Conversations on Strategy Podcast

The remarkable life of early-twentieth-century British adventurer Gertrude Bell has been well documented through her biographies and numerous travel books. Bell’s role as a grand strategist for the British government in the Middle East during World War I and the postwar period, however, is surprisingly understudied. Investigating Gertrude Bell as both a military strategist and a grand strategist offers important insights into how Great Britain devised its military strategy in the Middle East during World War I—particularly, Britain’s efforts to work through saboteurs and secret societies to undermine the Ottoman Empire during the war and the country’s attempts to stabilize the region after the war through the creation of the modern state of Iraq. As importantly, studying the life and work of Bell offers a glimpse into how this unique woman was able to become one of the principal architects of British strategy at this time and the extraordinary set of skills and perspectives she brought to these efforts—particularly, her ability to make and maintain relationships with key individuals. Bell’s life and work offer insights into the roles women have played and continue to play as influencers of grand strategy.Read the monograph here.Episode Transcript: On The Grand Strategy of Gertrude Bell: From the Arab Bureau to the Creation of IraqStephanie Crider (Host)You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes doctors Heather Gregg and Jim Scudieri. Gregg is a professor of irregular warfare at the George C. Marshall European Center for Security and the author of The Grand Strategy of Gertrude Bell: From the Arab Bureau to the Creation of Iraq.Scudieri is the senior research historian at the Strategic Studies Institute. He’s an associate professor and historian at the US Army War College. He analyzes historical insights for today’s strategic issues.Heather, Jim, thanks so much for being. Here I’m really excited to talk to you today.Dr. Heather S. GreggIt’s great to be here. Thank you so much.Dr. James D. ScudieriLikewise, thank you for taking the time to meet with us.HostWhat did the Middle East look like in the lead up to World War I? Who were the major players in the region?GreggUnlike the Western Front, the war was very different in the Middle East. And I would say this was a big game of influence. And you had major European powers. You had a declining Ottoman Empire. You had the rise of Arab nationalism. And all of this kind of came into a very interesting confluence of events during World War I.ScudieriAnd complicating that amongst major players are … the British don’t have a unified position, so if you look at stakeholders, you need to distinguish between the British leaders in London, those in Cairo, and those in India.GreggThat’s a huge point that there is a great power struggle between these three entities over who should be controlling the Middle East and why. And this becomes important for the story of Gertrude Bell.HostThe manuscript is divided into three periods—during World War I, the period of British military occupation of Mesopotamia, and Britain’s creation of the State of Iraq during the mandate era. Let’s discuss British military and grand strategy in each period. What was British military strategy in the Middle East during World War I?ScudieriSo, there’s still a lot of historical debate on exactly what the strategy was. Some would say there wasn’t much of a strategy, but part of that is strategic games changed as the war progressed, and the war was not going well for the Allies in the early years. And even through 1917 there was a concern that they might lose. So those strategic objectives in the Middle East change as they determine that they will not lose. And not only that, but if you win, what do you want the post-war world to look like?GreggSo yeah, I would add to this that there were some really interesting constraints on Britain and other actors. They didn’t have the manpower to put into the Middle East because it was all being dedicated to the Western Front—or most of it was. They weren’t entirely sure, I would echo Jim’s comments here, about what the strategy should be, just that they wanted to frustrate and try to undermine Ottoman authority in the region. They devised a strategy that worked with and through the Arab population to try to undermine Ottoman authority. So, this is what we would call an unconventional warfare strategy today. But that was supposed to be cheaper and require less manpower than actually deploying British troops, and this is particularly true after what happened at Gallipoli, (which was) for all intents and purposes, a pretty colossal failure.HostSo, this whole podcast is built on your monograph about Gertrude Bell. Let’s talk about her a little bit. How did Gertrude Bell contribute to the unconventional warfare strategy Britain created?GreggGertrude Bell is a fascinating individual. She was a British national. She was one of the first women to go to university at Oxford University. She got a First Class in modern history. She spoke languages. She traveled throughout the region. And she was hired first by the British Admiralty but then became part of a small group in Cairo called the Arab Bureau. And their job was to devise some sort of strategy to undermine Ottoman authority. And there she worked with someone we all know—T. E. Lawrence, known as Lawrence of Arabia. And together, with a small team of between 7 to 15 people, they helped devise this unconventional warfare strategy of working by, with, and through local Arab leaders to try to undermine Ottoman authority.ScudieriShe’s a fascinating character because it reminds historians that you cannot predict the future. You cannot predict it with regard to strategy; you also can’t predict it, with regard to some individuals’ career paths.HostWhy did the initial plan not succeed? How did they adjust it?GreggSo, there was this effort to work through the Sharif of Mecca. This was a family that was in charge of the two holy sites in Mecca and Medina. The father’s name was Hussein, and he had two sons that were very active in trying to foment an uprising within the Ottoman military with Arab officers. Hussein promised that there were hundreds and hundreds of Arab officers that were part of secret societies that he could encourage to rise up against the Ottoman Empire. And it ended up that this just wasn’t true. He over promised what he could achieve. The strategy was largely unsuccessful, this initial strategy.ScudieriThis experience highlights how nothing is easy, and things are hard.HostSo true.ScudieriThe ability to have British support brings not only weapons and equipment, but it brings lots of money.GreggAnd with that, the potential for corruption, making promises to get money to get weapons. And Britain promised, in a series of correspondence between McMahon and Hussein that he would have his own independent Arab state after the war in exchange for this uprising, which, in about a year’s time, did not succeed.So, the second approach was T. E. Lawrence and Hussein’s son decided to engage in basically sabotage against lines of communication, particularly railway lines. And this is what the famous movie Lawrence of Arabia captures. And this was more successful in combination with other things that were dragging down the Ottoman Empire.ScudieriThe success of the strategy underlines how sometimes a better approach is counterintuitive because by focusing on the sabotage, they wanted to starve the Turkish forces in the area of resupply versus the more traditional trying to focus on annihilating the enemy army, which they did not have the power to do.GreggA really interesting observation. And a lesson that still holds today.HostThe British military successfully captured Baghdad in March of 1917, along with Basra, which it captured in 1914. It put two of the three Ottoman vilayets of Mesopotamia under its control. How did Belle help shape British military strategy to address this reality?GreggSo, I would like to echo back Jim’s point that, fascinatingly enough, it seemed that Britain had not devised a strategy for military occupation, even though this became their goal—to take Baghdad. And then they already had Basra. And so, Bell, together with someone named Percy Cox, had to very quickly devise a strategy of, essentially, occupation. And this also didn’t go necessarily well, and I think it forced them (until the mandate era) to really try to keep things in line rather than make things prosper. I don’t know, Jim, what your thoughts are on that.ScudieriSo, mine would be very similar. It’s interesting in some of the primary sources we can see how relatively rapidly the British put together an occupation plan and also tried to pool available talent. And they get by in the course of the war. But the challenges associated with long-term occupation and that transition to mandate, and then some missteps, really blow up after the war.HostWhat were some of the challenges and opportunities in this period?GreggI would say some of the really interesting challenges were also opportunities that might have been missed. So, there was some local leadership and local talent that I think could have been very useful had the British reached out and engaged some of that leadership. From my read of Gertrude Bell, she was rather suspicious of the Shia population and Shia leaders. So, there were some missed opportunities to try to engage the Shia population, which was a good chunk of the population that they controlled. And so, for me, both the big challenge and the missed opportunity was what to do with the local population (and) how to engage the local population and harness local leadership.ScudieriThere’s also some confusion associated with thinking in terms of Arab kingdoms because there’s no unitary Arab nationalism right now. The Kingdoms of British support in the post-war period are really Hashemite. And that doesn’t take account of a very conflicting sense of loyalty to various different tribes and ethnicities, and so on and so forth. And perhaps the biggest one is a difference between the Hashemites and the House of Saud.GreggJust to build on this, and this is an excellent point . . . this was a really interesting decision that Gertrude Bell and T. E. Lawrence actually made, which was to engage Faisal, who was the son of Hussein. And to promote him to be the first king of Iraq. And as Jim just mentioned, he was a Hashemite. He had never actually been to Iraq and was given this leadership position. The British gave him that, and this ended up being a really difficult thing . . . so bypassing local leadership and choosing to engage the leaders they knew as opposed to the leaders, the local people knew.ScudieriThe British also confronted a major problem in the post-war discussions, and that was as they now win the war, and they’re trying to come up with these friendly kingdoms, they have big issues with what are those borders going to look like with France. Their long wartime ally is now going to be a post-war if not adversary, there’s some major post-war disagreements, and you can see that by looking at the documents that talk about (1) The Mosul vilayet, which had unclear borders. At first it wasn’t even clear if that area would be part of Iraq, and if so, where the border would end. And likewise with the borders with Palestine.GreggThis is a really excellent point because then you had the birth of the Republic of Turkey and Atatürk, who also made claim to Mosul. So, you add a really interesting scramble over borders. Over territory. Overlapping claims and rights to it. This was a huge mess that took, in many cases, decades to sort out. Some would argue some of this is still being sorted out.ScudieriA good example of what kind of a wicked problem all of this became was most folks will talk about the Treaty of Versailles, but it took five treaties to end the First World War and it took two with Turkey because Turkey refused to sign the first one.GreggI think this is a fascinating story, too, that you had the collapse of four empires in World War One, right? The Ottoman Empire was just one that collapsed. You had the Ottoman Empire, the Austro-Hungarian, the Hapsburg, and the Prussian empires all collapsed as a result of World War I. And Europe was left trying to sort out what to do with all these lands and their colonies. And it was a huge challenge.ScudieriAnd some of the Allied discussions included Russia, and Russia is now off the table because of the Bolshevik revolution.HostLet’s talk about the third period from the monograph. The war ends in 1918 and the 1919 Paris Conference and Versailles Accords created the mandate system, which required European powers to transition most former colonies and territories of the Ottoman Empire into self-ruled states. How did Gertrude Bell help shape Britain’s vision for transitioning Mesopotamia into the state of Iraq?ScudieriI would suggest that using the term vision might be a bit premature given how quickly events change from trying not to lose the war to figuring out how to win the war and then trying to sort out what the post-war world would look like. But Gertrude Bell is an especially fascinating individual case study because she immersed herself in the culture, in the local conditions, and tried to translate that into the strategic vision for Iraq, which was a very unclear path, in large measure, because of the disagreements between the French and the British, and what that post-war world would look like in the region.GreggI think for me, the thing that was so puzzling about what Gertrude did in this period was, I believe she cared deeply about the people and the region. And you know, she ends up dying in Iraq. She’s buried there to this day. And I believe she cared about the people in the region. However, some of the decisions she made in this period just seem very counterintuitive to me. And the biggest one was creating a Kingdom and putting a foreign individual on the throne as the king. And this was against many Shia leaders wishes. There was an individual named Sayyid Talib (al Naqib). He was deported to Ceylon, which is Sri Lanka today. They got rid of him because he didn’t agree with this decision, and I think, at the end of the day, Gertrude Bell had to weigh, on the one hand, what it meant to be a British national and serve British interests, and, on the other, what was in Iraq’s interest. And I think being a British national was what won in the end.ScudieriAnd for us to understand that I think we should avoid a clear black-and-white dichotomy because it was a lot more complicated than that. And I would return to the post-war competition between Britain and France because that Arab Kingdom was supposed to be in Syria. But the French dug their heels in.GreggThey actually were able to create a kingdom, but it lasted less than a year in Damascus. And then Faisal was deposed by the French and then the British. And it’s, I think, this is a big question of debate, but the British then embraced him to be the king of Iraq.HostWhat were the priorities? What was at stake.GreggSo there’s a big debate on this, too, a big, hot debate on this, that I’ve learned. In the primary source documents, I identified two or three big things at stake. The first is military bases. Britain wanted a seaport, but also wanted air bases. The British Air Force was created in 1918. The first Air Force. They needed a land route in which to get from the Middle East to India, and the bases in Iraq seemed to matter a lot. This came up a lot in discussions. The second thing I would add, and this is the controversial thing, is that I believe oil was a big concern. Britain converted its naval fleet from coal to oil before World War I, and they were coal rich but had no oil. So, the pursuit of oil and securing oil mattered. Everyone was fighting over Mosul because they suspected there was oil. There and that proved to be true. But oil became a major concern. There’s a third argument, which is that markets mattered and being able to have yet more people that could be markets for the British Empire seem to matter. Last, but not least, and I think this is the one piece, hopefully, maybe Jim and I will agree on, is that Britain was an empire and it managed to survive World War I, and it wanted influence in that region. A lot was at stake for Britain, just as an empire, and its ability to wield influence.ScudieriHeather’s made some interesting points there, because those RAF bases are part of having a system that goes hand-in-hand with friendly regimes because the mandate system aren’t going to become long-term colonies. They did understand that at the time. Oil is another interesting point about how priorities change. In 1914, oil wasn’t such a big deal, but the British already did have interest with the Anglo Persian oil company. But war sometimes accelerates change, and the First World War accelerated the importance of oil because the prewar British conversion of the Royal Navy to oil had barely begun . . . about 100 ships, none of the battleships in 1914, are fired on oil in the new class that will come in in 1915 and later will be the first ones that are oil-fired. But the explosion and the demands of oil because of not, just the Royal Navy conversion, but the motorization from horse transport, means oil will have a far more central role in the post war world than it did in the prewar. And even during the war.HostSo let’s Fast forward a little bit. How did it unfold?GreggWell, it didn’t go great. I think it’s fair to say, and, I think for me, this was a very humbling story about you can have good intentions, you can have experts, but this is extremely difficult to do. And obviously, as an American, in the back of my mind is always what happened between 2003 and 2011 and beyond and our efforts to try to stabilize Iraq as part of Operation Iraqi Freedom. But you end up having a major uprising in Iraq that was actually put down by the persisting presence of the Royal Air Force. You have challenges to Faisal’s leadership. You end up, by 1958, the entire royal family is murdered, and Iraq becomes a Republic. You have lingering political instability and ethnic tensions that I think were not a done deal but got exacerbated. By a lot of the decisions made during this period.ScudieriAll of this turmoil is on top of the turmoil going on in the rest of the world. Most people don’t realize how much fighting around the world continued after 1918. There’s still a lot of instability and unreconciled issues around the world. The US has gone largely isolationist. The French, who though determined that they would stay in Syria, if not Lebanon, are really focused on European security because they do not want to allow Germany to rise again. So that’s your primary concern—just trying to contemplate the sheer losses of the war and what came from it. And I’m not sure to what extent they could have forecast in that region, how Arab would be fighting Arab, such as between the Saudis and the kingdoms of Transjordan and/or Iraq.HostWhat are the takeaways? What can we learn from Bell and the British military and grand strategy during this period?GreggI think there’s a lot of really, really valuable lessons here. Some of the positive things . . . I go back to the Arab Bureau; I appreciate that the British military was not afraid to bring in civilians and get a civilian voice. They built a really agile, small, and diverse team. They would bring experts in for certain questions and then send them home and bring other experts in. I think there’s a really interesting story there about team building and problem solving. I think that there are a lot of other very humbling lessons to learn. For me, an eerie similarity to, perhaps what the United States did, was not including the population enough in the stabilization process and in the postwar peace, I think that really undermined British efforts. And needing to work by with them through the population, not just during the war but after is deeply important.ScudieriI would echo Heather’s comments as well as the fact that Gertrude Bell is a fascinating case study in talent management. She had no specialization or training in terms of Mesopotamia, per se. She was brought in as an outsider based on some of her educational background that she might be able to help think through the problem set, and then she winds up becoming a subject matter expert on Iraq.GreggAlthough I would add a little caveat to that, which is that she had traveled through the Middle East in 1911-12 time frame, and she had mapped the human terrain. This is something that we also tried to do in both Iraq and Afghanistan. And so, she had gained attention because she had made this trip. That doesn’t make her an expert, I agree. But she had some on-the-ground knowledge of the population’s tribal dynamics that no one else seemed to have. And then that was a great starting point from which then she built her expertise.ScudieriSo that’s an interesting learning point on how, in the midst of war, you can still pull talent management to try to get the biggest bang for the buck and save some effort.GreggThat’s a great point. I love that.HostAbsolutely. I’m just going to plug the monograph right here. You can download it at press.armywarcollege.edu/monographs. Thank you both so much. What a treat. I’m sorry we had so little time to cover such an expansive and interesting topic.GreggThank you so much for this opportunity. It was, it’s great to be with you both. Thank you, Jim for a wonderful conversation.ScudieriWell, Many thanks for the ability to share this time together.HostIf you enjoyed this episode and would like to hear more, you can find us on. Any major podcast platform.About the authors:Gregg is a professor of irregular warfare at the George C. Marshall European Center for Security and the author of The Grand Strategy of Gertrude Bell: From the Arab Bureau to the Creation of Iraq. Gregg earned a PhD in political science from the Massachusetts Institute of Technology, a master’s degree in Islam from Harvard Divinity School, and a bachelor’s degree (with honors) in cultural anthropology from the University of California at Santa Cruz. She is the author of Religious Terrorism (Cambridge University Press, 2020), “Religiously Motivated Violence” (Oxford University Press, 2018), Building the Nation: Missed Opportunities in Iraq and Afghanistan (University of Nebraska Press, 2018), and The Path to Salvation: Religious Violence from the Crusades to Jihad (University of Nebraska Press, 2014) and coeditor of The Three Circles of War: Understanding the Dynamics of Modern War in Iraq (Potomac Books, 2010).Scudieri is the senior research historian at the Strategic Studies Institute. He’s an associate professor and historian at the US Army War College. He analyzes historical insights for today’s strategic issues. He holds a Bachelor of Arts degree in History from Saint Peter’s College, now University (1978); a Master of Arts degree in History from Hunter College, City University of New York (1980); a Master of Military Art and Science degree from the U.S. Army Command and General Staff College (1995); and a Doctor of Philosophy degree in History from the Graduate School and University Center, City University of New York (1993).

