Can you elaborate on that?SpencerSure. So I’m pretty adamant out of all the places you could ask military units to try to achieve strategic objectives, the urban operating environment is the hardest.Because, one, the physical terrain, right, which is complicated and hard in all areas—high elevation, you know, deep jungles—but the actual element of the urban physical terrain, the three-dimensional, the surface, subsurface, rooftops, the canalizing effect of the buildings, and the architecture of the city that reduce our military’s or any military’s ability to do what they want to do, right? So to do maneuver warfare, to use (intelligence, surveillance, and reconnaissance or) ISR and long-range strike capabilities—it doesn’t get negated; it gets degraded in the urban environment. So I think it is the hardest because of that complexity of that physical terrain.But, by definition, “urban” means there’s people present. By our definition, the US military’s definition, “urban” means that there’s man-made terrain on top of natural terrain. There’s a population, and then there’s infrastructure to support that population. So with the presence of civilians in the operating environment in which militaries will be told to achieve objectives, the presence of civilians means that there will be a limit on the use of force. Because of the law of war, the international humanitarian law, (law of armed conflict or) LOAC, the different names that we use for it—since World War II and even all the way before World War II—most people think that in urban fights, like Stalingrad and, for us, Manila and Seoul—that was just a free range. There’s always a limit on the use of force. So going into it, it’s going to be harder for the military to use their form of warfighting because there’s gonna be limits on the use of force. Of course, there’s the three-block war, where soldiers and commanders will have to be fighting a peer competitor, at the same time dealing with humanitarian approaches and trying to get civilians out of the battle area, trying to save infrastructure. General (Charles) Krulak called it “the three-block war.” And then, of course, we often, when we envision urban warfare in massive operating environments that are urban, we think the civilians are just a hurdle or a concern to protect them. But, you know, modern warfare and old warfare—I mean, the population can be either a challenge, they can be supportive of the military’s objective and actually take part. Of course, they lose their civilian status to become combatants at that point but . . . or they can be completely nonsupportive and be going against what you’re trying to do. And that just complicates it, makes it harder. Right?Next—and I think it’s hard to put, like, which one of these is really the hardest—but the information domain. I call this “the First Battle of Fallujah effect,” although—yeah, that was 2004. The level of the information domain in the application of military power in urban environments is the hardest. The fight for the truth, the ability to hide—it becomes, literally . . . like, one of the primal warfighting functions is to fight in this information domain, as no military unit in the operating environments is gonna be very challenged to hide. All actions will be viewed because every civilian is a camera, an uplink to the global community. There’s so many sensors, and we’ve seen this on the modern battlefield . . . is I can watch live combat as we speak. I can tune in to most cities in Ukraine, and I can actually watch. In war, we talk about these three populations, right: the military, the political apparatus, and the populations. Well, in the urban terrain, those all collide into what we call a “tactical compression,” where the strategic and tactical become one because of the information domain.I could go on for a while because this is my thing. I think the complexity of the urban terrain . . . unlike other areas like mountainous or Arctic warfare, when we asked militaries to conduct operations in urban environments, the complexity, as in the cause and effect of our actions . . . in the urban terrain, just presenting a military force changes the environment in unknown ways.There’s very few cities—and there are some, and there’s been some great writings . . . every city is different. And that’s the challenge of understanding urban environments.The commanders and the political leaders have to understand the risk in second-order effects of the operations. Well, in the urban train, sometimes that’s near impossible. That’s literally the definition of complexity, is “I can’t tell the second- and third-order effects of touching the system on the global supply chain, on the global economic factors, on the regional factors.”Those are just some of the highlights. I know that it’s a podcast and you want me to be brief, but I honestly believe that it’s the hardest place on Earth you could ask militaries to try to achieve political objectives.HostWe’re obviously not the only people thinking about urban warfare. How do other countries like England and Israel look at and train for urban warfare?SpencerSure. So I’ve actually spent a lot of time in England with the British Army, and, of course, I just got back from the NATO Headquarters (Allied) Rapid Reaction Corps conference on urban warfare. So there’re not really a lot of differences between the US and the (United Kingdom or) UK model. But I think, interestingly, what the UK or England has done is that they have embraced that this should be a primary area of training focus and preparations. So they actually put out a mandate saying, “We used to do 80-percent rural and 20-percent urban preparations.” Now they put out a mandate that states all units in the British Army will do 50-percent urban, 50 percent rural. You know, sometimes, that’s just words, but that’s actually translating into budget priorities and how they spend their time.So for me, that was really important. They’ve made major changes at their major training areas like Copehill Downs (Copehill Down), major investments in synthetic and physical training and distributed training. I think it’s really translating. There’s not a different way they approach it. They know combined arms maneuver is the most powerful form of maneuver. But in the urban terrain, you have to prioritize preparing for this hardest environment.Now the Israeli model—there are a lot of differences, just because it’s a different army. It’s not an expeditionary military like, uh, NATO members—you know, NATO partners. So that does actually cause changes in the approach. Plus, they know their likely environments they’re going to deploy into.But spending a lot of time with the Israeli military and security forces, there are differences on how—even their equipment. Because they actually, in their urban warfare experience, will then make immediate changes. And that’s kind of their power of their ability to adapt their technologies. So when they go into a contested urban environment, they will come in with a much more armorized force: a bulldozer in the lead, infantry compartment in their tank so the infantry can get inside of it, an active protection system on all their tanks.And not saying that we don’t have these things, but they’re very deliberate in their approach to going into a completely nonpermissive urban environment. Because that’s their assumption if they’re going in, again, because