Security and resilience have to be designed into society’s fabric.
The US Department of Homeland Security defines security as ‘reducing the risk to critical infrastructure by physical means or cyber defense’ and resilience as being ‘the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions’. Thus, if we consider the recent chaos at Gatwick airport, better security would have meant more effective measures to counter drones and prevent them from closing the airport, and improved resilience would have been more effective mitigation of the consequences for passengers whose flights were disrupted.
Like many security measures, resilience is threat-agnostic. And in the Gatwick example the mitigation for those affected would have applied whether the cause was a drone attack, an Icelandic volcano or unexpected bad weather. Thus, resilience is about withstanding and recovering from a deliberate attack, an accident or a naturally occurring event.
This means that resilience is about designing systems so that they are more durable; and it is about having a continuity plan and a back-up system for when things go wrong. For an adversary, if your opponent is well-prepared and can recover easily from any attack you may unleash on it, that is as much a deterrent as a response capability. Why waste your resources attacking your opponent if that attack will have only the most limited impact? In these days of hybrid attacks, societal resilience may be the best defence, and thus a deterrent. That is why RUSI’s new Modern Deterrence programme is not only welcome but desperately needed, and I am honoured to be involved with it.
Indeed, such resilience may increasingly become a necessity. As our society becomes increasingly complex and as our infrastructure becomes increasing interconnected, new vulnerabilities are created and our ability to survive disruption of one element of the infrastructure is reduced accordingly.
In the event of a widespread power outage, for example, many services would simply stop being provided. Schools routinely close if the heating stops working in the event of a power cut. Unless a hospital has its own emergency generator it will cease to function, and even then it assumes that other utilities would continue to be available and that staff would be able to report for work. In many areas, without power potable water cannot be guaranteed and wastewater and sewage cannot be removed and treated, and those areas would rapidly be rendered uninhabitable. Telephony would fail and so would mobile communications. ATMs and petrol pumps would stop working. Under such circumstances, civil order would probably break down within a very short time.
The reality is that all the systems that we rely on for modern life are inter-connected, inter-related and inter-dependent. A catastrophic failure might be brought about by hostile action, but it could just as easily happen as a result of an unanticipated system failure or some natural occurrence.
Most organisations plan for things to go wrong, but usually those plans are based on only one crucial input failing, not for a problem that is more pervasive. A large factory or office may have an emergency generator – although often these will not have been adequately tested – but the plans for dealing with a power outage probably assume that mobile communications and the internet will still be available, that staff can still get into work and that their buildings will still have water supplied.
Most organisations have not focused enough on the inter-dependence of their systems with those of others. Moreover, their resilience plans will usually rely on key utilities and services continuing to function.
And this is as true for a city as it is for an individual business. Thus, the question must be asked: how much resilience do we have as a society? Are we resilient collectively and as individuals?
Too many of us simply assume that ‘the authorities’ will come and sort it out. However, emergency services and local government are all increasingly cash-strapped. The reality is that security and resilience have to be designed into society’s fabric. Ultimately this means that everyone has to see security and resilience as their responsibility.
Only with such an approach can we ensure that our increasingly complex and inter-dependent society can respond and recover from a shock – whether that shock is a malign action by an adversary or a natural phenomenon. The resilience needed at an individual or family level, at an organisational level and as a nation is probably much the same whatever has precipitated the shock.
Thus the investment to boost that resilience should not be siloed in a defence budget, or a flood management budget, or a pandemic control budget. It should be a whole-government and a whole-society response.
To be sure, any of the individual events that might precipitate such a catastrophic shock may be of low probability – but the complexity of our society and its systems means that there are many such potential catastrophe-inducing events. The chance of one of them arising in the foreseeable future becomes significant.
While all sensible efforts should be made to reduce further the risk of the occurrence of such events, it is also essential to start building a societal resilience that can withstand those events that nonetheless occur and enable us to deal with those that at this stage cannot even be identified or contemplated.
Toby Harris, the Lord Harris of Haringey is a member of the House of Lords and sits on the Joint Committee on the National Security Strategy. He is also the UK Coordinator of the Electric Infrastructure Security Council.
The views expressed in this Commentary are the author’s, and do not necessarily represent those of RUSI or any other institution.