Every day, malicious actors target emerging technologies and medical resilience or seek to wreak havoc in the wake of disasters brought on by climate change, energy insecurity, and supply-chain disruptions. Countering Terrorism on Tomorrow’s Battlefield is a handbook on how to strengthen critical infrastructure resilience in an era of emerging threats. The counterterrorism research produced for this volume is in alignment with NATO’s Warfighting Capstone Concept, which details how NATO Allies can transform and maintain their advantage despite new threats for the next two decades. The topics are rooted in NATO’s Seven Baseline requirements, which set the standard for enhancing resilience in every aspect of critical infrastructure and civil society. As terrorists hone their skills to operate lethal drones, use biometric data to target innocents, and take advantage of the chaos left by pandemics and natural disasters for nefarious purposes, NATO forces must be prepared to respond and prevent terrorist events before they happen. Big-data analytics provides potential for NATO states to receive early warning to prevent pandemics, cyberattacks, and kinetic attacks. NATO is perfecting drone operations through interoperability exercises, and space is being exploited by adversaries. Hypersonic weapons are actively being used on the battlefield, and satellites have been targeted to take down wind farms and control navigation. This handbook is a guide for the future, providing actionable information and recommendations to keep our democracies safe today and in the years to come. Click here to read the book.Click here to watch the webinar. Episode Transcript: “Space Critical Infrastructure” from Countering Terrorism on Tomorrow’s Battlefield (NATO COE-DAT Handbook 2) Stephanie Crider (Host) You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army, War College, or any other agency of the US government. I’m here with Frank Kuzminski, today, US Army officer and strategist, and author of “NATO Space Critical Infrastructure” from Countering Terrorism on Tomorrow’s Battlefield: Critical Infrastructure Security and Resiliency. Thanks for making time for this today, Frank. Frank Kuzminski Thank you for having me. Host Space is a relatively new operational domain. Since 2019, you note in your chapter. Through the lens of those core missions of deterrence and defense, what do our listeners need to know about space? Kuzminski Space is relatively new in terms of the overall history of the alliance. And that really stems from the NATO ministerial meeting in December 2019, where they declared space as an operational domain. And then, more importantly, in June 2021, NATO issued a communique after the NATO summit that the mutual defense provisions of Article 5, which treats an attack on one as an attack against all, would apply to the space domain as well. And they specifically mentioned that any attack to, from, or within space could be as harmful as a conventional attack, and therefore warrant an Article 5 response. And that’s important because space really touches nearly every aspect of daily life in modern society, (including) commercial activities, economic activity, information, communications, and especially national security and defense. And so today, more than ever, NATO as an alliance, depends more than ever on space-critical infrastructure for its core missions of deterrence and defense. Host Let’s talk a little bit more about space critical infrastructure. Can you give us an overview? Kuzminski So, space critical infrastructure comprises the physical systems, the orbital platforms, and the data transmission networks and the people that work across the four segments of a space system to provide the space domain capabilities that we rely on. There is this space segment, which consists of the satellites, spacecraft, and technical payloads that occupy the different orbits. There’s a user segment, which refers to any user or person or system that relies on satellite information or satellite signals to function. This includes military forces as well as ordinary people—businesses, organizations, countries, people who use smartphones, etc., or the Internet. There’s the ground segment, which includes the physical elements of space infrastructure on Earth, everything from launch facilities to Mission Control centers, to tracking stations around the world. And then finally, there’s the link segment. And this is the data transmission networks that connect the other segments together and through which we derive the systems. And so the space domain operations and space-based capabilities require all four segments of space critical infrastructure to provide the core functions and capabilities that the alliance and that the world relies on. Host You talked about in your article, these five core capabilities. Let’s walk through them. Let’s start with secure communication. Kuzminski Satellite communications, or SATCOM for short, is vital for the effective command and control of military forces today across large areas, regardless of terrain. It really helps overcome the line-of-sight problem, but also facilitates the use of remote weapon systems such as drones. It’s also important to note that secure communications is where the space and cyber domains intersect because the data transmissions on the link segment that we talked about that provide this space capability by transmitting data utilize the communications protocols that have been derived from the cyber domain and the Internet. And so the vulnerabilities that exist in the cyber domain are also inherent to the space domain for that reason. Host Positioning, navigation, timing, and velocity. What do we need to know? Kuzminski So simply speaking, this is GPS. We know it as plugging an address into our phone and letting it direct us to our destination. But for military forces who rely on PNT for short for targeting and precision strike, advanced conventional munitions rely on GPS to precisely strike a target. Military forces also rely on time reference from GPS satellites for encryption purposes. It’s also important to note that GPS (Global Positioning System) is an American military system that the Department of Defense provides for everyone’s use. There are other systems out there that other countries operate, for example, the European Union has a global navigation satellite system called Galileo. The Russians use a system called GLONASS, and the Chinese recently have deployed a system called Baidu, and they all generally provide similar functions, but it’s important to note who kind of manages these constellations. Host The next step is integrated tactical warning and threat assessment. Kuzminski Space systems are important for detecting missile launches and, therefore, providing the earliest possible warning of a missile attack. We’re talking about strategic nuclear attack, intercontinental ballistic missiles—the kind of broad early warning networks that were common during the Cold War but are still very important today to deterrence and defense today. These space systems are a really integral part of that and help provide ballistic trajectories and provide the decision space for senior leaders. Host How does environmental monitoring fit into the picture? Kuzminski This is commonly known as weather forecasting, but space systems enabled meteorological operations and the kind of weather forecasting that’s important because weather, of course, can affect military operations on land, sea, and in the air. Accurate environmental forecasting also can help reveal longer-term climate trends that might affect agriculture or food supplies in different parts of the world, which may have security implications for NATO and the alliance. Host Intelligence, surveillance, and reconnaissance. Kuzminski ISR for short. Space-based ISR, we think about satellite imagery. So again there are commercially available options such as Google Earth, but this goes back to the earliest days of the space age when the United States and the Soviet Union deployed a variety of satellite intelligence platforms and photo reconnaissance platforms to not only provide detailed mission planning and help forces understand the effects of terrain on land-based operations but also to provide indications and warnings of potentially threatening behavior. I mean, one of the reasons the alliance in the United States were able to anticipate Russian aggression in Ukraine last year was because they were able to monitor force movements through the use of space-based ISR. Host What are some examples of threats and vulnerabilities that need to be addressed? Kuzminski Space systems are especially vulnerable to both kinetic and non-kinetic threats. So in the chapter we talk about how terrorists and hackers might possess some of these capabilities that could affect one or more of the space segments. But the overall impacts to a terrorist attack on space critical infrastructure would be pretty low. The real threat here is state actors, specifically, the great powers, who both possess the kinetic and non-kinetic destructive capabilities and the capacity that could seriously damage space critical infrastructure. In terms of non-kinetic threats, we talked about the intersection of the space and cyber domains. And so many of the vulnerabilities, cyber vulnerabilities, that an adversary could exploit through hacking or other malicious software or malware could also be deployed against this space system and disrupt a particular satellite capability. In terms of the kinetic capabilities, the most obvious ones are direct-assent anti-satellite weapons or ASATS. And this is, effectively, a missile that’s launched from the Earth that would be targeting a satellite in orbit, destroy that satellite and then render a large debris field that could pose risks to other space systems. As of today, there are only four countries that have demonstrated an actual ASAT capability. That’s the United States, China, India, and Russia. There are also orbital intercept and satellite capture technologies out there through what we call rendezvous and proximity operations, or RPO for short. The nature of orbital mechanics makes it that satellite trajectories are predictable, and, therefore, targetable. There is also the technology either exists or might soon exist for some kind of directed energy or laser weapons on orbital platforms. Now, we haven’t seen evidence of an active system as of yet, but this goes back to the 1980s in the Strategic Defense Initiative that envisioned the constellation of orbital lasers to shoot down incoming intercontinental ballistic missiles. So, it’s not a new idea, it’s just something that people are talking about. I’d also like to mention the problem of orbital debris, or space junk. This is more of a space safety issue than a space security issue, but it’s very real and it is a pernicious problem that affects everybody indiscriminately. There are over 30,000 pieces of space junk ranging from the size of a softball to larger than a school bus. Basically, anything that gets thrown up into orbit kind of stays there and decays over years—decays in orbit. The reality is that there just hasn’t been enough of a problem to really warrant any kind of multilateral action. And so ,it’s one of those problems that we’ll just wait and see what happens. Host I’m glad you mentioned Ukraine a little bit earlier because you used Russia as a case study in your paper, and I would love to hear more about that. Kuzminski We already talked about our state actors are the biggest threat, and Russia really has been the most active and threatening actor in this space domain in recent years. For the current war in Ukraine, there was a very specific example. In February of last year leading up to the attack, Russian hackers disrupted the commercial ViaSat satellite communications network, which is a commercial satellite communications provider that the Ukrainian military and Ukrainian government was contracting for their communication purposes. It was part of a coordinated effort to disrupt Ukrainian command and control and defensive operations leading up to the Russian attack. There are two other examples that are worth mentioning. In November of 2021, Russia conducted an ASAT test that we talked about, and it targeted one of its derelict satellites in orbit. But this event created a substantial debris field that threatened the International Space Station to the point where NASA actually had to wake up the astronauts and tell them to get into their emergency escape capsules in the event that there was some sort of catastrophic collision. Thankfully nothing happened, but this reveals the kind of potentially nefarious effects of an ASAT—even if it’s not targeted against an opponent system. And then lastly, I just wanted to mention that in 2018 the French government accused Russia of spying on one of their military communications satellites in geosynchronous orbit, which is the farthest out orbit. The French space agency had observed what they called a Russian “inspector satellite” that had maneuvered and changed its orbits to within a few 100 meters to drops of communications. Geosynchronous orbit is a stationary orbit. So the fact that these satellites had maneuvered into place was really indicative of some sort of potentially hostile behavior. And this is an example of these rendezvous and proximity operations that we spoke about earlier. Host Lots of scenarios here, lots of threats, potential vulnerabilities. Kuzminski We talked about how states such as Russia and China remain the greatest threat to space critical infrastructure. Increasing resilience across all the space segments is probably the best way to enhance deterrence by denial. And what I mean by that is ensuring that the specific capabilities that we discussed have enough redundancy in systems, whether in orbit or on the ground through different pathways and through different partners, not just American systems. But partnering with our allies and also through commercial operators is the best way to ensure that these critical functions will remain online in the event of an attack. There’s also an opportunity for some degree of international partnership or multilateral initiative to help prevent the rampant weaponization of space or some sort of new arms race. This was a problem in the 80s because the reality is that the only space treaty that’s been ratified in the international community is the Outer Space Treaty, which was signed in 1967. And although that prohibits the deployment of nuclear weapons in space and on the moon, it hasn’t really been updated to reflect some of the more current threats that we talked about. There have been a few ongoing efforts to limit weapons proliferation in space under the auspices of the United Nations, but they’ve been problematic and generally weak. True progress will really require commitment and leadership by the great powers, not only the US and its European partners, but also Russia and China. And the current situation right now doesn’t look like there’s any prospect for that. Host Give us your final thoughts before we go. Kuzminski I think it’s important to remember that space critical infrastructure, like all critical infrastructure, is something that we all tend to take for granted. We don’t really think about it. It’s just kind of there and we just use it. But we already talked about how vulnerable it is. And it’s important to remember that it wouldn’t take a whole lot for an adversary or some sort of malicious actor to disrupt the capabilities that we rely on on a daily basis. This isn’t specifically for military forces, but also just for everyday people and large segments of modern society. I think it’s worth thinking about how someone might react if their smart board stops working or the credit card stops working or the Internet stops working or the planes stop flying, not only for individuals but also for states. But I don’t want to be super pessimistic. I do think that the future is exciting and offers a lot of potential for the benefit of mankind because the threshold for access to space and space-based capabilities is being lowered every day, especially through the growth of commercial operators and service providers. And I really think that the more access to these capabilities that exist and the more people that have access to these capabilities, it just helps level the playing field, not only in the security dimension, but also in economic and societal and commercial spheres. And I think that translates to better economic opportunities, especially for the developing world. And generally, a higher quality of life for most people. And I think that’s a good thing. I think there’s definitely a lot of things to be optimistic about when it. Comes to space this. Host This a very full chapter about critical infrastructure, security and resiliency. Listeners, if you’re interested, you can download it at press.armywarcollege.edu/monographs/957. Thanks for sharing your insights with us today, Frank. Kuzminski Thank you for having me. Host If you enjoyed this episode of Decisive Point and would like to hear more, you can find us on any major podcast platform. About the author: Frank J. Kuzminski is a US Army officer and strategist. A native of Poland, he emigrated to the United States in 1990. He graduated from the United States Military Academy in 2004 with a bachelor of science degree in electrical engineering and was commissioned as an Infantry officer. After serving in multiple operational assignments worldwide, Kuzminski was assigned to the Army Staff at the Pentagon, and he later served as a strategic plans officer with I Corps at Joint Base Lewis-McChord, Washington. He is currently a doctoral candidate in international studies at the University of Washington. He holds a master of public administration degree from Harvard University. He is married with two children and speaks Polish and French.