they have different—whether it’s (doctrine, organization, training, materiel, leadership and education, personnel, and facilities or) DOTMLPF or what of their force design—they can do things like have heavier equipment, have purpose-driven units designed for underground warfare, things like that. So there’s definitely some differences in both models, but there’s also some similarities.HostWould any of their methods or theories be useful for American forces?SpencerSo, absolutely. One of the challenges with urban warfare for us—especially the US military—is we don’t view it as a special task. We train offense/defense in all other military tasks, and we say the environment is a condition, and we’ll make minor changes. But look where we spend our time. We spend our time in the desert, in the woods, and that does translate into military capability. So absolutely, as, especially, the UK really pushes the envelope on “Fifty percent of my time is gonna be spent preparing for the urban environment. I’m gonna change doctrine—really, the whole DOTMLPF spectrum.” They’re on the forefront, in my opinion. And those lessons will translate to the US military. There is a lot of synergy going on between the two. But they’re really pushing.And then in the Israeli model—I think, absolutely, based on their mission sets and their environments, when they adapt to it, I would say, they’re probably at the forefront of the world in the use of information operations when it’s a known urban operating environment. So they have units that are established to do that, their acceptability of risk fighting in the information domain.The problem we get into, especially at the strategic and operational level, is that we think that we’re going to control information when we have to view it as a high a priority as actual fighting. Because we are fighting in the information domain. When Israel goes into the urban environments and does an urban operation, it’s at the top of their priorities for the commander is the fighting in that information domain—and, especially, in things like (Operation) Guardian of the Walls in 2021, where they really showed how they’re advancing the ball on that.HostUkraine and urban warfare: What are the important takeaways so far?SpencerOh, man. So there’s so much that’s going to be learned. I just got back myself from Kyiv, trying to understand the battle of Kyiv, which was . . . we have to take that, as a military, as the most decisive battle in modern era. Russia invaded Ukraine with the intent, the strategic objective of overthrowing the Ukraine political apparatus and taking the whole country. They had to penetrate the capital city. That’s nothing new, right? Like us in Baghdad, Kabul, you name it. But they were stopped by a much smaller military armed by understanding their urban environment better than the opponent. There’s so many lessons that we’re gonna take from just that one battle, when Russia, the second biggest military, was stopped by literally a brigade, and then 10s of thousands of civilians.It wasn’t that the Russians weren’t prepared to fight in urban terrain; they weren’t prepared to understand the requirements of doing large-scale combat operations on force projection, logistical needs that the urban environment puts to a test. So that’s the interesting aspect of Ukraine is that urban warfare will put your operational concepts; your doctrine; your ideals of ends, ways, and means to the ultimate test. It really does.But each one of these urban battles out of Ukraine are different, right? So Kyiv was a different fight than the battle of Mariupol, where time is important to militaries, and a small force . . . again, using the urban terrain features, all elements from information domain to the infrastructure already present were able to hold off 20,000 Russians for 80 days.Operationally and strategically, when you have a political objective you’re trying to achieve, if you can grind your opponent to a halt like that using the urban terrain, that’s powerful. This is evolving, so there’s so many lessons. And, like, Syeverodonets’k, and what urban terrain is most important?Of course, the capital city—that’s a strategic operation that has to be studied. But in my words—and Ukraine shows it—is that all roads lead to urban. “The main goal in warfare is to destroy your enemy’s military” is not true. And modern war puts that to the test. The battles of Ukraine are context, of course, but all roads lead to urban. The idea that you’re going to enter an operating environment and not at least have to secure your logistical lines through urban terrain—it’s just not reality. There’s a long list. I’ve taken a lot. The guy I went to Ukraine with, we’ll have a report on the battle of Kyiv, specifically. Which really does put to question ideals at the strategic level about, like, total defense, where your civilian population is going to rise up. But how do you do that? How do you resource it? What are the legal considerations when you turn civilians into combatants? And there’s a lot of lessons here.HostLooking forward to hearing more about those once you get it all put together. So you mentioned your trip to Ukraine and the battle of Kyiv a couple of times. You want to share any highlights of your trip with us?SpencerSure. So I think if you lay down Russia’s objective, its strategic objective, and then lay down its operational plan . . . which can be argued that they spread themselves too thin. They didn’t adhere to the elements of operational art. You know, they didn’t mass on the critical objective, which was Kyiv. But they did come hard. They did implement a joint forcible-entry objective, inserting paratroopers into an airfield that were then not backed up by enough forces, and they were defeated.They ran into not complications in fighting another military; they ran into complications of things like mobility and countermobility in the urban terrain.The battle of Kyiv didn’t happen, really, in the urban areas that people think about when they think about urban terrain. It happened in the peri-urban. Because Ukraine immediately blew 300 bridges. So we talk about, you know, wet-gap crossings. But if you have 300 wet-gap crossings to do, that’s gonna have strategic implications for your military power if you’re not able to do that.So there’s a lot of lessons here in, like, ancient siege warfare. Kyiv had to just close the castle gates. They dropped all the bridges. They flooded rivers, which was very interesting. They flooded three major rivers to take away all the avenues of approach that Russia wanted to have, right? That’s what we do, right? We have a primary massive avenue of approach, and we have other ones. And they were coming hard, but Kyiv was able, through years of planning, to understand their city to where they could make it really hard to get into the city.Because it wasn’t about destroying the Russian military; they’re never going to do that. They had to buy time. They had to prioritize strategic capabilities like TB2 drones and the limited artillery they had as they fought seven different city fights. But there’s also elements of . . . again, this is about terrain denial. Ukraine was on the defense. And they showed that . . . (Carl von) Clausewitz said that defense is the strongest form of war. Now, it’s not your politically strongest form. But I think there is lessons in Ukraine, especially the battle of Kyiv, when