Martin Howard of UDSS considers what a supercharged national resilience strategy might look like and how embedded the internet is in all our lives

The key feature of the Covid-19 pandemic is its ubiquity.  Most crises short of total war are not like that.  Natural disasters, major accidents, terrorism and regional conflicts impact on specific peoples, places and organisations.  But COVID-19 has had consequences for pretty much everybody.  That creates special challenges.  This is not the place for a post-mortem on how nations have dealt with them.  But it is hard not to conclude that most western governments’ responses to the pandemic have been inadequate.  Rightly, therefore, achieving a step change in resilience has come front and centre.

This article is in two parts.  The first outlines what a supercharged national resilience strategy might look like.  The second takes as its start point the fact that it would be wrong only to focus on the next pandemic.  There are several other events that could have ubiquitous, damaging impact on virtually all citizens – climate disaster, space weather, global financial collapse and widespread failure of the internet are examples.  Given how far the internet is embedded into everyone’s lives, part two takes a closer look at thelast of these.

A national resilience strategy

The parallels are not that close, but the COVID-19 pandemic can be seen as a seminal moment for resilience in the same way that 9/11 transformed counter terrorism.  In the case of the UK, 9/11 led to major changes in how national security institutions resourced and delivered counter terrorism.  These changes have been carried out within the CONTEST strategic framework, with its four Ps structure describing Protect, Prepare, Pursue and Prevent strands of activity.  Without pushing the parallel too far, an equivalent framework for a national resilience plan might revolve around six roughly sequential Rs:

Research.  This covers intelligence, horizon scanning and risk assessment as well as scientific and technological research.  The aim is to ensure as much understanding as possible of the threat picture and, crucially, present it in a manner accessible both to experts and top level decision makers.

Resource.  This should be broadly drawn to include central and local institutional structures and processes for leadership and crisis management as well as properly targeted, maintained and protected contingent capabilities, including stockpiles.

Readiness.  Structures, processes and capabilities need to be tested regularly through exercises and other simulations with high level participation.  And lessons from this testing need to be acted upon rather than just identified.

Respond.  The key is rapid conversion of contingency planning into realistic and real time decision making – recognising that plans do not wholly survive contact with reality.  But it is better to have a plan to deviate from than have no plan at all.  Equally important is regular and honest strategic communications in an environment of high public anxiety.

Recover.  Government crisis management machinery will need to have the bandwidth to manage day to day issues and chart a route to recovery.  This is easy to say, but hard to do.

Review.  Once a crisis is over, there will be a need for an in depth and honest appraisal of what went well and what didn’t.  Part of this in a democracy is the natural desire to hold elected representatives to account.  That is important, but so is the need to take the results of a review process at the practitioner level and feed it back into the research, resource and readiness parts of the cycle.

This is not meant to be prescriptive.  It is one way of dividing up an incredibly complicated business to make it digestible for top level policy makers.  But however resilience is organised, two things are essential: proper and sustained resourcing, especially of contingent capability; and high level ownership, including at Ministerial level.  Without these, the temptation to push resilience planning onto the back burner and raid contingency capacity for easy savings will become irresistible.  In the meantime…

Failure of the internet

How vulnerable is the internet?  Most people would say, ‘not very’ and there is truth in that.  By accident and design, the internet is resilient because its networked nature allows failures to be isolated and bypassed.  Deliberately taking down the whole thing is extremely difficult, but not impossible.  Publicly available expert opinion tends to coalesce around three options:

• Destroying key communications infrastructure, notably cutting undersea cables and disabling communications satellites.  It is hard to see this being done by anyone other than a technologically advanced hostile state and would probably be seen as an act of war.

• Disrupting or manipulating the Border Gateway Protocol (BGP) system that routes data over the internet in the most efficient manner. Widespread malign rerouting of traffic could in effect break the internet.  BGP is one of the most heavily monitored parts of the internet infrastructure, making it very hard to disrupt on a global scale.  But with sufficient resource and determination, it could be done.

• Disrupting or manipulating the Domain Name System (DNS) which links web titles (eg something.com) to IP addresses.  This wouldn’t so much break the internet as make it unusable for most people.  Again, service providers monitor DNS closely to detect malign activity.

Other possibilities include space weather; tectonic events which disrupt major internet nodes; and the escape into the wild of advanced malware designed by states to take down targeted servers and routers.  ‘Failure’ can also be defined in different ways.  Persistent instability in one or more of the layers of interaction between the physical infrastructure of the internet and its users will be just as much a failure as a complete breakdown of the web – and is more plausible.

However it happens, the impact of a sustained and widespread loss of internet connectivity could be devastating in its impact on citizen-facing services (tax, benefits, banking, insurance, trade and shipping, food supplies, provision of health care, medical data etc) all of which are now mostly organised, delivered or stored online – and where there is neither the resource nor the infrastructure to revert to a pre-internet Plan B.  Even if a full breakdown of the internet looks unlikely, there are scenarios short of that which could also be highly damaging, eg disruption which degrades data flows to a fraction of their current speeds, making data hungry use of the internet impracticable; or a widespread loss of citizens’ confidence in the internet’s integrity, possibly in the wake of ubiquitous compromise of online services and personal data.  None of this is a high probability, but it is self evidently high impact and a properly resourced national resilience capability should put it high on its list of major strategic risks.  In the commercial world, big insurance companies are already doing so.

Conclusion

There are two conclusions from this analysis.  The first is that if we think that the Covid experience means a step change in national resilience capability and planning, then that needs to be real.  In the case of the UK, despite having a highly regarded and well led risk assessment process, it will not be enough to tinker around the edges of what we have and do currently.  Big questions flow from this.  Do we need a high powered, high profile central authority maybe comparable to the Office of Security and Counter Terrorism?  How would that connect with vital local and regional players?  Can technology improve understanding and crisis response?  The UK government is planning a high-tech Situation Centre to sit alongside COBR.  That looks like a step in the right direction, but in practice how will it help decision making in the run up to and during a crisis?  For all this to make sense, a comprehensive strategic framework agreed and owned by top decision makers is essential.  I have suggested the outline of one model.  There are obviously many others.

The second key conclusion is to avoid falling into the trap of focusing only on the threat posed by a future pandemic.  There are plenty of other credible risks that a properly constituted national resilience capability should be ready to understand and deal with.  I have talked about one – failure of the internet – but I could easily have focused on others.

I will finish by repeating what I said earlier.  COVID should be seen as an inflection point in relation to resilience planning in the same way that 9/11 was for counter terrorism.  Here’s some numbers to ponder.  According to Our World in Data, an average of 21,000 people per year have been killed by terrorism over the past decade.  In little over a year, the global death toll from COVID is 2.6 million and counting.  I rest my case.

Universal Defence and Security Solutions Ltd (UDSS) was founded by General Sir Richard Barrons and Peter Hewitt to provide policy, strategy and operational solutions for governments, businesses and commercial organisations, on a global basis. UDSS has the largest and broadest membership of former British Armed Forces personnel, regular and reserve from SNCO to 4 Star, as well as former MoD Civil Servants. This enables UDSS to provide the very best expertise in the major defence and security challenges of today, including leading in contemporary military ‘hard power’ capability; ‘hybrid’ or ‘political’ confrontation; information operations and cyber warfare; peace support; wider security; constabulary; humanitarian assistance and disaster relief.
www.universal-defence.com