Wuraola Oyewusi Medical resilience is a key critical infrastructure in a nation’s preparedness against vulnerabilities. Pandemics such as COVID-19 are potent disruptors of this infrastructure. Health systems that are considered low-resourced have adapted and deployed seemingly simple but effective methods to survive such disruptions.Read the collaborative study here.Episode Transcript: Medical Resilience in PandemicsStephanie Crider (Host)The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government. You’re listening to Conversations on Strategy.Today, I’m talking with Wuraola Oyewusi, author of “Medical Resilience and Pandemics,” in Countering Terrorism on Tomorrow’s Battlefield: Critical Infrastructure and Resiliency Handbook Two (Countering Terrorism on Tomorrow’s Battlefield: Critical Infrastructure Security and Resiliency Handbook 2). Welcome to Conversations on Strategy. I’m really glad you’re here.Wuraola Oyewusi Thank you, Stephanie. I’m glad I’m here too.Host Your chapter explores medical resilience as a component of critical infrastructure as well as using low-resourced health systems to build resilience. Will you please briefly expand on that?Oyewusi The work on this chapter focuses on a low-resourced health system (that) has managed to build a resilience against a disruption—this time around, a pandemic—uh, specifically, (coronavirus disease 2019 or) COVID-19. We explored Nigeria as a system that . . . it’s definitely not high resourced. The health-delivery system is not high resourced. And we explored some of the things that were done during the COVID-19 pandemic.Host Let’s talk about that in a little bit more detail. Like you said, your case study focused on Nigeria and COVID-19. How did Nigeria handle COVID-19?Oyewusi So, I’m going to give a bit of context.The first COVID-19 case—recorded one, I think we should emphasize that—was in February . . . February 27, 2020. Right when the whole world was finding out, that was when we found out about that in Nigeria, too.Another clear context that we should have as we go into our discussion is that Nigeria’s epidemic response is carried out in the context of a fragile and underresourced, existent health-delivery system. That means that, even before the pandemic, the system was overstretched, there was a lot of people. There were challenging fault lines already, and then we now had the disruption like COVID-19.So to help you understand this use case, one of the indexes that was used to gauge a country’s preparedness during the pandemic was the number of (intensive-care unit or) ICU beds to the population. Germany had about 29 beds to 100,000 people. The US had about 34 to 35 ICU beds to 100,000 people. Turkey had 48 beds to 100,000 people. But in Nigeria, we had about 0.07 beds to 100,000 people.So, I think that would lay down a context for why we are discussing this and how a disruption to critical infrastructure, like a pandemic, was done in Nigeria.Host What are some key lessons learned from Nigeria on managing pandemics?Oyewusi I’m going to discuss that on the three key items. The first one: There was leveraged experience and infrastructure. The second one: There was civilians, data analysis, and public data sharing. And the third one, which is probably one of the most interesting, are the nonpharmacological interventions. We have established that the system is overstressed. And, given the proportion of ICU to 100,000 people, the country knows; the people know. We had a vague idea of what we were in for, and, you know, it is one of the most interesting things that we did.One of the experiences that help us as a country—despite this fragile health system, this low-resourced health system—was we have some experience managing pandemics (for example, the Ebola of 2014 [Ebola outbreak of 2014–16]). So, the preparedness wasn’t just from the side of the health system professionals. The country had an idea. We have experienced with Lassa fever. We have experienced with cholera. So, one of the key things that happened there: There was a coordinated national effort by the national center for disease control, the Federal Ministry of Health, and the state ministry of health.And then, for example, for data collection and analysis, there was a software that was used during Ebola called SORMAS—SORMAS is Surveillance Outbreak Response Management (and Analysis System). A very interconnected system that was used to collect data from smaller places to bigger places and tracked preparedness for things like, you know, we had anticipated that there would probably be no light. There is usually a lot of outages. There is a lot of issues like that. But this system had been tested during Ebola, so it was like the country spun it up again now that we have another pandemic.The third one is nonpharmacological intervention. For example, there were things like hand washing and face mask. Even though I know it’s global, people had hand sanitizers. There was lockdown. There was restrictive public gathering. There was social culture communication. You know, for example, more than 500 languages are spoken. That means that in villages and religious houses, people were talking about COVID-19, “We think we should wear your mask,” through those channels.In public places, you could wash your hands outside. That means if you are going to the bank—it might not be the prettiest setup—but every public place, public parks, there was “You need for you to wash your hands.” And then, like I said, people remembered from Ebola. That means that there was general knowledge about it and (people knew) to prepare hand sanitizers. “We think there is something dangerous out there. We have heard about it and, you know, just like the other times, we should wash our hands often. We should wear our mask.” You know, there were makeshift masks because a mask (availability) hasn’t happened yet, and, you know, some were made from fabric. Some of them were not the prettiest, but people were wearing their mask in many places. The bulk would put a makeshift bucket. You know, in some public places, it would just be a makeshift bucket with a tap, some soap to wash our hands. But this scaled across the country because they were easy to deploy.And then, information through radio. People were hearing about COVID-19. I remember, in the textbook, I put some examples of the flyers that went around that “This is dangerous.” “We are not always confident that you have the support that you need in the health system, but if you can try those things, if you can stay at home more . . .”Of course, there was the economic downside of people staying at home, but if you don’t have to be out . . . Some states were running, “We’re not closing finally, but can you be home by six?” “Clubbing.” “No parties.” Uh . . . “No big church gatherings.” “No big religious gatherings.” “Can you just pray at home?”This may be for people who could read, but then there was the daily updates by the disease control center. You know, you would know the number of people that died, the number of people that were diagnosed. “What should you do if someone is infected?” “If you suspect there is . . .” It was in public places. “Someone has been coughing, sneezing . . .” “We think this person may have this . . .” The nearest health center.So those are some of the nonpharmacological solutions that kind of worked well for us.Host Do you have any final thoughts that you want to share about this before we go?Oyewusi I have experienced working in a low-resourced health system. You know, I have gone on to other things. But I have always been a believer of, uh, in every pandemic—in every disruption, especially—learning from the experience of where we already know that this is low. It’s not bad because there was pandemic; that was all happened . . . Also, there are usually the low-hanging fruits; countries should embrace them. There is also NATO. NATO should embrace them. Tell people on the radio. Help everybody in their language.I understand that—even in countries where people speak the same language—there are regional nuisances. You know, for example, in Nigeria, local leaders were telling their communities about these. I’m not saying that, “Oh, everyone did that,” but it was common . . . So it’s common knowledge that we should do that.In pandemics, everyone is as confused. It’s not like everyone knows what to do. But for every disruption, one of the key learnings from a low-resourced system like that is that there are the low-hanging fruits, and they should be embraced.Host Thank you for being here today and sharing your ideas and your insights.Oyewusi Nice to be here.Host Listeners, find out more about managing pandemics at press.armywarcollege.edu/monographs/957. Read about it in chapter six.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.About the author: Wuraola Oyewusi is a Nigerian pharmacist and data scientist with expertise in clinical health care and the application of data-science methods. Her research spans a range of use cases from natural language processing (NLP) to health care and data curation. She lives in the United Kingdom and is the recipient of the Global Talent Visa in AI, Machine Learning, and Data Science.

Every day, malicious actors target emerging technologies and medical resilience or seek to wreak havoc in the wake of disasters brought on by climate change, energy insecurity, and supply-chain disruptions. Countering Terrorism on Tomorrow’s Battlefield is a handbook on how to strengthen critical infrastructure resilience in an era of emerging threats. The counterterrorism research produced for this volume is in alignment with NATO’s Warfighting Capstone Concept, which details how NATO Allies can transform and maintain their advantage despite new threats for the next two decades. The topics are rooted in NATO’s Seven Baseline requirements, which set the standard for enhancing resilience in every aspect of critical infrastructure and civil society.As terrorists hone their skills to operate lethal drones, use biometric data to target innocents, and take advantage of the chaos left by pandemics and natural disasters for nefarious purposes, NATO forces must be prepared to respond and prevent terrorist events before they happen. Big-data analytics provides potential for NATO states to receive early warning to prevent pandemics, cyberattacks, and kinetic attacks. NATO is perfecting drone operations through interoperability exercises, and space is being exploited by adversaries. Hypersonic weapons are actively being used on the battlefield, and satellites have been targeted to take down wind farms and control navigation. This handbook is a guide for the future, providing actionable information and recommendations to keep our democracies safe today and in the years to come.Read the Book: https://press.armywarcollege.edu/monographs/957/Watch the Webinar: https://ssi.armywarcollege.edu/2022/european-security/nato-transatlantic-relations/countering-terrorism-on-tomorrows-battlefield/Download the full episode transcript here: https://media.defense.gov/2023/Nov/15/2003341253/-1/-1/0/COS-14-PODCAST-TRANSCRIPT-LOHMANN-COUNTERING-TERRORISM.PDFKeywords: counterterrorism, NATO, critical infrastructure, hypersonics, drones

For over a quarter century the United States and the European Union have been diligently planning and implementing policies and procedures to protect the critical infrastructure sectors that are vital to the prosperity and security the majority of their citizens enjoy. Given the evolving nature of threats against critical infrastructure, recent US and EU efforts have focused on enhancing collective critical infrastructure security and resilience (CISR) posture. The core objective of these CISR initiatives is to strengthen their ability to deter, prevent, reduce the consequences of, respond to, and recover from a broad array of vulnerabilities, hazards, and threats to critical infrastructure. Any such disruptions to or destruction of these critical infrastructure systems and assets can have damaging impacts on individual nations, the transatlantic economy and security environment, and the ability of the North Atlantic Treaty Organization (NATO) to fulfill its core tasks.This podcast is based on Chapter 10 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1). The goal of this chapter ultimately is to help Allies and partners better understand these two frameworks and apply their key principles and tenets to enhance the CISR posture in their respective countries.Click here to read the book.Click here to watch the webinar.Episode Transcript: “Comparing Policy Frameworks: CISR in the United States and the European Union”Stephanie Crider (Host)You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes Dr. Alessandro Lazari, coauthor of “Comparing Policy Frameworks: CISR in the United States and the European Union.”Lazari’s been working as a specialist in critical infrastructure protection, resilience, and cybersecurity since 2004. He is currently a senior key account manager at 24 AG (F24 AG), focused on incident and crisis management in Europe.Alessandro, welcome to Conversations on Strategy. I’m glad you’re here.Alessandro LazariThank you very much indeed for inviting me over. It’s a pleasure to be here.HostYou recently contributed to the book Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. The chapter you worked on compares policy frameworks of critical infrastructure security and resiliency in the US and the EU. The US (critical infrastructure security and resilience or) CISR framework: What do we need to know?LazariI mean, thanks for asking about this. This has been part of my PhD studies—to go on deep between the lines about everything that the US has built in the past decades—and I have to say that this is really considerable. If you think that the (Presidential Decision Directive 63 or) PDD-63, just to give an example . . . presidential directive signed by (Bill) Clinton in May ’98 still stands as one of the brightest examples of CISR policies for a while—if you look at it nowadays, after so many years, you see how very well defined is the problem, how very well defined the mechanism to tackle it and to, you know, deal with it and to improve the overall posture of US against the threat of, you know, any potential attack to national critical infrastructure.I mean, there is many examples in . . . in the US policies of things that really worked. I can tell that they constitute a milestone to which many, many countries are looking at because of the comprehensiveness. Because I can tell also that due to its particular system, (the) US has experienced a wide range of events that span across all the potential threats of critical infrastructure in the 50 states and as a federal system, so they’ve really wanted to organize something that is really very, very big.Last but not least, the US has also considerable experience in maintaining the infrastructure. One of the greatest examples is the renovation that the US government did in the old railroad . . . you know, riverways in the ’40s and ’50s and ’60s is one . . . also a considerable milestone of the experience in the US. So, it’s very much worth looking at it because there is many countries that are now in the condition of tackling those challenges nowadays. So really, throughout the entire lifespan, you know, a lot of things that are really, you know, in use nowadays that really can provide example to the way the countries should deal with CISR nowadays.HostLet’s go into a little bit more detail. What currently guides the US CISR policy?LazariOne of the latest milestones in . . . in the US CISR policy is (Presidential Policy Directive 21 or) PPD-21, signed by Barack Obama in 2013. I mean, that can be considered one of the examples of the maturity of the policy in the US. You know, in announcing all the functional relationships among the very stakeholders involved in the life cycle of critical infrastructure security and resilience, there’s so many from both public and private side. From the public side, you have (the Department of Homeland Security or) DHS and all the departments that are involved, all the agencies, and from the other side, all the operators and the critical nodes within the country and so on and so forth. So, there is a considerable amount of stakeholders that need to talk to each other to be really aligned to do better. And here, we come to the second pillar that is information sharing.Once you have identified all the functional relationship nodes, you absolutely need to cut short the distance between them. So they need to become closer and closer because they need to talk to each other, and in a country like (the) US, it’s very difficult because it’s a very big country with a big number of stakeholders involved. So for sure, this is also a challenge. And last but not least, after you have enabled, you know, the recognition of the functional relationship and the improvement of the information sharing, you then need to enable one very important pillar that is always mentioned in PPD-21: that is analysis of incident threats and emerging risk. Because you do not only deal with today, you also deal with the future. So you need to understand with . . . how, you know, uh, risks are evolving, so the emerging one . . . and you need to analyze all the incidents and threats constantly because the threats evolve as much as the society because, you know, we have new enemies, new ways to attack the systems, and history evolves; we all know that. So once you put together really this critical mass of activities and knowledge, you can say you are really structuring well all your policy on . . . on CISR.HostTell me about the EU framework: European Programme for Critical Infrastructure Protection.LazariThe EU, it’s based on the membership of the member states that are part of the EU. There were 28, and, after the Brexit, now it’s 27. You know, every time, the negotiation of each steps of the policy is something that really seeks for the involvement of them all on proposal from the European Commission that is normally proposing new pieces of policy and regulation in this field. But this entails every time that member states are involved because they have a stake, they take a joint decision. But the European Programme for Critical Infrastructure Protection is really the very first milestone. As much as it is for PDD-63 in the case of US, it is really the very first piece of joint policy on critical infrastructure protection on the European side.And this really comes immediately after the September 11 attacks to, you know, London and Madrid in 2004, 2005. It really starts from an all-hazard approach with a clear intent of fighting against terrorism. So, financing of terrorism, all aspects of dealing with terrorism and the impact of terrorism, terrorism of critical infrastructure. Then, immediately, the EU recognized within the program that the all-hazard approach really needs to be developed because it’s not only terrorism that can threaten the continuity, you know, and the existence itself of critical infrastructure, but there is many other threats that can really disrupt or create issues. So, the European program has really put together the member states for the first time ever in discussing the critical infrastructure protection.This is still, nowadays, mainly the international level. The first thing you need: competency. It still relies on the member states that are part of the EU, but the program has, really, the 27 in the condition to discuss together all the challenges, all the state of play of each one of them. So to set new goals that are not overambitious for some of them, because you have to imagine when, in 2008, the European program was launched, there were five or six member states that really had a national framework for critical infrastructure protection, and many others that didn’t have one, or, you know, they really needed to amend it heavily because it was obsolete or not taken care of on all aspects.It can be said that the European program has really created that first spark that has enabled the EU to be in the state of play it is nowadays because, for the first time, it has really asked the member states to discuss national security outside of their own border, but in a joint, coordinated manner.HostSo, there were some significant changes to the program in 2016 and 2020. I would love to hear about them.LazariAfter a very long journey between 2008 and 2016, the EU in, um, 2016 has decided to move a little bit to focus not only on the critical, physical aspect of critical infrastructure but also on the cyber dimension. Of course, the member states were already dealing with that, but the real pro of the EU is that there is a harmonization effort going on.In 2016, we had the promulgation of the so-called Network and Information Security Directive. This really adds an important layer now on top of the CISR policy, which is very focused on cybersecurity or what we call “operator