you have to be prepared for defensive operations.We, as in the West, can’t always be the attacker. All warfare includes both offense and defense, and some of that’s the large-scale combat operational defenses. Like the city of Chernihiv. If the city of Chernihiv in Ukraine had not held, Kyiv might have fallen because they would not have been able to fight the way they were fighting because there’s another major axis of advance. But the first Ukrainian guard division (1st Division of the National Guard of Ukraine) held all Russians from advancing south of Chernihiv.I know that the war college and other people will study this in depth. But I think we can’t wait. Some of these lessons are almost immediate to translation to the way we think about massive theater operations. You’re not going to avoid and bypass urban areas. Maybe a few, but it’s going to have implications on strategic capabilities.HostBefore we go, give me your final thoughts.SpencerSo my final thoughts is that when I ask military people about urban terrain, they think about clearing buildings. Urban warfare is not an infantry fight. It will put joint combined arms maneuver to the test. And it is the people that can bring it all together at the point of need that can succeed. But we need to think about urban warfare like it is defined: the actual city, the people in the city, and the infrastructure and how that incorporates into our joint combined arms fights.HostThank you so much. I appreciate your time, your insight, all of it. This was really good.SpencerNo—thank you.If you enjoyed this episode of Decisive Point and would like to hear more, look for us on Amazon Music, Spotify, Apple Podcasts, Stitcher, and any other major podcast platform.

The rapid collapse of Afghan National Defense and Security Forces (ANDSF) in August 2021 was widely anticipated and due to its structural constraints and qualitative decline from 2018–21. This article provides a targeted analysis of ANDSF operational liabilities and qualitative limitations, referencing often overlooked statements by US and Afghan political and military officials, data from official US government reports, and prescient NGO field analyses. The painful ANDSF experience illuminates several principles that must be considered as US policymakers turn toward security force assistance for proxy and surrogate military forces in conflict with the partners of America’s emerging great-power geostrategic competitors—China and Russia.Click here to read the review and reply to the article.Keywords: Taliban, collapse, security force assistance, Afghan National Defense and Security Forces (ANDSF), Doha AccordEpisode Transcript: “Deconstructing the Collapse of Afghanistan National Security and Defense Forces”Stephanie Crider (Host)Decisive Point introduces Conversations on Strategy, a US Army War College Press production featuring distinguished authors and contributors who explore timely issues in national security affairs.The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes Dr. Thomas F. Lynch III, Dr. Conrad C. Crane, and Dr. Todd Greentree. Lynch is the author of “Deconstructing the Collapse of Afghan National Security and Defense Forces” (“Deconstructing the Collapse of Afghanistan National Security and Defense Forces”), which was featured in the autumn 2022 issue of Parameters. Lynch is a distinguished research fellow in the Institute of National Strategic Studies (Institute for National Strategic Studies) of the National Defense University. A retired Army colonel with Afghanistan tours, Lynch publishes frequently on Afghanistan.Crane is currently a research historian in the Strategic Studies Institute of the (US) Army War College. A retired Army officer, Crane holds a PhD from Stanford UniversityGreentree is a former US foreign service officer. Currently, he is a member of the Changing Character of War Centre at Oxford University, and he teaches at the Global and National Security Policy Institute at the University of New Mexico.Thanks so much for making time for this today. Tom, would you please just give us a brief synopsis of your article?Thomas F. Lynch IIIYeah, hi, Stephanie. Thanks for having me here, and great to be with, uh, Con and Todd. I thought it was a good time to publish something that reviewed the history of why it was not surprising that the Afghan national military wound up where it is. And so my article kind of goes into that, focusing in three substantive areas. First, it’s to define the fact that the Afghan military was never designed by the US and its partners to stand alone. There were critical capabilities that it would have required to stand alone against an autonomous insurgency with external patrons that were never present and could not have been expected to be present. Second, I thought it important to chronicle the fact that the important linkages between the Afghan military and, particularly, American support military structures—these were already pulling apart as early as 2018—not in the last year, not subsequent to the Doha Accord (Doha Agreement) of February 2020, but have been pulling apart pretty visibly for those that were paying attention, starting at least in 2018. So I kind of go through what those were as well. And then, finally, I offer here this notion that it is a myth that the Afghan national military fell apart unexpectedly at the end.There were a number of government organizations, government agencies, military leaders, as well as nongovernment agencies on the ground that were reporting flaws, particularly in the morale that were very, very visible starting in 2018 and became acute subsequent to the Doha Accord (Doha Agreement)—that was an accord between the United States government and the Afghan Taliban. The government of Afghanistan was not a party to that. And, indeed, the accord that we signed in February of 2020 really committed the United States to withdraw and committed the Afghan government to negotiate with its enemy, the Afghan Taliban.And the Afghan Taliban, in response to that, gave several promises. They made a formal promise not to attack American and coalition forces, but not to stop attacking Afghan government or Afghan military forces. And indeed, this put the Afghan military forces formally in a place where they had been—at least, informally, since 2018—as the monkey in the middle without the organic, qualitative ability to fight a qualified and capable Afghan Taliban insurgency, but with the knowledge that the United States had a clock ticking, and we were going to get out, and they were going to be left alone. And therefore, it made great sense that they were already bartering and bantering behind the scenes to cut the best deal they could for them and their families and, therefore, to collapse rather quickly once the United States military was fully out of the country and the Afghan Taliban had not politically reconciled with the government of Afghanistan.HostCon, you say our approach to security assistance in Afghanistan was flawed in the very beginning by a problem with advising and assisting. Will you expand on that, please?Conrad C. CraneSure, glad to. My point is this: Since World War II, the United States has made a common mistake in its attempts to advise and assist as we always try to create indigenous security forces that are modeled like us. So we end up with a force that is heavily dependent on firepower, requires extensive sustainment that they really cannot do, which is one of the points that Tom brings up. We create forces that can’t really be maintained or sustained if we’re not there.A new twist in the model has been also an overreliance on elite units. Sir William Slim, in his excellent memoir on World War II, Defeat into Victory (Defeat into Victory: Battling Japan in Burma and India, 1942–1945), has a part where he really criticizes the creation of elite units because they take the best troops out of conventional forces and dilute the quality of those conventional forces. In Afghanistan, we did the same thing. We quickly created an Afghanistan special forces and took the best troops out of the conventional forces, which were much more important than the special forces group we set up. We also had a similar problem with the air force. We gave them the right aircraft, the Super Tucanos, which are much more appropriate and much easier to maintain than sophisticated jets. But at the same time, we set them up as a separate air force. I actually did some consulting with the leadership on trying to fix the problems of the air force, and the air force may have been configured to support the ground forces, but they wanted to fly independent missions like they had B-52s.And also it became the bailiwick at the Afghan elites. So between this idea they were gonna be an independent air force and the elite attitudes, it made any kind of joint operations almost impossible. I mean, a better model would have been US Marine Corps instead of US Air Force . . . have a Air Force was tightly tied to ground forces that independent. But you had the same thing in Vietnam. We tend to repeat these same problems with the way we structure these indigenous security forces.HostTom, what are your thoughts here?LynchFirst, as Con notes, there’s this issue we have post-World War II of trying to make ‘em look like us. But when we don’t make ‘em look like us—and there are many instances where we didn’t, to include going back with the South Korean forces prior to the North Korean attack in 1950—we tend to limit things where we think we have innate ability and where we want to constrain that side from having that ability for fear that they have a different political agenda. So in the case back in the 1940s, early 1950s with the South Koreans, we were concerned that South Korean leader Syngman Rhee would use souped-up artillery and American-style aircraft to go attack the North, which we didn’t want to happen unt il after the North attacked first. We also—early on, in South Vietnam—limited the design and things we provided them because we didn’t want them ranging north and going after the Chinese, for example, and provoking a war there.Here is a highlight in the article. There are two other things that influence the design of the Afghan military forces to, as Con says, look like us, but not all the way to the high end, which is back to my point about them not being able to just stand alone to provide their own security against neighbors in a dangerous neighborhood. The first of those is our concern over costs. We’re concerned that if we give them too much high-end stuff, it’s gonna be too expensive, too difficult. And so, as Con mentions, sometimes, we look beyond that, but other times, we find ourselves constrained by that. And I argue here that’s what we were with the Afghan national security forces, particularly in the 2000s—and we were back and forth and back and forth about “Give ‘em more.” “No, give ‘em less.” “No, we can’t afford it. So let’s us use our equipment that allows for these things that we don’t want them necessarily to have: long-range aircraft that could range into Pakistan, for example, or long-range artillery that could be threatening to other neighbors or lots of long-haul logistics aircraft. But the second piece of that has to go with the regional geopolitics, and that is the limitations imposed by the fact the United States was also conducting the Global War on Terror (war on terrorism) with Pakistan as a vital, non-NATO partner. And the Pakistanis had their own regional concerns.The Pakistanis would work with us when we were going after certain kinds of global terrorists, but, in their mind, there were other kinds of people that we call “terrorists” which they saw as indigenous quasimilitary groups that were important to their existential fight against India, the country that they see as their most worrisome security threat and a country that they felt, for decades, was always trying to find a back door through Afghanistan to produce at least mischief, if not try to topple the Pakistani government. And so it was in an appreciation of our other partner Pakistan’s interests—the fact that Pakistan not only feared India, but also kind of saw the Afghan Taliban as one of those trustworthy militant groups that would stand against Indian nefarious activity in Afghanistan. This also circumscribed the design of the Afghan military forces so they didn’t have long-range strike aircraft. They didn’t have long-range artillery. They didn’t have the kind of logistics that would allow them to campaign because not only do we not want to pay for it, but the Pakistanis didn’t want that on their doorstep, unmanaged by the Americans.So there were those limitations that were always there. Meaning you were either gonna get an Afghan government that was gonna succeed and topple the Taliban insurgency, which we really never got close to when you look, in large measure, because the Pakistanis weren’t with us in causing that to happen. They found a gray-zone area and acted like they weren’t supporting the Afghan Taliban. But, in reality, they were supporting them as a hedge against India. When push came to shove and the Taliban were still resilient and there were no clear political negotiations happening between the (Ashraf) Ghani government and the Afghan Taliban, now, the Afghan military and security forces are truly the monkey in the middle. They’re looking at a US government that said, “We’re getting out.” And they’re saying, “We can’t stand alone against this resurging group of insurgents. As a matter of fact, these insurgents are attacking us now proportionally far higher than they’re attacking the American, the coalition forces, separating us further, splitting us apart, and we can’t manage that because we’re not designed for that.”So there are two parts of this that I try to highlight in the article. There’s our own internal fiscal considerations, constraints, and ideation where we think we’re better to provide these high-end capacity things ourselves to limit the cost of building this Afghan security force modeled like us versus the Pakistani security concerns, which do not want to see those independent characteristics in the Afghan force more willing to trust us as counterterrorism partners with these high insecurities—but, in the process, making it so the Afghan military cannot stand or hope to stand against a lively, vibrant Afghan Taliban insurgency with safe haven in Pakistan when push comes to shove in 2020 and 2021.HostBack to you, Con.CraneAll excellent points. I mean the dilemma, I guess, is the fact that we were always going to leave, and that the question is for those of us involved in the security assistance, trying to create these structures, it’s nice to have an idea when that’s gonna be so you can structure the horses to do that. And, oh, I’m sure