of essential services.” This new term that is different from critical infrastructure has been introduced to identify all of those services that are delivered through the mean of the network and information system. So, really, to narrow down the focus on the cyber dimension, of course, completely integrated together with the physical aspect, because these are absolutely complimentary. We cannot deal with one or just the other. You need to deal with all of them.And it is very important to notice that even though this first NIS—Network and Information Security—Directive was promulgated back in 2020, on the 16th of December, 2020, the European Commission proposed already an amendment of this directive to launch the second directive, the so-called (Network and Information Security 2 or) NIS 2.You can see that, here, the policy life cycle has been shortened because, normally, there is a very long policy cycle between one policy and another. You have an average of eight to nine years, even 10 sometimes. Here, you see that between 2016 and 2020, you have the promulgation of the first directive, already, in 2020, the proposal. And it’s very likely that in early 2023, this will alter its course, partially substituting the first one, but adding a lot more efforts and a lot more sectors. They go from 19 to 35, so there is a huge recognition and an improvement in the terms of sector.There is also the intent to differentiate between coverage of an essential service and important service. So to create also sort of criticality assessment between the two lists of designated operators. So, I think this is very important. There is also the announcement of the cooperation among the countries, the announcement of the functioning of the EU Computer Security Incident Response Teams—so, better sharing of information regarding the incident and some support.Last but not least, also, I can tell that, uh, 16th of December 2020 can be remembered as one of the really landmark of the EU CISR because on the very same day, apart from the proposal on the NIS 2 directive, same European Commission, sending a very strong message, published the proposal also for the . . . for the so-called Critical Entities Resilience Directive.Also, here, you see a new terminology, critical entity and resilience, that goes . . . it’s very far from critical infrastructure protection. So not only we move, like, the focus is really on resilience, so in being able to withstand, to bounce back after something has gone wrong, but, also, the commission introduced the term “entity.” This is also a clear message that the type of infrastructure that we can designate is not only old style, like we only operate private operator, but entity has been used also to identify offices, departments of the public administration and the government that are really pivotal for the functioning member states and the new institution and so on, so forth.So you see that we move from operator to entities and from protection to resilience. So I think this really be remembered what . . . of the days in which really the EU has recalled the importance of the complementarity of the physical and cyber protection and resilience and the importance, also, of the states and the public administration and the governments in securing national security, EU security, and the international security because, of course, this go beyond that.HostGoing forward, what does critical infrastructure security and resilience look like for the US and the EU?LazariEven though we have this really great example of the European program for critical infrastructure protection, the PDD-63, all the executive orders, you know, every one of them in the US are very comprehensive in, you know, tackling the problem in the way it should be tackled and with all the effects that they have on the European Union, on the allied countries in NATO and so on, so forth.I think that there is some things that . . . on which we . . . we really need to improve. One of these is hybrid threats because we often talk about physical and cybersecurity, but we do not consider the hybrid threats that are all these actions below the threshold of warfare that are still to the entity or to the state or to the operator that is targeted. There is no clarity which is who’s behind these actions. It . . . these actions are also coordinated. So, there could be a state or nonstate actor that has decided to put under pressure certain systems, certain layers of our modern society, and it can be done with a combination of conventional and unconventional types of plot. And this is, for sure, one of the hot topics.The European Union has already recognized the importance of hybrid threats in 2016, and, in 2020, there is two specific documents that are being released on the point they’re working out in creating a framework for governments and public administration to try and recognize some key indicators that there is hybrid threats, that you are subject to hybrid threats, because you haveto . . . to imagine this extremely complex type of environment. It’s a number of events that are not correlated because they’re happening here and there. Therefore, you don’t have control on all of them, and, therefore, you cannot really see through the fog what’s going on. You just see the vertical events, but you don’t see the horizontal plot. Social tension, fake news propaganda—they are all part of this big element.Another thing that I think is part of the hybrid threat but is not properly dealt everywhere is that nonfinancial side. We know that all these operators of critical infrastructure, the way you want to call them, or critical entities or operators of essential services—they are companies. They may be on . . . on regulated market, on the stock exchange, on support. Therefore, someone may acquire them, part of them, part of the ownership.To me, the way we scrutinize a certain operation on national critical infrastructure is not yet clear because certain strategic infrastructure should remain of national property. I don’t mean it should be public. I mean that it should have national shareholders with minimum shareholders from abroad because they are strategic infrastructure on which, first of all, speculation shouldn’t take place, but, also, you have to imagine that once you see someone in the, you know, in the board of directors, everything is discussed there, immediately goes as to where as soon as the meeting is over. This shouldn’t really happen. And this is not only happening at the scrutiny, it’s already taking place for big infrastructure. For example, Italy has procedures for that. It’s very advanced, but the . . . the way the . . . the law is tuned on very big operations leaves every small operation outside.Here, we fall into another problem: third parties. It’s not only about critical infrastructure. Critical infrastructure relies on a constellation of third parties. Sometimes, they are also very small companies. They are very important in the supply chain. We don’t know who owns them. There is a little bit of scrutiny the company does on those other companies, third parties, but it’s not enough. So, the vetting procedure, the scrutiny procedure, they should really improve because we need to be sure that we are relying on the right people—that when something is going wrong, will help us out of the mud instead of leaving us in there. To identify friend or foe, as the . . . the military would say. So, this is, to me, among the hybrid threats, the financial aspect—also, the financial or third party. So, trustworthiness of the third party. Third-party risk assessment, to me, is fundamental.HostDo you have any final thoughts before we go?LazariOne last thing that is taking place anyway because of our footprint on planet Earth is climate change. To me, we need to work on the sustainability of critical infrastructure, and we need to do climate change risk assessments. This is something that already the Critical Entities Resilience Directive will ask to critical entities that will be designated under this directive in the future to do.So, to assess what is the impact of climate change on critical infrastructure, you have to imagine that the weather, among other things, is considerably changing. Fifteen years ago, no one could hear about, you know, medicane—that is, the . . . this Mediterranean hurricane, for example, in the Mediterranean. I come from the south of Italy, I’ve never heard about. We never heard “hurricane,” but, all of a sudden, in the last five years, we have initial glimpse of what it could look like, hurricanes. Of course, the proper hurricane, the one that you are experiencing in the US, you know, are much, much different, and their force of devastation is much higher. But, still, I can tell that these medicanes are already threatening our critical infrastructure because they have not been designed to withstand this type of event.Even though some of those that are designed for withstanding certain types of very severe weather events, they can be still disrupted, but ours are not designed at all. So, you can imagine the impact of if these hurricanes keep coming, and they keep increasing in . . . in their strength, the way they . . . we see them behave in other countries that are severely hit by hurricanes, this could really pose a threat to our critical infrastructure.So, for sure, the climate change has to be assessed. We will find ourselves with operators that have been used, like, operating extreme cold and in heat wave and the other way around. Operators used to work in extreme hot having cold wave, and, therefore, the reliabilities of these infrastructures may change, may be really threatened because they are not designed to operate in different condition or in very severe warm or cold. So yeah, that’s another thing that I would definitely take into account that will challenge critical infrastructure in the future.HostThank you for your time. Thanks for your contribution. This was a real treat to talk with you.LazariThank you very much indeed, once again, for inviting, and, uh, all the best.HostLearn more about the CISR frameworks of the United States and the European Union at press.armywarcollege.edu/monographs/955.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information: Alessandro Lazari has been working as a specialist in critical infrastructure protection, resilience, and cyber security since 2004. He is currently a senior key account manager at 24 AG, focused on incident and crisis management in Europe. From 2010–19, he provided policy support to two key initiatives at the European Commission: the European Programme for Critical Infrastructure Protection and Strengthening Europe’s Cyber Resilience. Lazari is a fellow in legal informatics at the University of Lecce’s School of Law (Italy) and a lecturer at COE-DAT’s Protecting Critical Infrastructure Against Terrorist Attacks course. He is the author of European Critical Infrastructure Protection, published in 2014 by Springer Inc. He holds a master’s degree in law and a PhD in computer engineering, multimedia, and telecommunications.

In most urbanized societies, water is taken for granted and little thought is given to how fragile the supply of this vital resource can be. A water emergency, however, such as a treatment plant outage, a water source contamination event, or natural disaster has the potential for significant disruption to society and the infrastructure that depends on water to function. Most other sectors of critical infrastructure, as well as activities of daily living, are highly dependent on the water sector. As a result, consequences of a water emergency can be significant and may occur immediately without notice depending on the nature of the event. Thus, the security and resilience of the water sector is a key component of a nation’s civil preparedness that can have military and international implications as well. Terrorist threats to water delivery or contamination of water sources as a terrorist act can impact a nation’s ability to move and sustain its military forces and project military power when required. From the perspective of the North Atlantic Treaty Organization (NATO), threats to the water sector in one member state could have ripple effects that limit or diminish NATO’s military mobility and force projection in support of its essential core tasks.Therefore, it is important to understand water sector risks and find ways to effectively mitigate them. While this chapter focuses on the US water sector and uses a case study from one of its most important metropolitan areas, the chapter provides a helpful framework for other Allies and partners to understand, adapt, and employ to their specific circumstances.This podcast based on Chapter 8 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1) provides a foundation from which to better understand the criticality of water sector resilience. While this chapter focuses on the US water sector and uses a case study from one of its most important metropolitan areas, the chapter provides a helpful framework for other Allies and partners to understand, adapt, and employ to their specific circumstances.Watch the webinar: https://youtu.be/G1OD24HEh94Read the book: https://press.armywarcollege.edu/monographs/955/Keywords: critical infrastructure, crisis management, security risk assessment, water sector resilienceEpisode Transcript:“Water Sector Resilience in the Metropolitan Washington Case” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on strategy welcomes Steve Bieber, author of “Water Sector Resilience in the Metropolitan Washington Case.” Bieber has more than 30 years of experience in leading development and reform and water security, public policy, and environmental regulation. He’s currently the water resources program director for the Metropolitan Washington Council of Governments.Welcome to Conversations on Strategy, Steve. Thanks for joining me today. You recently contributed to the book Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. Your chapter is about water sector resilience. Give us an overview of the water sector, please.Steve BieberSure, so thanks for having me on. You know, water includes both water you drink and (water) you use for bathing and cooking and so on. But obviously when you’re done doing all of that stuff, it has to go somewhere—which is down the drain and to a wastewater treatment plant. But probably the other part that folks don’t think about a whole lot is the source of the water in the first place. When you think of the water system and working with water utilities, usually the three biggest components are the source of it, collection and treatment of that, distributing it, and then treatment at the end when you’re done using the water.Just to give folks a little bit of perspective, here in the Metro Washington region, the average daily demand for drinking water (and it goes up and down depending on the time of year) is close to 500 million gallons a day. We’ve got over 14, 500 miles of water mains (so that’s more than the miles of roads we have in the region) and almost 120,000 fire hydrants. So if you ever think about the challenge of maintaining something like that … you know, and over 1,000,000 metered accounts and a little more than 5 million people who are served by public water and sewer.HostTalk to me about the risks and threats of the water sector.BieberYou know, I’m sure people have seen in the news lately—especially with what happened in North Carolina (electrical substation attack in Moore County on December 3, 2022)—you know, a lot of terrorism and Black Sky events are in the news. Those things can be a threat to the water sector as well. So there’s physical security threats like that but also things like climate change, rising sea level, aging infrastructure, you know. We have some infrastructure here in the Metro Washington region that dates back to the 1800s, and there are instances that sometimes they find pipes made out of wood when they’re doing main break repair.You can imagine trying to keep up with operations maintenance. And just repairing things like that over such a vast network is pretty hard. And so, from the utility perspective, you’re dealing with all sorts of threats. You know, natural threats, man-made threats, accidents that happen (whether it’s a contractor striking a pipe and breaking it or an oil spill in your source water, all sorts of things) and you have to be prepared to deal with all of it.HostSpeaking of dealing with it, what are the key steps in resiliency planning?BieberSure, so I’ll start out maybe by saying a little bit about what resiliency is. So for the water sector, broadly, you can define it as the ability for a water utility to maintain their operations despite a challenge like, say, a water main break, and recover from the event as soon as possible. And we already talked about the stressors. Whether it’s weather, accidents, or some kind of intentional act, the idea is to be able to bounce back as quickly as you can.The other thing to be mindful of is resilience extends beyond just the utility and encompasses dependent and interdependent sectors, so things like the energy sector, health care. A big one in our region here is data centers, which are very dependent on water for cooling. All those local and regional assets are connected. And sometimes seemingly distant threats to resilience in another region can affect utilities here. So, for example, a spill in West Virginia could affect our water supply here in Metro DC, just as one example. And a lot of times these cross-sector dependencies are deep and complex, so it’s really important to think about those when you’re looking at doing resiliency planning.So here in the Metro Washington region, we actually do studies routinely to look at things like adequacy of our water and wastewater infrastructure to meet demand. So say we’re forecasting out to 2050. Do we have enough treatment? Enough distribution? Enough collection system to meet growing population and employment and all of that?We’ve historically looked at things like drought, which we know happens from time to time. And we do studies on that every five years to see do we have adequate infrastructure in place to be resilient against the drought of record. But one thing we decided to do a few years ago is expand that and take more of a system resiliency approach to look at other threats and hazards, not just drought, and see where we maybe have vulnerabilities and also see where we could make investments to buy down the risk from certain threats.So we got some federal grant money to do that. And let’s say you could kind of break down the steps into five phases. So, the first one was data collection and establishing system capabilities. So that was working with all the water utilities in our region. We held a series of workshops and determined, sort of, what do you have in terms of water treatment? Where do you get your source water from? How much distribution capacity do you have? Collect that all into one database, so we have a good baseline of what’s the capability that we have now. And then the second step was establishing a risk framework and defining a level of service. So basically, thinking about different failures events, how likely are they to happen, and what level of service do we want to have in the event that those things did happen? That’s really an important driver because I’ve seen utilities that use as their level of service in an emergency one gallon per person per day. I’ve seen others that have planned around 20 percent of your average daily demand. So as an example, if the average household uses 100 gallons a day, being able to provide 20 gallons a day, well, that’s 20 times more than one gallon.We used here, for our planning purposes, Average Winter Day demand, which would be even more than that. So as you can imagine, when things are changing by 20 times or 30 times, you’re planning assumption the capability you need to have to meet that demand is going to be vastly different, too. So once you’ve defined, you know kind of your level of service, the different failure events or scenarios you’re planning around (whether it’s intentional events, accidental events, weather events), you need to look at all of those and define what would the consequence be if those different things happen. For our purposes, we measured as how many days would people be out of water, and we called it people outage days. So it’s a combination of how many customers are affected? How many days would they be out before you could restore the water? And you can also use that to figure out an economic impact using some figures that FEMA and others put out. What would the cost to the region be under those different scenarios? So you can put a dollar amount on it.There’s other ways that you could quantify consequence. It could be things like, is there some critical mission in your region that if this happened you wouldn’t be able to fulfill? So say like