I’ll get into this later, and that’s did we really have to leave? We stuck around in Korea for 30 years waiting for democracy to appear and fought a very nasty, low-intensity conflict there in the 60s and 70s. But we still stuck around. You know, Tom’s right. We had a lot of structures there that only we could provide.Again, the question is “Should we have done a better job planning for the for the exit strategyHostTodd, we haven’t heard from you on this yet.Todd GreentreeWhat I have to say is based on experience and things that occurred to me at the time when I was in Afghanistan. I think that both Tom and Con, also, because they were involved, are not dealing from a rearview mirror perspective.I love the monkey-in-the-middle analogy because there are so many dimensions or ways to unpack that idea and see how it applies.The US-Pakistan enormously fraught, complex relationship with lots of history, and the Pakistanis with enormous history. One of the reasons that we never really got a handle on that relationship is because we were not aware enough of our own history with the Pakistanis. So another dimension of their early involvement in Afghanistan has to do with Pas̲h̲tūnistān, and this is the idea that there’s this Durand Line that the Brits drew that crossed across the Pashtun population where the Taliban insurgency came from. And Afghanistan had always tried to take advantage of that with Pakistan by stirring up cross-border sentiments.This was the reason that Pakistan started supporting early Islamic militants in Afghanistan in the early 1970s—to oppose them. But the Pakistanis sent their first Pashtun groups to create problems. Where? Into Indian-controlled Kashmir in 1948. They go way back on this issue.Going back to the security force assistance issue, which I think is a critical piece of putting together the whole strategic picture of what went wrong in Afghanistan: Adding on to Con’s comments about American way of war clashing with Afghan way of war—we also have a huge problem, which is from the very beginning, what was it that the US was focused on? It was focused on counterterrorism—basically, fighting a war. And as we got more and more involved in Afghanistan, that combat role retained its importance. So as we would expect with American way of war, combat forces—elite and not—receive priority. That left security force assistance distinctly in a second-ranked place. A couple of quick ideas from experience: One—first commander I worked for: great guy by the name of Scott Spellman. Scott Spellman is currently commander of the Army Corps of Engineers. And I realized for the first time, working with him: “Hey! Engineers make great counterinsurgents.” Because they build things in difficult circumstances, and he got that.There was, in that same command, a young (military police or) MP who was a National Guard MP who came out of state police force. He brought something to working with police forces that I hadn’t seen before. He wasn’t involved in combat, but his role was extremely important. And then, of course, the negative example which I think everybody saw a lot of: US majors who were assigned as mentors to Afghan general officers.Question for Tom: Given that the intent of the US negotiations with the Taliban was exit and not peace, would it have been possible to somehow or other preserve the integrity of Afghan security forces and maintain the role of the US as a source of stability rather than instability?LynchYeah. Excellent question, Todd. In the article, I intentionally pick up in the summer of 2018 on that point because the way in which we do start finally negotiating with the Afghan Taliban, I would argue—as I do in this article and in some previous writings—does prejudge the outcome. And in this case, the outcome was that we were not gonna have a future military-to-military role or relationship absent something directly happening, which would have been the Afghan Taliban finding a political accommodation with the democratic government of Afghanistan—or, I should say, the government of Ashraf Ghani at that time. And even if that were to happen, as I mentioned in the article, then you would have had to do some kind of combination between current constructed Afghan military forces and Taliban forces to bring those together to do some kind of disarmament, demobilization, disaggregation, stand them in position, and yet here you would be bringing together a insurgent guerrilla force with a counterinsurgent national force. And even there, it was gonna be extremely difficult to do that. The history of governments trying to make that happen is very sketchy in terms of how well it works, how well it doesn’t work, and whether it holds together politically. The bottom line here was so long as the Afghan Taliban was not defeated or neutralized, then two things were vital to understand: Either the Afghan government and its military would have to have continuing outside assistance (the United States, principally, with its coalition partners) militarily as well as to support its economics and government status or the Afghan military would have to stand alone against the Taliban, which was favored by the Pakistanis as a better alternative to a government in Afghanistan that might get too cozy with India in the absence of Big Brother America sitting over the top of everything. So you had this kind of a perfect storm here, so that once you made a decision to depart, when the Afghan Taliban was not out of the picture, you were gonna come up with two very awkward outcomes either trying to piece together a combined military of these two other militaries that were very much opposed to each other—or you’re gonna have an Afghan military that couldn’t stand alone against a well-enabled and well-motivated Afghan Taliban military arm.Once, in 2018 the Trump administration makes the decision to independently negotiate with the Taliban, the writing is on the wall. Informally, at that point, the Taliban and, I would argue, their handlers in Pakistan (meaning the intelligence services in Pakistan)—they got this, and, starting in mid-2018, when the administration signaled they were gonna move in the direction of negotiating America getting out, we see an informal drop that’s noteworthy in the number of Afghan Taliban-claimed attacks against American military or coalition military forces and, also, coalition political and diplomatic support forces. It’s palpable, starting in mid-18, as the Trump administration shifts into this negotiating phase from what had been kind of a miniature surge that was approved by the Trump administration in late 2017 to kind of go and put the Taliban on their heels.By mid-2018, the Trump administration has given up on that, and they’re announcing that they’re gonna start negotiations. And, indeed, by that fall, September of 2018, they announced Ambassador Zalmay Khalilzad, a former ambassador to Afghanistan and expat Afghan, to go and start these negotiations. From that point forward, as I chronicle in the article, you see the Afghan Taliban taking an informal, calculated step to not attack Americans but continue to put the pressure on the Afghan military.And this starts to, I argue, pull psychologically apart what had been a very close and necessarily close relationship between those two. And then, in February of 2020, you get the Doha Agreement signed between America and the Afghan Taliban. And now, it’s