for a military installation or something, or a nationally significant piece of critical infrastructure, and if the water was out it would impact that nationally significant infrastructure. So there’s other ways to measure it, but that’s the way we went about it.Once we had the scenarios we’re planning around, the likelihood of those things happening, and the impact, basically, if they happened, we identified different improvements you could make to mitigate those risks. So, it could be anything from interconnections between the different water systems and improving those to building more storage so you’re not dependent, say on just one water source, but you have storage, say in our case, like we use the Potomac River as a major source of our drinking water, having more storage off the Potomac River so if for some reason it wasn’t available, you’ve got an alternate source you can go to for a long period of time or a longer period of time. And then we used some simulation modeling to figure out which combinations of improvements (so whether it’s storage, interconnections, other types of improvements), which ones actually buy down the risk the most? Are there combinations of things you could do that buy it down even more? And you can basically put things into what I would call different buckets of combinations of scenarios, compare the benefits of one to the other, you can also see if there’s synergies of doing things in a particular sequence. And then you can find out which one basically has the best benefit-cost ratio. And once you have that information, you can come up with a plan for improvements of how you want to make your infrastructure more resilient.We kind of put ours into three categories. One was what we called “no regrets” improvements. So those would be things that the benefit-cost ratio is very high. It’s probably something you could get done quickly, and there’s an operational benefit to it. So even if the scenario you were planning around, say, a spill event or some kind of an attack, never happened the benefits to it still make it worth doing anyway. And then we had some that were more short-term—so things that had a high benefit-cost ratio and could be accomplished pretty quickly just because either the cost was low or there’s just not a long lead time to plan it and execute the improvement. And then there were other things that were sort of longer-term. If you’re looking at, say, building a new reservoir or something like that. That’s a major capital project. It’s not going to happen quickly, and you have to build that into your risk modeling. If it’s going to take 10 years to build something, you’re carrying the risk for that 10-year period until it’s built. And so you have to factor that in in determining which things you’re going to pursue. But we ended up with a mix of things that could happen quickly, kind of medium-term and longer-term.HostYour chapter uses Washington DC as a case study. I would love to hear more about this.BieberYou know the Metro Washington region, I think we’re the 6th largest metro region in the country, and, of course, on top of that, the home of our nation’s capital, a lot of the federal agencies, and we have a number of military installations in the region, too, and some nationally significant critical infrastructure. And we also have a long history of cooperating among the water and wastewater utilities here. We have agreements that go back several decades, cooperative water supply, cooperative wastewater treatment—different things like that. So we’re used to working together in the water sector to solve big problems.Especially since 9/11, everyone’s had more of a focus on security. But I would say in the last five or so years, that’s really shifted to not just security but security and resilience. And so that’s why we wanted to work together to look at what opportunities are there, not just at one utility alone but as a system in the region to collaborate and make improvements so that the system that serves the whole region is more resilient as a whole. And so that’s what drove us to take the systemresilience approach I talked about a moment ago—looking at things that are cross-cutting across the region, and that we could collaborate on together, which complements the individual utility vulnerability assessments and planning they’ve each done on their own. So, it was kind of another layer on top of that to identify things that are more regional system-wide, and bigger impact. And things that also, you know, you could work with your neighbor, maybe, to buy down the risk and be more resilient. More so than doing something on your own.HostYou talked about simulations and planning and resiliency. How do you test for this? Do you have to wait for an event to happen? Is there a way to do a test run?BieberYeah, that’s a really good question. So no, you don’t have to wait for an event to happen. Most risk-based approaches, whether it’s the one we used, or there’s some slightly different ones that are used in other sectors, but they have a lot of things in common. And one of those things is getting a group of subject matter experts together.In this case, it was our utility companies together, talk about scenarios of events they’re concerned about. In some cases, this is things that have actually happened before. So, say, like an oil spill or a water main break or a failure of equipment—like a pump failure or something like that. And they have a pretty good idea of how often does that happen? How likely is it to happen? If it happens, what are the consequences of it happening? And so those are real events that we have data on, and we can put a pretty good number to it. But then there’s other things that you also want to look at that are more hypothetical.So how likely is it that a rail car could fall in the Potomac River? Or how likely is it that you’d have a terrorist attack? You know you can go down the list (not an endless list of scenarios, but of scenarios that are things that maybe keep utilities up at night). You know it could happen and it would be, even though it’s a low probability, a very high impact event. And using this same group of subject matter experts, kind of put a number to each of those.So, in our case, we kind of had bins of things of like, “it happens once every 10 years,” “it happens once every 30 years,” “It happens once every 100 years.” Or maybe it’s less than one every 100 years, but you can get an idea of sort of how you would figure out how likely is it to happen. And then you can combine that with your estimate of if event A happened, how many people would be out of water? How long do we think it would be before we’d be back on our feet, and we’d restore water service? And then you can combine those things. So, the likelihood of it happening, the consequence of it happening. And you can get a sense of between those two things how worried are we about that and begin to come up with a list of which things are the most concerning, which things are the least concerning, and a bunch of stuff in between.And you can also put costs to all of that, which allows you to get to the benefit-cost of here’s how much it would cost. Here’s how likely it is to happen, (and) the impact of it, and you can calculate a benefit-cost ratio that. We used a pretty sophisticated modeling approach, but my point of bringing this up is if you’re a smaller utility or you just don’t have the resources to do that right away, it’s not like you need to throw up your hands and go, “Oh well, I can’t do anything.” Because you can get a group of your own employees together and just use your best professional judgment on which things are we most worried about? How likely do we think they are to happen one relative to the other? What would the impact be if it happened? How much would it cost us to bounce back from it, or to mitigate it? And what’s the cost to our customers, even if it’s just how long they would be out of service? And you can use that to come up with a pretty good list of priorities that’s probably going to be very close to what you would come up with if you used the more sophisticated modeling approach. And at least it gets you started.HostWhat are your recommendations for water security and resilience?BieberI’m a big proponent of data-driven decision making and using a risk-based approach. In the water sector— all public utilities—they’ve all been required already to do a vulnerability assessment to come up with security plans, different things like that. So, you already will have a lot of the data you need to get started, but, of course, the landscape is dynamic. It’s always changing. You know you may have the vulnerability assessment you did a year ago. Maybe it was five years ago. But it at least gives you a starting point. And then I would say take that, get a group of subject matter experts together, and just start going on developing a risk-based approach to planning. And there are a lot of good resources available online.American Water Works Association actually has standards for the J 100 standard for doing this kind of planning. So that’s one standard that’s widely followed in the water industry, but there’s also tools that are available for free. So, if you go search US EPA and water resilience, you’ll find a couple of tools they have online that you can get started with today. It will ask you questions. You fill it in as you go along, and you’ll get some recommendations out at the end. They have one that’s specific to climate change and building in resilience to that and another that’s more generic and more geared toward the types of events like we’re talking about, you know, whether it’s intentional or accidental events.Yeah, you do a little poking around online, you’ll find more tools, too. Another good resource that a lot of the utilities here in our region have taken advantage of, and if you’re in the US is available to you for free, is connecting with your protective security advisor. So, the DHS cyber and Infrastructure Security Administration they have protective security advisors in every state. In our case here in the DC metro region, we actually have three. They will come out and do a risk and resilience assessment of your infrastructure at no cost. And they can cover all sorts of things from physical security, other types of events like spill events, or other things like that. They can even come out and do a cyber assessment if you’re more worried about cyber risk and how to mitigate that. They’re free. It’s a good way to get started, rather than waiting and not doing anything.Whether it’s online, someone coming out for free, hiring a contractor, getting started with your own employees, there’s lots of ways to get going and take a risk-based approach and see where the opportunity is to make yourself more resilient. You know, buy down the risk on things you think are either most impactful or most likely to happen.HostWhat a great list of resources. Thank you for sharing that. Also, thank you for your time today.BieberYeah, I appreciate having the chance to talk today and look forward to working on more of this in the future.HostLearn more about water sector resilience at press.armywarcollege.edu/monographs.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information: Steve Bieber has more than 30 years of experience in leading development and reform in water security, public policy, and environmental regulation. He is currently the water resources program director for the Metropolitan Washington Council of Governments (MWCOG) and is responsible for managing its water resources programs, including the regional Anacostia Restoration Partnership, water security programs, drinking water and wastewater planning, drought management, urban stream restoration, and other related environmental programs for local governments and water utilities in the Washington, DC, area. Bieber holds a bachelor of science degree in zoology from Michigan State University, a master of science degree in oceanography from Old Dominion University, and a master of public administration degree from the University of Baltimore.

Communications form the critical backbone of the modern world, connecting more people and more devices more completely than ever before. The benefits of this hyper-connected society drive ever-increasing reliance on secure, reliable, and resilient communications. Potential adversaries to the North Atlantic Treaty Organization certainly understand the importance of communications—those they seek to target and those they use themselves—so it is critical to fully understand the sector, the risks it faces, and the best ways to mitigate those risks.This podcast based on Chapter 9 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1) provides a foundation from which to better understand the criticality of communications for national security and emergency preparedness and common important characteristics of the sector and their implications for security and resilience.Click here to read the book.Click here to watch the webinar.Keywords: communications, critical infrastructure, cyber threats, crisis management, security risk assessmentEpisode transcript “Communications Resilience” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government. Conversations on Strategy welcomes Chris Anderson, author of “Communications Resilience.” Anderson’s, an incident management and infrastructure protection expert with three decades of government, military, and private-sector experience. He’s currently the principal advisor for national security and emergency preparedness at Lumen.Welcome to Conversations on Strategy, Chris. I’m glad you’re here.Chris AndersonThanks for having me.HostYou recently contributed a chapter to Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. Your chapter talks about communications resilience, the backbone of the modern world, in your words. Give us an overview of the communication sector, please.AndersonIt’s really hard to overstate how important commercial communications is to government and military communications of all kinds. So, sort of the traditional national security kinds of things—command-and-control networks, intelligence sharing. Even highly classified information typically travels over commercial networks for a big part of its lifespan. But then as you start thinking even in more detail, things like civil preparedness, police, fire, EMS discussions, how you issue civil defense alerts to the civilian population, et cetera. On top of all that, communications is critical to economies and the citizenry in general.In the US, we’ve started this concept called national critical functions, which sort of distinguishes the inherently governmental functions from the other things the nation needs to be able to do in order to have a vibrant economy and support the government and keep citizens safe, et cetera. And comms is really central to a lot of those national critical functions.The sector itself is incredibly diverse. So when we talk about communications, and in the book chapter I talk about sort of the breadth of communications as encompassing sort of the traditional wireline services. You know, twisted pair copper and fiber optic cables that make up the old, you know, Bell telephone kind of networks that have now become the broadband connections that we all use in homes and businesses throughout the world. It also includes wireless communications. So wireless, you know, everyone thinks of 4G point-to-point5G cellular communications, but wireless also includes things like point-to-point, microwave and other uses of the radio frequency spectrum.There’s the cable business, which is in some ways very similar to wireline. I like to stress cable in particular because I think there used to be a civil defense perspective of like, well, that’s not really critical infrastructure. You know, if somebody can’t watch Game of Thrones for a day or two, that’s not a big deal. But increasingly, the cable companies provide the same sort of broadband backhaul, for example, that enables wireless communications. So they’re really critical too.Similarly, with broadcast. Broadcast TV and radio, not just about entertainment, but in some ways that is the most survivable, giving you that one-to-many communications capability to reach a large number of people. One of the things I like to say is, you know, “you can hand crank a radio. And so a citizen on their own, with nothing more than a radio with a hand—crank you can communicate with that person in a pinch.”And then, of course, satellite networks which are themselves undergoing a massive transformation right now.Across all five of those segments, though, there are a couple of things that I think are important to keep in mind as we think about communication resilience. Probably the biggest one is really over the last 20 years, the massive transition of communications technology from primarily analog to primarily digital. So the transition to Internet Protocol packets for voice, for video. Almost everything that’s pumped over radio frequency is now packetized, digitized, and then reassembled on the other end. That meshed and packetized network is, by its nature, resilient. The packets can travel multiple paths, and, in fact, that’s the whole design of the Internet. It was designed to be resilient, and if that path is no longer available, now I’ll go this path, and I’ll still get the packets there in time.The market itself is highly competitive the different carriers and cross modes and within modes are fiercely competitive with each other. But at the same time, the nature of the business requires that we work closely together as well. So it’s this strange sort of coopertition (cooperation + competition) model that makes it all work.You know, for example in interconnection, the whole point of communication networks are to be able to communicate with whomever you want. And so that means we have to exchange traffic with each other from carrier to carrier, from mode to mode, in order to get those packets where they need to go. And that interconnection implies a couple of really critical things. One is the importance of international standards so that things will work across these vast and disparate networks, (for example) the need for very big companies to work seamlessly with very small companies who have very different perspectives on how to operate their networks. And it also means that we’re generally interconnected with potential adversaries. So the network of networks that is the Internet has a lot of players on there and not all of them have our best interests at heart.The last thing I think is important to understand about communications is just how tightly integrated we are with other critical infrastructures. Pretty much every other critical infrastructure relies on comms for it to be able to function in its normal capacity. And comms is itself reliant on other critical infrastructures—in particular, heavily reliant on commercial electric power. And where commercial electric power is either out because of a temporary disturbance or is simply not available, then the continued availability of liquid fuels for on-site generation becomes really, really important.HostLet’s talk about threats to communications. What are the ways in which the integrity, availability, or confidentiality of communication systems might be degraded or compromised?AndersonIn the book, I talked through the “Big Three” set of things that can impact communications infrastructure. The first one is natural disaster and there’s physical attack. And I’ll lump in there industrial mishap kinds of accidental damages. And then same thing on the cyber front. There is cyberattack and cyber misconfiguration mistake kind of issues. There are some similarities across those three and some differences to tease out among them.So in terms of natural disaster, you know, sort of the gamut of bad things Mother Nature can throw at us also damage information systems and communication networks. So that’s storms, hurricanes and tornadoes, and derechos and you name it. Those can variously cause different types of physical damage either to key facilities (central offices, Internet exchange points, or to conduits, either underground cabling or aerial fiber. Stuff that’s not aerial, tends to be more susceptible to things like flooding or even to things like train derailments, or things that can damage the conduits—earthquakes for example). The other thing that natural disasters tend to do is impact the availability of commercial electricity. So if commercial electricity isn’t available then access to alternate fuel sources becomes really important.There’s also Mother Earth’s environment. So there’s geomagnetic storms and space weather that can impact satellites and can impact, depending on the frequency bands, radio frequency spectrum to varying degrees.Transitioning more to sort of the man-made attacks. Physical attacks. Either attacks or mishaps. As I mentioned, that sort of meshed packetized network makes these harder to be impactful, but there are still areas of concern around, for example, choke points. So things like undersea cable routes often have either one viable path (the cheapest shortest path where you’ll see a lot of cable stacked up) or they’ll be natural choke points. You know, for example, in the eastern Mediterranean Sea, there is a pretty tight choke point just off the coast of Egypt. A bunch of undersea cables run through there and then run down through the Red Sea on their way to wherever they are. They also have other concentration points like Internet exchange points and sort of massive data centers, which all by themselves can be huge and massive and important assets, but they often cluster together. Thinking about physical attacks, bombs and cutting of the cables, there’s also the less-nefarious accidents that can accomplish the same thing. Whether that’s, you know, construction facilities and a backhoe tearing through your fiber optic cable. And then finally, there’s, in the radio frequency world, spectrum-based attacks, so spoofing and jamming are also ways that you can physically, I’m doing air quotes here that you can’t see because it’s a podcast, but it’s a similar kind of attack vector.And then finally there’s cyberattack vector. So comms is an interesting character in this realm because we’re both a conduit for those attacks. But we’re also a target. And so those targets, in turn, target exactly as you teed up the confidentiality, the integrity, the availability of networks and data through a range of methods.I mean from an availability perspective, there are distributed denial-of-service attacks, where you flood the target system with so many requests for service that the system just can’t answer all those requests and it becomes unavailable to legitimate use. There’s ransomware where you’re able to, you know, get the ransomware on a system (and) shut it down so now it’s unavailable for its normal uses.Or disruptive malware. In terms of confidentiality, you have, you know some of those same players . . . ransomware, destructive malware, also routing attacks that target the ability to how packets determine where they move and the path that they take to get from the originating server to the destination server. If you can hijack that route, you can put a man in the middle and either listen in on those packets as they transit or potentially reroute them to somewhere else.And then finally, there’s integrity attacks on communications. Again, ransomware, advanced persistent threats. And I think integrity, in particular, with the book’s focus on critical infrastructure with respect to terrorist attacks, thinking through the potential complex attack scenarios where adversaries may seek to harm the integrity of communications so that they can control messaging. So that’s attacks on broadcast networks, on social media, on the places people will go for “reliable” sources of news that if the adversaries are able to track the integrity of those, they can amplify the effects of, say, a physical attack that’s coupled with, you know, social media and misinformation/disinformation.HostWhat are your suggestions for improving communications resilience against terrorist attacks or other threats?AndersonWell, I think in the interest of time, I’m going to limit it to sort of three things that I would talk about in terms of lessons learned. The first one is blue Sky relationship building. If you think back to even the way that I described how communication systems work, comm providers need to work with other comm providers who need to work with first responders who need to work with national security and national defense experts. And those relationships can’t just happen after “Boom” has happened. And now you need to figure out how to work together. It’s really important under blue-sky scenarios. To establish those relationships, work through how are you going to coordinate flow of information? Flow of request? What’s the disaster reporting process so people know in advance here’s what kind of information the government is going to need. And here’s the format I’m going to give it to them. And oh, by the way, what’s the definition for this one esoteric thing that actually means something different and different contexts. It builds those cross-sector relationships. Not just from comm provider to comm provider but making sure that we’re working with other infrastructure providers, especially energy, but not only energy. And then exercising and testing how all that stuff will work. So when the black-sky day comes, you have mechanisms that you’ve built out that you’ve practiced. That you know how to use. With people you’re used to talking to. You just can’t overstate enough how important that is in this public-private partnership.The second suggestion I would have is, you know, really methodically, look to identify and mitigate risk. So I talked earlier about those sort of choke points and concentration points. Make sure if you have mission-critical communications that you understand what that path diversity is. That it’s not just logical path diversity, but it’s physical path diversity, depending on your resilience needs. It doesn’t maybe necessarily buy you all that much to have two redundant circuits if they both go through the same central office or over the same undersea cable, et cetera. And then using, on the cyber front, you know, whatever baseline practices are most appropriate to your communications network, know them and use them. In the US, we use the NIST cybersecurity framework. The sector itself has done a huge amount of work to tailor what the NIST framework means to the different subsets of communication. But really, those cyber best practices are the really important resilience builders upfront.And then the third thing is to think through what will be the likely post-incident resilience enablers? How do you get comms back up and on its feet quickly so that the impacts of any disaster or any attack are minimized? And the big three that always come up, whether it’s an attack whether it’s a natural disaster are access, fuel, and security. So access. How are first responders or the military or whomever going to control who gets in and gets out to the disaster area. And making sure that commercial providers understand where they are in that hierarchy (and) what they need to do in order to be properly credentialed to get in at the point at which it’s appropriate and safe for them to do so.The second one is fuel, so it’s not just, “Hey, how do we prioritize commercial power.” But in a disaster where commercial power has been significantly impacted, suddenly the demand for those alternate fuel sources is going to be huge. And thinking through how that prioritization is going to work, which doesn’t even necessarily mean comms should be at the front of the line because there are going to be hard decisions to make. Does the hospital get that truckload of fuel? Does the state Emergency Operations center get it? Does the central office facility that’s routing everyone’s communications get it? But you need to think through those things in advance because that’s gonna be a critical decision point, a critical resilience enabler for post-disaster preparedness.And then the last one is security. After a big, particularly a broad (in terms of geography) disaster or attack, security is going to be an issue. So communication providers are going to be very concerned about putting personnel in harm’s way where it may or may not be safe. They’re going to be nervous about putting expensive equipment out in a field somewhere if they can’t secure it. And certainly, in this sort of a post-disaster environment, we’ve unfortunately seen that generators are pretty high-value commodities. And a generator that’s sitting on its own in a field next to a cell tower is a pretty tempting target. So thinking through how our government and industry going to work together to identify what’s safe. What’s appropriately safe for communications providers to put people and equipment out in the field, and then what are the ways that we can work together to make sure those are kept safe over the course of their response?Those are the big three—blue-sky relationship building, identify and methodically mitigating the risks that you see, and then thinking through what post-incident resilience enablers are and how you’re going to function them. And if you can do those three things, you’ll go a long way towards building communications resilience for your nation.HostSo much food for thought here. Thank you so much for your time and for spending it with us today.AndersonGreat, thanks for having me.HostLearn more about enabling NATO’s collective defense and communications resilience at press.armywarcollege.edu/monographs/955. If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information: Chris Anderson is an incident management and infrastructure protection expert with three decades of government, military, and private-sector experience. He is currently the principal adviser for national security and emergency preparedness at Lumen, a US-based global network provider and tech company. He previously held various senior leadership positions in emergency management and national security at the US Federal Communications Commission and US Department of Homeland Security. Anderson began his career as a US Navy helicopter pilot, completing 24 years of active and reserve service. He holds master’s degrees in national security strategy from the National War College and in management information systems from Bowie State University, and he received his undergraduate degree from the University of Virginia.

This podcast based on Chapter 1 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1 answers the questions: What is critical infrastructure? Why is it important? What is the difference between critical infrastructure protection (CIP) and critical infrastructure security and resilience (CISR)? What are some of the key terms defined in national CISR policy? What are the core areas of activity or work streams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations?The answers to these specific questions provide the contextual basis for understanding why CISR is a quintessential societal task for maintaining national security, economic vitality, and public health and safety in a world filled with increasing levels of risk. For NATO member states, building and enhancing CISR at the national level is necessary to safeguard societies, people, and shared values and also provide the foundation for credible deterrence and defense and the Alliance’s ability to fulfill its core tasks of collective defense, crisis management, and cooperative security.Click here to read the book.Click here to watch the webinar.Keywords: CBRNE, critical infrastructure, cyber threats, crisis management, security risk assessment, CISREpisode transcript “Understanding Critical Infrastructure” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Conversations on Strategy.The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes Ronald Bearse, author of “Understanding Critical Infrastructure,” featured in Enabling NATO’s Collective Defense: Critical Infrastructure and Resiliency. Bearse is an expert in critical infrastructure protection and national preparedness, with more than 23 years of experience in the US Department of Defense, Homeland Security, and Treasury.Ron, welcome to Conversations on Strategy. You recently contributed to a book, Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. I’m looking forward to hearing about your chapter, but first, thank you for being here.Ronald BearseWell thanks Steph. Yeah, I’m happy to discuss that with you today.HostWhat is critical infrastructure?BearseAlthough there’s no real global or standard or universal definition of critical infrastructure, most, if not all, European and NATO nations, which have a national CIP or CISR policy or national plan, define critical infrastructure as those physical and cyber systems, facilities, and assets that are so vital that their incapacity or their destruction would have a debilitating impact on a nation’s national security, economic security, or national public health and safety.We kind of understand them (and most people do) as those facilities and services that are so vital to the basic operations of a given society 9like the one we live in) or those without which the functioning of a given society would be greatly impaired. In our book, for example, we talk about critical infrastructure sectors. Here in the United States, for example, we have 16 critical infrastructure sectors where assets and systems and networks, whether they’re physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our national economic security or public health and safety. Those sectors include, here in the United States, and for most Western nations, the same types and same sectors, such as the chemical sector or the dam sector, commercial facilities. Communications sector. Critical manufacturing. The defense industrial base. Emergency services obviously is one. Energy. Financial services sector, food, agriculture, government facilities, healthcare and public healthcare sector. Information. Information and technology. Nuclear reactors, materials and waste sector. The transportation infrastructure sector is huge as well. As well as water and wastewater systems. So there are a number of economic areas, and we call them sectors, that have critical infrastructure, the loss of which would really be a problem.Within NATO, Allied Command Operations defines critical infrastructure as a nation’s infrastructure, assets, facilities, systems, networks, and processes that support the military, economic, political, and/or social life on which a nation and/or NATO depends.NATO mission readiness depends on the assured availability of critical infrastructure. Let there be no mistake about that. Critical infrastructure, which I should mention is mostly owned by the private sector. For example, during large NATO operations for exercises, about 90 percent, and that’s nine zero percent, of military transport, relies on civilian ships and civilian railways or civilian aircraft.HostWhy is critical infrastructure important?BearseCritical infrastructure is vital because it enables a nation’s productivity and quality of life and economic progression by driving economic growth and creating jobs and improving efficiency. It also provides essential services, such as energy and water, electricity, and transportation. It also connects communities via transport and communications networks, which enables the flow of goods and information—not just across the country but between countries and across the world.Another reason why it’s vital has to do with the fact that it’s highly interconnected today, Stephanie, meaning that critical infrastructure systems often depend on other areas or other critical infrastructure to operate. If it is severely disrupted or destroyed, it can cause severe catastrophic consequences, locally, regionally, nationally, and even globally. And also, if it happens in one sector, you can have cascading events that can cross over into other sectors as well. An increasing number of nations depend on critical infrastructure located in another country, or worse, controlled or operated or owned directly or indirectly by a foreign adversary. And yet another reason is that millions of critical infrastructure systems and the gazillions of devices which connect to them are connected to the Internet. And because of that, you know, we see that there is that vast increase of vulnerability attached with those devices.We’ve all witnessed how COVID-19 and the ongoing Russian invasion of Ukraine have impacted critical infrastructure. The critical infrastructure of NATO and partner nations—those nations face a rising, unprecedented wave of malicious cyber activities and destabilizing and devastating consequences—and public and private entities that are indispensable to the functioning and well-being and cohesion of allied societies (such as energy providers and telecommunications operators and banks and hospitals). And we’re certainly aware of the current situation, hybrid warfare and real actual warfare at the conventional level. And Europe and Ukraine and seeing how critical infrastructure is being targeted that way.HostIn the context of keeping critical infrastructure safe and functioning, what’s the difference between critical infrastructure protection and critical infrastructure security and resilience?BearseHumankind has been protecting critical infrastructure for thousands of years, Stephanie. It goes back a long time. In the Peloponnesian Wars, infrastructure then that nations fought over included ships and grain and ports and brick walls around the cities, if you will. And wells where water was. And you know, 1,000 years later you had the fall of Rome. And with the fall of Rome, you had the contribution of the aqueducts falling apart for a variety of reasons. But again, critical infrastructure in the Roman Empire. The shift that has happened over the last 20 years alone is due to the fact that stakeholders have learned that it’s almost impossible to protect critical infrastructure from all the growing risk factors that they face—where we are moving from the protection of critical infrastructure to securing it and making it more resilient against threats. For example, when we talk about security. Security in the CISR, the S, if you will, means reducing the likelihood of successful attacks against critical infrastructure with the effects of natural or man-made disasters through the application of physical means or defensive cybersecurity measures. And resilience is the ability of critical infrastructure to resist, absorb, recover from, or successfully adapt to changing conditions, including attacks.The concept of critical infrastructure security and resilience is particularly useful to inform policies that mitigate the consequences of such events and speak to the vital need, again, for nations to develop and implement a comprehensive risk-management strategy.Karen McDowell, who 10 years ago was an information security analyst at the University of Virginia, said something that still haunts me and should actually haunt everybody listening in today. I believe she said, “public opinion isn’t going to lead the push to better protection of critical infrastructure since most people aren’t aware of the security issues and don’t even know that they are at risk, let alone understand the risks to critical infrastructure.”HostWhat are the core areas of activity or workstreams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations?BearseThere are really three essential tasks—assess the risk, improve security, enhance resilience, right? It’s all in those three. That’s the basic process. But the process of accomplishing those three tasks can be extraordinarily complex and a continuing challenge because it requires numerous what I call “streams of work” to be performed by a number of stakeholders—such as government agencies, (whether they’re federal, state, regional, other types of government agencies), the owners and operators in the private sector themselves of critical infrastructure, academicians, people who do research, subject matter experts, international organizations, technology vendors, people that run the ISACS (information sharing and analysis centers). I mean, there’s just many, many, many stakeholders out there. But what’s really, really important is that the major work streams basically include the following. All these are discussed in the book and how they are applied at different levels and case studies and whatnot. But we need to establish very clear roles and responsibilities for all stakeholders. That’s a major workstream just doing that—identifying and determining the criticality of a nation’s infrastructure. The protection of critical infrastructure is a national responsibility. NATO doesn’t go out and identify what’s critical for other nations. It’s up to that nation to do that. It’s up to that nation to figure out what they’re going to do. NATO can certainly help them. The nations help each other as well, and we certainly want to help our partner nations.So another big workstream here is mapping critical infrastructure dependencies and interdependencies. Determining critical infrastructure vulnerabilities . . . I can’t say enough about that as a workstream. Using applicable risk management, risk analysis, and risk management tools, if you will. Risk assessment tools and approaches. A lot of different critical infrastructure sectors have defined some very good tools to use to do risk-based assessments. They are available to NATO and NATO partner nations.Establishing crisis management capabilities is important. Another key workstream is establishing public-private partnerships between government and private-sector