formally laid out. The Afghan Taliban agree, “We’re not attacking you Americans. We’re not attacking the coalition. But we’re not making any promises about anybody else.” And we went back to them, and General Scott Miller and others got a special, classified annex—which we know is there, but we can’t know for sure it was in there—but, basically saying, “Well, wait a minute now. If you guys start vigorously attacking the Afghans, then we’re gonna have the right to defend them.” We know, in retrospect, the Taliban never really agreed that that was legitimate. They just tried to step around it enough so they could continue the military campaign while they waited for America to continue to get out. And so I mentioned that because this pulling apart of a military that had to have these support structures—without a concurrent drawdown of the military capacity of the Afghan Taliban in large measure, but not solely, because the Pakistani military intelligence services didn’t wanna see the Afghan Taliban vanish, you were at the point where it was always a matter of how quickly the Afghan military forces were gonna collapse when you pulled out, as we finally did a year ago.HostCon, I’d love to hear your answer to this as well.CraneFor me, the big problem in Afghanistan is we don’t really decide to come up with a counterinsurgency strategy until we’ve been there almost a decade. And by then, it’s just too late. I mean, we have so many lost opportunities early on to try to do it right, and we just don’t.(Carl von) Clausewitz talks about “recognize the nature of the warrior,” and we never quite figure out the great game in that area or what our real purpose is until it’s really too late.LynchYeah, Stephanie, on this point, I think it’s clear that we didn’t devise a workable counterinsurgency strategy. But I think there’s some caveats that matter here.First and foremost, in the mid-2000s, as we were focused on counterterrorism, we treated the Afghan Taliban as a defeated insurgent group. And we, particularly in the Bush administration of the 2000s, accepted the word of our counterterrorism partner, the Pakistanis, that, quote, “They got the Taliban.” They would take care of the Taliban. So that set in place a framework where, as Todd says, we kind of misunderstood the history there. We thought “take care of” meant “take out.” What (Pervez) Musharraf said and what he meant were two different things as we heard it. He didn’t mean “We’re gonna take them out.” He meant “We’re gonna take care of ‘em.” And, in his mind, it was “take care of ‘em as long as you guys are over there are doing counterterrorism stuff and until you leave us alone because we don’t trust that the Indians aren’t gonna come backdoor on us, and we think the Afghan Taliban—as difficult as they are because of Pas̲h̲tūnistān and other things that Todd mentioned—they’re a better choice than a lot of the other choices that could be in Afghanistan.” And the Pakistanis stick to that all the way through.And I have always referred to our efforts at surging in Afghanistan, as we did in ‘04 and ‘05; as we did again in the Obama administration; and as we did again to counter (the Islamic State of Iraq and Syria or) ISIS in 2014–15—I refer to all of those as, at least in some measure, an effort to test the hypothesis that if we put enough military force into Afghanistan and showed kind of a counterinsurgency blanket of Americans that somehow, the Pakistanis would change their security framework enough to say, “OK, we don’t need the Afghan Taliban or people like that. We’re OK with you guys.”And the bottom line is the Pakistanis never made that step. They couldn’t. They found their challenges with India still too dominant and too worrisome, and they didn’t trust that we’d stay there. And, in the latter point, they’re probably right. Whether they’re right about nefarious Indian activity, no matter what, unless the Afghan Taliban are in the mix for them, I don’t know that that’s true or not, but that’s their perspective. Basically, if you count our initial invasion, we took four cracks at changing that security paradigm. It didn’t change. And so, when you talk about inevitability: Were we able to ever win a counterinsurgency in Afghanistan? My answer is not without a change in the Pakistani security narrative about India and Afghanistan backdoor mistrust. And that didn’t happen, and we tested it two or three time. And as a consequence of that, we could never win an insurgency in Afghanistan. But we could succeed in both deterring and then, potentially, defeating a global terrorist network that would take advantage of the Afghan Taliban to plan, plot, and then launch credible international terror against America and our allies.The jury is not still fully in because bad things can still happen in Afghanistan. But if you look objectively at the 20 years we were involved there, you will see that we had measurable success in preventing global catastrophic terror from emanating out of Afghanistan. We have examples, multiples, of exchanges of information between us, the Afghans, even the Pakistani intelligence services allowing us to disrupt plots, plans, and activities either at the source—that is, arresting or killing those on the battlefield, we’re making those plans—or even arresting things that were about to happen, like plots against bridges in Baltimore and other things, plots against American forces in Germany, where we intercepted a guy who was an operative for al-Qaeda before that all happened.So I mentioned all that just to say Todd makes an excellent point that Con falls in on: counterterrorism versus counterinsurgency—it’s fair to say we never got that right. But it’s important to know that Pakistan played heavily in that. But it’s also true to say that if you look at the terrorist side of the ledger, arguably—you know, we can debate whether the cost was too much—but, arguably, we did achieve that particular outcome over the course of 20 years.HostTodd, do you have any comments on that?GreentreeYeah, like, maybe we should have a whole another opportunity to continue the discussion and just fall in on that costs of counterterrorism, its effectiveness, versus becoming accidental counterinsurgents because that’s what we were. Of course, Dave Kilcullen has that book that he wrote, The Accidental Guerrilla (The Accidental Guerrilla: Fighting Small Wars in the Midst of a Big One), in which the central idea is that “Hey, the Taliban are fighting us in Afghanistan because we happen to be in their space. And that’s who they are. They’re Islamic warriors who fight against foreign infidels.” We were accidental counterinsurgents by the same token. The only reason we ended up fighting the Taliban was because they helped al-Qaeda, which got into our space on 9/11—that whole trigger of contingency dragged us into this long, long war that ended up a failure.I’d like to swing back just for a minute and go back to the idea of war termination where we were talking about the problem of “Could the negotiating process have worked out in a way that ended up keeping the Afghan security forces intact and the US having a stabilizing role rather than a destabilizing one?”Start with Pakistan again. I don’t want to make this about Pakistan. But, in some ways, Carlotta Gall came up with a great title for a book about Afghanistan by calling it The Wrong Enemy (The Wrong Enemy: America in Afghanistan, 