owners and operators of critical infrastructure Establishing and implementing collaboration and information-sharing mechanisms between government and the owners and operators is also important. Developing and exercising continuity of operations and information technology, disaster recovery plans, and providing physical and cyber security and resilience measures is a big workstream, if you will. Ensuring the integrity and security and continuity of critical infrastructure supply chains is huge. Expanding opportunities to deliver CISR education and training. Another key workstream, this one it’s dear to my heart, is implementing a robust (and when I say robust, I mean thorough) test training and exercise program to determine the extent to which a nation’s current CISR policy or legislation or plans, procedure, systems, research and development efforts, you name it, are either meeting, falling below, or exceeding prescribed requirements and established standards.Another key part of the workstream that’s vital to this is fostering the local, regional, national, and international cooperation, collaboration, coordination, communication, and concentration that is required to produce results. So, one of the reasons why this book was actually published is because more nations need to be developing and implementing a national CISR policy.There are many reasons, again, why countries haven’t started down this road, Steph. Let me just share with you the top five really quick. The top three basically, and I believe these are in the correct order, are money, money, and money. The fourth reason is that most countries have been protecting things that they deem important or critical the same way for many years. The military protects W and X. The minister of interior protects Y. And the Department of beta protects Z. And rarely do they coordinate their efforts due to turf, territory, and tradition. And the fifth reason revolves around the realization that CISR is complex, and it is one of the most difficult things a country can do. Even if it had the money and resources to do it.The good news in this, Steph, is that the book that we are discussing today and it’s follow-on book provides several lessons to be learned as I call them. Good practices. Case studies, methods, tools, (and) approaches and experiences that are designed to promote the security and resilience of all NATO populations and strengthen their ability to function in a way that most people want them to during crisis management and to support collective defense or external operations. Failing to achieve CISR goals or objectives is going to reduce NATO’s mission capability and adversely impact member states’ collective societies because critical infrastructure is the foundation on which vital society and economic functions depend.HostThank you so much for your time today, I really appreciate it.BearseThanks, Steph. It’s been a pleasure talking to you and your listening audience. And again, it’s a hot topic. It always will be. And it’s a great way for nations to strengthen their capabilities and for the avid reader in national security, if he really or she really wants to, wrap their head around why things are happening in today’s world and how we could get a better grip on preventing some of those bad things from happening, these books also represent good reads, so with that take care.HostSame to you, thank you.Learn more about critical infrastructure, why it matters, and how to protect it in the monograph visit press.armywarcollege.edu/monographs/955.If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Author information:Ronald Bearse is an expert in critical infrastructure protection and national security preparedness, with more than 23 years of experience in the US Departments of Defense, Homeland Security, and Treasury. He is an adjunct professor at the Massachusetts Maritime Academy and an adviser to NATO’s Centre of Excellence for the Defence Against Terrorism (COE-DAT), where he teaches in COE-DAT’s Critical Infrastructure Protection Against Terrorist Attacks training program. Bearse earned an undergraduate degree in political science and Soviet studies from the University of Massachusetts at Amherst and a master of public administration degree from George Washington University. He is a distinguished graduate of the US National Defense University and a former senior fellow at George Mason University’s Center for Infrastructure Protection and Homeland Security

In 2014 NATO’s Centre of Excellence-Defence Against Terrorism (COE-DAT) launched the inaugural course on “Critical Infrastructure Protection Against Terrorist Attacks.” As this course garnered increased attendance and interest, the core lecturer team felt the need to update the course in critical infrastructure (CI) taking into account the shift from an emphasis on “protection” of CI assets to “security and resiliency.” What was lacking in the fields of academe, emergency management, and the industry practitioner community was a handbook that leveraged the collective subject matter expertise of the core lecturer team, a handbook that could serve to educate government leaders, state and private-sector owners and operators of critical infrastructure, academicians, and policymakers in NATO and partner countries. Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency is the culmination of such an effort, the first major collaborative research project under a Memorandum of Understanding between the US Army War College Strategic Studies Institute (SSI), and NATO COE-DAT.The research project began in October 2020 with a series of four workshops hosted by SSI. The draft chapters for the book were completed in late January 2022. Little did the research team envision the Russian invasion of Ukraine in February this year. The Russian occupation of the Zaporizhzhya nuclear power plant, successive missile attacks against Ukraine’s electric generation and distribution facilities, rail transport, and cyberattacks against almost every sector of the country’s critical infrastructure have been on world display. Russian use of its gas supplies as a means of economic warfare against Europe—designed to undermine NATO unity and support for Ukraine—is another timely example of why adversaries, nation-states, and terrorists alike target critical infrastructure. Hence, the need for public-private sector partnerships to secure that infrastructure and build the resiliency to sustain it when attacked. Ukraine also highlights the need for NATO allies to understand where vulnerabilities exist in host nation infrastructure that will undermine collective defense and give more urgency to redressing and mitigating those fissures.Click here to read the book.Click here to watch the webinar.Keywords: critical infrastructure, cyber threats, crisis management, weaponizing critical infrastructure, security risk assessmentEpisode Transcript: Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)Stephanie Crider (Host)You’re listening to Decisive Point, a US Army War College Press production focused on national security affairs.The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Decisive Point welcomes Dr. Carol V. Evans, editor of Enabling NATO’s Collective Defense: Infrastructure Security and Resiliency, which was published by the US Army War College Press in November 2022.Evans is the director of the Strategic Studies Institute and the US Army War College Press. She brings 30 years of expertise in the areas of mission assurance, crisis and consequence management, asymmetric warfare, terrorism, maritime security, and homeland security. Since 2014, Evans has been a lecturer at the NATO Center of Excellence for the Defense Against Terrorism in Ankara, Turkey, where she teaches its Critical Infrastructure Protection Against Terrorist Attacks training program. She holds a Master of Science degree and a Doctor of Philosophy degree from the London School of Economics.Thanks so much for joining me. I’m really excited to talk with you today.You recently edited a book for NATO, Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resilience. Why this book? Why now?Dr. Carol EvansWell, let me take a step back and that is explain to our audience why NATO? The SSI (Strategic Studies Institute) has had and enjoyed a very strong relationship with the NATO Center of Excellence (for the) Defense Against Terrorism in Ankara, Turkey. This book is the result of a joint research project between the two organizations. COE-DAT (it’s acronym) really focused on looking at critical infrastructure because terrorist attacks against that infrastructure have been increasing in time. And so, when we think about critical infrastructure and why now, we also need to examine the fact that infrastructure is being increasingly targeted; you just need to take a look at the news, for example, of the Russian attacks against the Ukraine infrastructure. Or if you look at, within Europe, strategic penetration by the PRC and some of their economic investments in telecommunications, in real estate, and even in the port infrastructure. All of this portends of two things. One, using critical infrastructure as a weapon of war, weaponizing that infrastructure. And so, we really need to understand critical infrastructure and the future of warfare. It’s going to be a tool for our adversaries. So, the timing was perfect for us in this book. It took about a year and a half in the making, but it is really so current and so relevant, given what we’re seeing happening right now on the battlefield.HostWhat can readers expect from this work? Can you give us an overview, please?EvansSure, it’s a lengthy book, it’s I think, coming in at around 400 pages. First of all, I brought together a team of incredible international experts in critical infrastructure. Some of the authors come from high levels of government. Some of them are industry practitioners. Some of them come from academe. And some are from, you know, some of the most important government labs and other actual NATO centers of excellence. So, with this huge intellectual capability, we broke the book into four sections.The first one looks at the evolution of threats to critical infrastructure, and we start with the basic question “What is critical infrastructure?” Luckily, both European and US definitions are in agreement, but we need to understand why infrastructure is so important and why it is being targeted and how has that threat to infrastructure evolved over time.So that first section looks at (the) beginning with the kinetic threats to infrastructure. This is very much apropos of, sort of, terrorist means to target infrastructure, as we’ve also seen with Russia. I’m not saying they’re the same. I’m just simply saying we have states using kinetic attacks against infrastructure as well as terrorists. And then it has morphed; I guess about 10 years ago we saw increasing cyberattacks against that infrastructure, globally, and then hybrid warfare (where you have a mixture of both cyber and kinetic). So that’s sort of the first section.HostWhat does the second section cover?EvansLooking at what we call the lifeline sector. So, we wanted to provide case studies from each of the lifeline sectors, namely the energy sector, transportation sectors—so we have a chapter both on threats to civil aviation that has been often targeted, as you know, (not just airplanes but also airports). And also mass rail transit. You can harken back to Spain or the attacks against London and the underground.Following transportation, we also look at telecommunications, and this is really important, as well as water. A lot of people don’t think about the water infrastructure, but it’s really really vital for many other infrastructures. And that’s why we call them lifeline(s)—because they’re so key to the quality of our life. And if you think about, particularly, energy—all of the other infrastructures rely on energy, so there is massive interdependencies between these infrastructures.So each of the authors in those chapters really give some good case studies of both cyber and kinetic threats to that infrastructure and also discuss some of the measures, maybe to try and build that resiliency in our book, as you referenced, Critical Infrastructure Security and Resiliency. So both, how do we protect that infrastructure? But we know it’s going to go down at a certain point. Therefore, how do we build the resiliency back?HostWhat does the latter part of the book bring to the conversation?EvansIt’s the tools and measures to build security and resiliency. What’s nice about this book is it’s not a US perspective. It is not a European perspective. We have authors from around the globe. And so they’re bringing their different backgrounds and subject matter expertise to help owners and operators or governments that have an infrastructure responsibility to think about what those tools might be. So, we first start with looking at both US and European frameworks—critical infrastructure, security resiliency frameworks—and what are then, sort of, the key policies. What are some of our key organizations? For example, here in the United States, it’s the Department of Homeland Security (and) CISA is the key organization. And then what are some other types of best practices that we can use, such as information and intelligence sharing? So, policies, practices, organizations, and how those frameworks have really helped incentivize both the government and private sector to work together to build security and resiliency.Some other tools are modeling and analysis of critical infrastructure interdependencies. As I mentioned before, you know, energy, water—all of those sectors are very interrelated and interdependent. And so we need to understand if you’re going to lose, say, one part of your grid, what are the cascading impacts? You need to have a good sense of that situational awareness because dollars are scarce. So where can, if you’re an owner of infrastructure, or if you’re a government that needs to incentivize private owners, where are you going to put those dollars?So you have to understand where the risks are greatest to that infrastructure failing. And that, the whole subject of risk, is another category that we look at in terms of the tools. How do you conduct security risk assessment(s)? How do you develop a risk management approach? And that particular chapter provides people, government, and industry with some of those best practices to develop their own risk programs.And then, finally, of course, you have to talk about infrastructure and protecting it from cyber risk. So, cybersecurity is a big chapter, and that chapter focuses on the need for really good cybersecurity hygiene when it comes to industrial control systems, also known as SCADA systems. Here, the author does a really great job of explaining why SCADA is subject to such vulnerabilities. Often companies or infrastructure are using their business enterprise networks and are connecting those to their operational side where the SCADA exists. So that opens up vulnerabilities for penetration and attack. So threats, you know, lifeline sectors and then the tools to build security and resilience is really what the book is all about.HostYou touched on this a little bit earlier. In addition to editing this work, you contributed a chapter as well: “Hybrid Threats to US and NATO Critical Infrastructure.” I’d love to hear more about it.EvansMy chapter really focused the reader on why should NATO, or why should the Department of Defense, care about infrastructure. And so my chapter really goes pretty much in-depth, looking at three potential hybrid threat vectors to critical infrastructure. And the first area that I look at in my chapter is . . . I examine how Russian penetration, as well as some of our other adversaries, have been very active in our electric grid. And as a consequence, that infrastructure can be compromised. And this is especially important when we think about particularly from US installations and bases. We are reliant on the private sector to provide our power. That was not always the case. You know, back in the 50s, a lot of our bases had our own water supply systems, our own power-generation capacity. But over time, we have privatized most of those services, and so hence, we’re now reliant on the private sector to provide those goods and services. But how well is their cyber security?So as I mentioned, the Federal Bureau of Investigation has cited Russia inside our grids. If we were to think about, for example, suddenly needing to deploy to support NATO, (if) we needed force projection into the European theater. If our bases go down, that’s going to interfere with our troop movement. Or if we’re along our rail systems. Or if we’re in ports where we know that those can be compromised, how will we successfully sustain a force-projection movement of some particular size and scope? So, I show how that’s a key vulnerability for us.The second area that I look at is how our adversaries are targeting the logistical infrastructure within NATO itself. We’ve seen in Russia how logistics have played such a crucial role in their inability to successfully invade Ukraine. We’re sort of on the back foot as well, equally, because of the penetration of some of the key infrastructure sectors within Europe. Our ability to sustain ourselves, and to mobilize within the theater can be very much compromised. So I go into quite a bit of detail there.And then the final area that I look at is the strategic investment by the People’s Republic of China into the European Defense industrial base. Chinese companies are now owning big swaths of many of the ports in Europe. There’s a lot of Chinese investment and ownership, particularly in the southern part of Europe, in their electric grids. But also, when we think about supply chain resiliency, the Chinese company Huawei has been very active in terms of trying to sell telecommunications within Europe. All of this portends, then, to when we need to fight a war with NATO in Europe, is that infrastructure going to be there when it’s largely owned and controlled by foreign adversaries? So I think this is a really important wake-up call, particularly for a number of countries that haven’t been as attentive to the strategic penetration by the Chinese in their own infrastructure.I then conclude my chapter by looking at some of the measures NATO has been doing to address some of these issues—building capacities such as NATO Center of Excellence Defense against terrorism and leading the charge there. But building other centers of excellence, for example. More recently, again, in Turkey, we have the establishment of the MARSEC (maritime security), and they, too, are looking at the protection of maritime infrastructure. So, a lot of organizational capacity, ongoing, as well as the European Union, taking a harder look and passing not so much regulation but guidance to their member countries to review purchases of their infrastructure much more carefully and with great consideration.HostYou have an upcoming launch event for this book. How can readers participate or even watch it after the launch?EvansWe’ve organized some of our key authors to provide short overviews of their chapters. We will be taking questions. I’ll be actually serving as the moderator, so we hope to have a very good discussion. Mr. Ron Pierce has written a lot on the policy frameworks. Mr. Chris Anderson is going to talk about his communications chapter. Theresa Sabonis-Helf is an expert in energy, and she’s going to be talking about the Ukraine case. And Steve Bieber is an expert on waters. So, it’s going to be a dynamic and engaging panel. And I would look forward to everyone being able to download and watch it.HostI’d like to interject listeners. You can find the webinar at ssi.armywarcollege.edu. There’s also a link to it in the show notes.There’s a lot to unpack in this book. Thanks so much for sharing it with us.EvansI appreciate the opportunity.HostIf you’d like to learn more about NATO’s infrastructure security and resilience, download the monograph at press.armywarcollege.edu/monographs. If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.Carol V. Evans is director of the Strategic Studies Institute and US Army War College Press at the US Army War College in Carlisle, Pennsylvania. The Strategic Studies Institute is the US Army’s leading think tank for geostrategic and national security research and analysis. She brings 30 years of expertise in the areas of mission assurance, crisis and consequence management, asymmetric warfare, terrorism, maritime security, and homeland security. Since 2014, Evans has been a lecturer at NATO’s Centre of Excellence for the Defence Against Terrorism (COE-DAT) in Ankara, Turkey, where she teaches in COE-DAT’s Critical Infrastructure Protection Against Terrorist Attacks training program. She holds a master of science degree and a doctor of philosophy degree from the London School of Economics.

21st Century Warfare, Afghan National Defense and Security Forces (ANDSF), Afghanistan, al-Qaeda, collapse, Doha Accord, Grand Strategy, international relations, Military Change and Transformation, Military Strategy and Policy, Pakistan, Security force assistance, Statecraft, strategy, Strategy and Policy, Taliban, Ukraine, War and SocietyKeywords: urban warfare, Ukraine, Afghanistan, modern warfare, Military Strategy, 21st Century warfareEpisode Transcript: “Urban Warfare”Stephanie Crider HostDecisive Point introduces Conversations on Strategy, a US Army War College Press production featuring distinguished authors and contributors who explore timely issues in national security affairs.The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.Conversations on Strategy welcomes John Spencer. Spencer currently serves as the chair of urban warfare studies at the Modern War Institute, codirector of the Urban Warfare Project, and host of the Urban Warfare Project podcast. He served over 25 years in the US Army as an infantry soldier, having held the ranks from private to sergeant first class and second lieutenant to major. He also currently serves as a colonel in the California State Guard, assigned to the 40th Infantry Division, California Army National Guard, as the director of urban warfare training. His research focuses on military operations in dense urban areas, megacities, urban, and subterranean warfare.Welcome to Conversations on Strategy, John. I’m glad you’re here.John SpencerThanks for having me.HostLet’s talk about urban warfare. The US Army War College Press has published several pieces on this topic over the years. On a recent Urban Warfare Project podcast, you note urban warfare is the hardest. Can you elaborate on that?SpencerSure. So I’m pretty adamant out of all the places you could ask military units to try to achieve strategic objectives, the urban operating environment is the hardest.Because, one, the physical terrain, right, which is complicated and hard in all areas—high elevation, you know, deep jungles—but the actual element of the urban physical terrain, the three-dimensional, the surface, subsurface, rooftops, the canalizing effect of the buildings, and the architecture of the city that reduce our military’s or any military’s ability to do what they want to do, right? So to do maneuver warfare, to use (intelligence, surveillance, and reconnaissance or) ISR and long-range strike capabilities—it doesn’t get negated; it gets degraded in the urban environment. So I think it is the hardest because of that complexity of that physical terrain.But, by definition, “urban” means there’s people present. By our definition, the US military’s definition, “urban” means that there’s man-made terrain on top of natural terrain. There’s a population, and then there’s infrastructure to support that population. So with the presence of civilians in the operating environment in which militaries will be told to achieve objectives, the presence of civilians means that there will be a limit on the use of force. Because of the law of war, the international humanitarian law, (law of armed conflict or) LOAC, the different names that we use for it—since World War II and even all the way before World War II—most people think that in urban fights, like Stalingrad and, for us, Manila and Seoul—that was just a free range. There’s always a limit on the use of force. So going into it, it’s going to be harder for the military to use their form of warfighting because there’s gonna be limits on the use of force. Of course, there’s the three-block war, where soldiers and commanders will have to be fighting a peer competitor, at the same time dealing with humanitarian approaches and trying to get civilians out of the battle area, trying to save infrastructure. General (Charles) Krulak called it “the three-block war.” And then, of course, we often, when we envision urban warfare in massive operating environments that are urban, we think the civilians are just a hurdle or a concern to protect them. But, you know, modern warfare and old warfare—I mean, the population can be either a challenge, they can be supportive of the military’s objective and actually take part. Of course, they lose their civilian status to become combatants at that point but . . . or they can be completely nonsupportive and be going against what you’re trying to do. And that just complicates it, makes it harder. Right?Next—and I think it’s hard to put, like, which one of these is really the hardest—but the information domain. I call this “the First Battle of Fallujah effect,” although—yeah, that was 2004. The level of the information domain in the application of military power in urban environments is the hardest. The fight for the truth, the ability to hide—it becomes, literally . . . like, one of the primal warfighting functions is to fight in this information domain, as no military unit in the operating environments is gonna be very challenged to hide. All actions will be viewed because every civilian is a camera, an uplink to the global community. There’s so many sensors, and we’ve seen this on the modern battlefield . . . is I can watch live combat as we speak. I can tune in to most cities in Ukraine, and I can actually watch. In war, we talk about these three populations, right: the military, the political apparatus, and the populations. Well, in the urban terrain, those all collide into what we call a “tactical compression,” where the strategic and tactical become one because of the information domain.I could go on for a while because this is my thing. I think the complexity of the urban terrain . . . unlike other areas like mountainous or Arctic warfare, when we asked militaries to conduct operations in urban environments, the complexity, as in the cause and effect of our actions . . . in the urban terrain, just presenting a military force changes the environment in unknown ways.There’s very few cities—and there are some, and there’s been some great writings . . . every city is different. And that’s the challenge of understanding urban environments.The commanders and the political leaders have to understand the risk in second-order effects of the operations. Well, in the urban train, sometimes that’s near impossible. That’s literally the definition of complexity, is “I can’t tell the second- and third-order effects of touching the system on the global supply chain, on the global economic factors, on the regional factors.”Those are just some of the highlights. I know that it’s a podcast and you want me to be brief, but I honestly believe that it’s the hardest place on Earth you could ask militaries to try to achieve political objectives.HostWe’re obviously not the only people thinking about urban warfare. How do other countries like England and Israel look at and train for urban warfare?SpencerSure. So I’ve actually spent a lot of time in England with the British Army, and, of course, I just got back from the NATO Headquarters (Allied) Rapid Reaction Corps conference on urban warfare. So there’re not really a lot of differences between the US and the (United Kingdom or) UK model. But I think, interestingly, what the UK or England has done is that they have embraced that this should be a primary area of training focus and preparations. So they actually put out a mandate saying, “We used to do 80-percent rural and 20-percent urban preparations.” Now they put out a mandate that states all units in the British Army will do 50-percent urban, 50 percent rural. You know, sometimes, that’s just words, but that’s actually translating into budget priorities and how they spend their time.So for me, that was really important. They’ve made major changes at their major training areas like Copehill Downs (Copehill Down), major investments in synthetic and physical training and distributed training. I think it’s really translating. There’s not a different way they approach it. They know combined arms maneuver is the most powerful form of maneuver. But in the urban terrain, you have to prioritize preparing for this hardest environment.Now the Israeli model—there are a lot of differences, just because it’s a different army. It’s not an expeditionary military like, uh, NATO members—you know, NATO partners. So that does actually cause changes in the approach. Plus, they know their likely environments they’re going to deploy into.But spending a lot of time with the Israeli military and security forces, there are differences on how—even their equipment. Because they actually, in their urban warfare experience, will then make immediate changes. And that’s kind of their power of their ability to adapt their technologies. So when they go into a contested urban environment, they will come in with a much more armorized force: a bulldozer in the lead, infantry compartment in their tank so the infantry can get inside of it, an active protection system on all their tanks.And not saying that we don’t have these things, but they’re very deliberate in their approach to going into a completely nonpermissive urban environment. Because that’s their assumption if they’re going in, again, because they have different—whether it’s (doctrine, organization, training, materiel, leadership and education, personnel, and facilities or) DOTMLPF or what of their force design—they can do things like have heavier equipment, have purpose-driven units designed for underground warfare, things like that. So there’s definitely some differences in both models, but there’s also some similarities.HostWould any of their methods or theories be useful for American forces?SpencerSo, absolutely. One of the challenges with urban warfare for us—especially the US military—is we don’t view it as a special task. We train offense/defense in all other military tasks, and we say the environment is a condition, and we’ll make minor changes. But look where we spend our time. We spend our time in the desert, in the woods, and that does translate into military capability. So absolutely, as, especially, the UK really pushes the envelope on “Fifty percent of my time is gonna be spent preparing for the urban environment. I’m gonna change doctrine—really, the whole DOTMLPF spectrum.” They’re on the forefront, in my opinion. And those lessons will translate to the US military. There is a lot of synergy going on between the two. But they’re really pushing.And then in the Israeli model—I think, absolutely, based on their mission sets and their environments, when they adapt to it, I would say, they’re probably at the forefront of the world in the use of information operations when it’s a known urban operating environment. So they have units that are established to do that, their acceptability of risk fighting in the information domain.The problem we get into, especially at the strategic and operational level, is that we think that we’re going to control information when we have to view it as a high a priority as actual fighting. Because we are fighting in the information domain. When Israel goes into the urban environments and does an urban operation, it’s at the top of their priorities for the commander is the fighting in that information domain—and, especially, in things like (Operation) Guardian of the Walls in 2021, where they really showed how they’re advancing the ball on that.HostUkraine and urban warfare: What are the important takeaways so far?SpencerOh, man. So there’s so much that’s going to be learned. I just got back myself from Kyiv, trying to understand the battle of Kyiv, which was . . . we have to take that, as a military, as the most decisive battle in modern era. Russia invaded Ukraine with the intent, the strategic objective of overthrowing the Ukraine political apparatus and taking the whole country. They had to penetrate the capital city. That’s nothing new, right? Like us in Baghdad, Kabul, you name it. But they were stopped by a much smaller military armed by understanding their urban environment better than the opponent. There’s so many lessons that we’re gonna take from just that one battle, when Russia, the second biggest military, was stopped by literally a brigade, and then 10s of thousands of civilians.It wasn’t that the Russians weren’t prepared to fight in urban terrain; they weren’t prepared to understand the requirements of doing large-scale combat operations on force projection, logistical needs that the urban environment puts to a test. So that’s the interesting aspect of Ukraine is that urban warfare will put your operational concepts; your doctrine; your ideals of ends, ways, and means to the ultimate test. It really does.But each one of these urban battles out of Ukraine are different, right? So Kyiv was a different fight than the battle of Mariupol, where time is important to militaries, and a small force . . . again, using the urban terrain features, all elements from information domain to the infrastructure already present were able to hold off 20,000 Russians for 80 days.Operationally and strategically, when you have a political objective you’re trying to achieve, if you can grind your opponent to a halt like that using the urban terrain, that’s powerful. This is evolving, so there’s so many lessons. And, like, Syeverodonets’k, and what urban terrain is most important?Of course, the capital city—that’s a strategic operation that has to be studied. But in my words—and Ukraine shows it—is that all roads lead to urban. “The main goal in warfare is to destroy your enemy’s military” is not true. And modern war puts that to the test. The battles of Ukraine are context, of course, but all roads lead to urban. The idea that you’re going to enter an operating environment and not at least have to secure your logistical lines through urban terrain—it’s just not reality. There’s a long list. I’ve taken a lot. The guy I went to Ukraine with, we’ll have a report on the battle of Kyiv, specifically. Which really does put to question ideals at the strategic level about, like, total defense, where your civilian population is going to rise up. But how do you do that? How do you resource it? What are the legal considerations when you turn civilians into combatants? And there’s a lot of lessons here.HostLooking forward to hearing more about those once you get it all put together. So you mentioned your trip to Ukraine and the battle of Kyiv a couple of times. You want to share any highlights of your trip with us?SpencerSure. So I think if you lay down Russia’s objective, its strategic objective, and then lay down its operational plan . . . which can be argued that they spread themselves too thin. They didn’t adhere to the elements of operational art. You know, they didn’t mass on the critical objective, which was Kyiv. But they did come hard. They did implement a joint forcible-entry objective, inserting paratroopers into an airfield that were then not backed up by enough forces, and they were defeated.They ran into not complications in fighting another military; they ran into complications of things like mobility and countermobility in the urban terrain.The battle of Kyiv didn’t happen, really, in the urban areas that people think about when they think about urban terrain. It happened in the peri-urban. Because Ukraine immediately blew 300 bridges. So we talk about, you know, wet-gap crossings. But if you have 300 wet-gap crossings to do, that’s gonna have strategic implications for your military power if you’re not able to do that.So there’s a lot of lessons here in, like, ancient siege warfare. Kyiv had to just close the castle gates. They dropped all the bridges. They flooded rivers, which was very interesting. They flooded three major rivers to take away all the avenues of approach that Russia wanted to have, right? That’s what we do, right? We have a primary massive avenue of approach, and we have other ones. And they were coming hard, but Kyiv was able, through years of planning, to understand their city to where they could make it really hard to get into the city.Because it wasn’t about destroying the Russian military; they’re never going to do that. They had to buy time. They had to prioritize strategic capabilities like TB2 drones and the limited artillery they had as they fought seven different city fights. But there’s also elements of . . . again, this is about terrain denial. Ukraine was on the defense. And they showed that . . . (Carl von) Clausewitz said that defense is the strongest form of war. Now, it’s not your politically strongest form. But I think there is lessons in Ukraine, especially the battle of Kyiv, when you have to be prepared for defensive operations.We, as in the West, can’t always be the attacker. All warfare includes both offense and defense, and some of that’s the large-scale combat operational defenses. Like the city of Chernihiv. If the city of Chernihiv in Ukraine had not held, Kyiv might have fallen because they would not have been able to fight the way they were fighting because there’s another major axis of advance. But the first Ukrainian guard division (1st Division of the National Guard of Ukraine) held all Russians from advancing south of Chernihiv.I know that the war college and other people will study this in depth. But I think we can’t wait. Some of these lessons are almost immediate to translation to the way we think about massive theater operations. You’re not going to avoid and bypass urban areas. Maybe a few, but it’s going to have implications on strategic capabilities.HostBefore we go, give me your final thoughts.SpencerSo my final thoughts is that when I ask military people about urban terrain, they think about clearing buildings. Urban warfare is not an infantry fight. It will put joint combined arms maneuver to the test. And it is the people that can bring it all together at the point of need that can succeed. But we need to think about urban warfare like it is defined: the actual city, the people in the city, and the infrastructure and how that incorporates into our joint combined arms fights.HostThank you so much. I appreciate your time, your insight, all of it. This was really good.SpencerNo—thank you.If you enjoyed this episode of Decisive Point and would like to hear more, look for us on Amazon Music, Spotify, Apple Podcasts, Stitcher, and any other major podcast platform.