2001–2014). And, in that sense, the Pakistanis really were the key to getting a handle on this. And because we failed with the Pakistanis, we failed in Afghanistan.Quick point related to that: This was the second time that the US failed with war termination in Afghanistan. The first time was when the Soviets withdrew from Afghanistan in 1989, and we were entirely unprepared to play a constructive role, although there was an effort in actually resolving that conflict. And, again, the Pakistanis were in the middle of that. So the point to me on the second failed effort at war termination is we weren’t really trying to end the war. We were just trying to negotiate an exit. That’s what it was. And if anybody thinks that we were actually involved in war termination or peace negotiations, I think they’re fooling themselves, and we were fooling ourselves at the same time.HostTodd, you brought up some really good questions in our prepodcast discussion, and I’m just gonna throw these out here. And we have about five minutes.Was Afghanistan ever winnable? What should the aims have been? What conditions and time frame might have produced success? Tom, if you wanna start, you can just dig in and start.LynchIn terms of a counterinsurgency, Afghanistan was not winnable. And the monkey in the middle of the Afghan security forces is just a data point of evidence that that was not gonna happen. And a lot of the reason for that is the dimensions of the Indo-Pakistani security dilemma and how we could never find our way through that Gordian knot. We had tried. We hoped that Musharraf would take care of it in the early 2000s. We hoped that a big surge in ‘09 and ‘10 would show our determination and whack the Taliban so hard that they would have to be abandoned as this go-to insurgency inside of Afghanistan. But the Pakistanis looked at that and didn’t take parallel action. They didn’t have any better alternatives, and they still thought we were gonna get out, and they were right. We wound up trying to get out. And then we tried one more time in 2014–15 as ISIS started to appear there and as the Afghan, uh, military, you know, seemed to lose track of al-Qaeda types, and even that didn’t change the Pakistan security [unintelligible word].So my answer previously applies here. I don’t think that the counterinsurgency was ever winnable. Now, what about the counterterrorism aim? The original aim, the dominant one, the thing that brought us there in the first point: to prevent Afghanistan or, by extension, the Afghanistan-Pakistani border from becoming yet again, as it had on 9/11 and before that with other plans and plots by al-Qaeda or global terrorists, from being a point of successful planning, plotting, training, and then execution of global, catastrophic terrorism events on the United States and our allies and partners. There, I think the record is, at least debatably, positive. That is, we succeeded. We didn’t win, OK? We’re not done yet. Al-Qaeda is not gone. ISIS is not gone. Salafi-jihadi terrorism is not gone. But it’s been on its heels for the last 20 years, and we’ve not seen successful execution of catastrophic terror against America and its allies since 9/11 emanating from that part of the world.So I would argue that we can and did achieve success in the counterterrorism mission as defined. We could not have and did not have the ability to win the counterinsurgency. Now the fruitful debate in the future was was it worth the cost of trying to manage both a counterinsurgency and a counterterrorism effort for 20 years to get there? And I think that’s a different and legitimate question that perhaps we can address another time. Thank you.HostCon, we haven’t heard from you in a while. What do you think?CraneI just hope people are listening to this podcast and read Tom’s article because one of my favorite sayings is “We have never been able to never do this again.” So we’ll be talking about this again. I guess I just think there was so many lost opportunities early on. Victory in counterinsurgency is very hard to define. There’s a lot of times the result is a very messy one that can be interpreted either way. It usually ends up in some kind of political compromise where everybody gets something. You know, the problem is the whole campaign in Afghanistan—they were only planning about 72 hours ahead. I mean, we criticize going into Iraq in 2003 for having an incomplete plan for what happens after major conflict ended. In Afghanistan, we had none.And so we were a blind man to start with, roaming around in the dark. Again, we staggered around a decade, and I think there were so many lost opportunities. I’ve been on a couple of panels with . . . with General (David) Petraeus since, and we’ve discussed about could some kind of an American presence have created a more stable result—some kind of a different outcome? Again, victory’s very hard to define. Tom’s talked very well about the impact of when we decide we’re gonna leave, and everybody knows we’re gonna leave.So the question is “Would some kind of a longer-term presence made much of a difference?” I don’t know. Pakistan’s not gonna change. Situation’s not gonna change. I read the press reports every day about what’s going on in Afghanistan right now, and it’s so tragic. Just, is there some way that we could have moderated some of that? I just don’t know enough about if we could or not.HostTodd?GreentreeYeah. Well, I do have an opinion about that. It requires some counterfactual thinking and arguing, but it’s based in, uh, an option that actually existed at the time. And if I can mention, uh, my own article for Parameters in the winter issue: “What Went Wrong in Afghanistan?” It’s really the central point of it. So I thought that one of the things that Tom captured accurately in his article was that as the negotiations picked up steam, by the time the end game came on, the fighting was not what mattered in the Afghan security forces disintegrating. Rather, it was the negotiations that were taking place—not between the Americans and the Taliban, because those were done, but between the Taliban and the Afghan forces directly. Forget the Afghan government. And a lot of those negotiations were being brokered by local elders to get people who are gonna walk away from the army and the police and fold back into their communities or move back, move out entirely. And those negotiations work pretty well because that was one of the things that enabled the Taliban to take over so fast without a lot of residual fight.My argument is that in December of 2001—I gotta go back two decades—those conditions were reversed. The US leading coalition with, you know, the famous, CIA-supported operation with Afghan militia had just overthrown the Taliban emirate. They were done. And the Taliban at that time, in accordance with Afghan way of war, were flowing in to swear fealty to the new Afghan government, which had just been named at this conference in Bonn, Germany, with, uh, Hamid Karzai as the interim president. Local elders were complying with that as well. And very much this is the Afghan way of war. It’s basically common to tribal warfare everywhere that people who are involved in fighting are figuring not their membership in, uh, national institutions or the oath they take to a national government but where their survival is going to exist the best for them and their group, their clan of people.I got to learn very closely when I was in with the command group with 10th Mountain Division in Kandahar at the height of the Obama surge. We were very involved in the areas of traditional Pashtun strength that was both that where the Karzais and sort of the ruling Pashtun aristocracy and the government and the Taliban had their origins. Same exact place. And what the people in the Afghan government were saying—of course, this is many years after the fact—was “Wow, you should have listened to us in 2001 and 2002 because we wanted to disperse the Taliban. They were coming in. They wanted to go back to their villages. We were gonna let ‘em keep their AK-47s but nothing else. Key to this, we wanted to break the relationships with Pakistan, particularly by bringing their families back across the border and back where they had been for many years and back into their communities.” That was an option that was put to the US government during the course of the Bonn Conference. This idea of involving Taliban in negotiations, not necessarily to achieve a share of national power but just to be recognized as a part of the Afghan political process. And that was explicitly vetoed. That option was explicitly vetoed, of course, with Vice President Richard Cheney and Secretary of Defense Donald Rumsfeld calling the shots that “No, we’re nt dealing with the Taliban.” And that in my assessment on this regard—that really is what led us down this path. The enemy was al-Qaeda. They were the ones who had attacked us. They were the focus, and we essentially confused the Taliban with al-Qaeda.HostIn a few sentences, final thoughts from each of you. Con, why don’t you start?CraneI just hope people (are) listening to this podcast and reading these articles because we have never been able to never do this again and all these issues that could come up again. And we just can’t make the same mistakes. We eventually gotta learn from all this.HostTodd?GreentreeSo several years ago I wrote an article about the three movies that help us understand Afghanistan. And, really, they’re about ourselves. But the movies are, of course, The Godfather, Chinatown, and the third one is Groundhog Day.And the point of Groundhog Day is not just that you keep reliving the same day over and over again—because that’s what we’ve been doing on this, as Con says. But because in Groundhog Day, the idea is that you learn from repeating each today over and over, and you advance on that. And that’s where I think that the importance of Tom’s article lies and the three principles, the three conditions that he brings in there at the end: These are things to pay attention to. Otherwise, we’re gonna be stuck in that cycle without ever getting out of it because this is going to happen again.HostTom, will you wrap this up for us?LynchYeah, thanks. I think that’s a perfect setup, and thanks again to Con and Todd for joining in today because that’s where I wanna kind of end as well. It is one thing to go back and say “Yeah, you could see this slow-motion train wreck happening. You could see how we had set the conditions for it in terms of the (Afghan National Defense and Security Forces or) ANDSF and its challenges at the end of the day.” But the question is “To what effect do we go forward from here?” And the first thing I tried to address at the end of the article is that, as Con has said and as Todd alludes to, we’re gonna be here again. We’re gonna be at a point where we have to look at advising allies and partners in the pursuit of our national interests in a region or an area where there are conflicting, competing, or challenging political and security dynamics that don’t necessarily perfectly align with ours. And so the question is “How do you pursue those?”At the level of military forces, you know, my recommendations in the article are that we should make sure that we’re tailoring our support packages for the countries in question if they’re gonna be countries that are working with us or for groups in question if they’re going to be nonstate actors in accordance with what they can do and what they can accomplish—not build them beyond that, not build them so that they’re platinum outcomes, but do that in a way that allows that to be tailored to what they can accomplish in their area, not US-centric forces or combinations.Second is morale of fighting forces that are our partners is not just an afterthought. We have to consider that. Especially, we have to consider that at a time when maybe our political interests and theirs are diverging, right? In Afghanistan, clearly, the divergence was as we decided “We’re going to get out, and we’re going to negotiate independently.” But let’s take, for example, what’s going on right now, perhaps, in Ukraine. Right now, there’s a commonality and alignment of purpose in Ukraine, basically, as the partner/surrogate force standing against the great-power Russia’s viewpoint of domination of its periphery and, you know, establishing who is and who is not in its sphere of influence. Right now, we’re aligned, but that doesn’t mean we’re gonna be aligned necessarily going forward. So how do we plan for that so that we do not come to the unhappy event where we wind up either dislocating a partner, abandoning a partner, or setting the conditions for us to come out worse than we went in?And, finally, there’s this inherent principle agent arrangement any time you’re engaged with assisting partners, whether they be state militaries or surrogate partners that are nonstate. And so you gotta have a plan in place for what happens when you now have divergent interests or divergent ideations where they may want to go one way—i.e., maybe want to go and start, you know, attacking a great-power rival of ours and we like don’t want that because we don’t want the nuclear specter, right? What’s our plan for that and how do we implement it, understanding that sometimes you gotta have these plans quietly because saying the obvious thing out loud also can have very debilitating consequences? In Afghanistan, saying the debilitating thing would have been saying in the middle of the summer last year, 2021, that “Yeah, the government of Afghanistan is not gonna stand. Its military can’t stand. And so we’re just getting our people out of here.” Well, the problem then for the US government was to say that would almost be like assuring the outcome. And that’s what they were hearing from President Ghani and his interlocutors here in America: “No, no. Don’t start withdrawing more people fast. Don’t start taking folks out that have been helping us for 20 years to get ‘em out of the way of the Taliban. Because if you do that, we’re gonna collapse.” Now he wound up collapsing anyway. But, nonetheless, that’s kind of what happens when the principal agent dynamic diverges. And my only point in the article is, as Con says, so we don’t wind up doing this again and doing it badly, think about that going in. So thanks so much for the time, and I really appreciate the opportunity to discuss this.HostThank you to all three of you.If you’re interested in learning more about the collapse of Afghan National Security and Defense Forces, you can download the article at press.armywarcollege.edu/parameters. Look for volume 52, issue 3.If you enjoyed this episode of Decisive Point and would like to hear more, look for us on Amazon Music, Spotify, Apple Podcasts, Stitcher, and any other major podcast platform.