Maheen Rasul London Politica

Hybrid Threats - Critical Infrastructure and EU Specific Mitigation Strategies


As outlined in the first article of this series, a hybrid threat refers to an action performed by a state or non-state actor to undermine or harm a target by influencing its decision-making at the local, regional, state or institutional level. Such actions tend to be coordinated and synchronised and purposefully attack democratic states’ and institutions’ weaknesses to cause damage below the threshold of overt aggression. Activities can take place in the political, economic, military, civilian or information arenas, using widely-encompassing means. They are an amalgam of coercive and subversive activities, conventional and unconventional methods, employed in a coordinated manner across a plethora of avenues.

Concerns about the effects of hybrid threats first appeared in NATO’s 2010 Strategic Concept and consolidated into the NATO Capstone Concept, which categorises hybrid threats as “those posed by adversaries, with the ability to simultaneously employ conventional and non-conventional means adaptively in pursuit of their objectives.” In light of Russia’s invasion of Ukraine and events in Iraq, the idea of hybrid threats has started to receive increased attention. 

 

Critical infrastructure as a target for hybrid threats

Contemporary critical infrastructure is a viable target in the hands of adversaries who are willing and able to use hybrid tools. The European Commission defines critical infrastructure as “an asset, system or a part thereof located in the Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in the Member States as a result of the failure to maintain those functions.” Thus, as reiterated in the recent NIS directive, the provision of essential services and their continuity are crucial. Regardless of the nature of the hostile actor (whether non-state or state), infrastructure, essential services and supply chains can be viable targets for disruption, intimidation and pressure.

The activities aim to:

  1. Degrade the quality of goods and services offered (e.g., reduce availability, reliability),

  2. Destroy key elements of an infrastructure,

  3. Increase their operating costs,

  4. Influence demand by putting pressure on the infrastructure,

  5. Decrease/eradicate redundancies and cause unilateral dependencies on the hostile actor,

  6. Acquire or limit access to key resources necessary for their operation (raw materials, technology, expertise, etc.).

Therefore, any tool capable of causing or exploiting a vulnerability in an infrastructure (home-grown vs injected vulnerabilities) and achieving any of these effects could be used in a potential hybrid toolbox. Vulnerability is often related to a specific sector, and can also have a temporal dimension (e.g., increased demand for a service amid a natural disaster, or service degradation due to normal ageing of the infrastructure), or be recurrent (cyclical) based on specific conditions.

The infrastructure domain can be considered a ‘mega-domain’, as it encompasses many sectors, including, but not limited to:

Cyber

Cyber plays an extraordinary and very specific role with regard to hybrid threats, and not only because every socio-political and military conflict will also take place in cyberspace. For national security planners, this includes cybercrime, propaganda, espionage, influence, terrorism, and even warfare itself. The nature of national security threats has not transformed, but cyberspace is a new delivery mechanism that can increase the speed, diffusion, and power of an attack, while ensuring anonymity and undetectability. The low cost of entry, anonymity, and asymmetries of vulnerability implies that small actors have a greater ability to exert power in cyberspace than in more traditional areas of global politics. This domain refers to the information environment, which comprises the interdependent network of information technology infrastructures (including hardware, software, data, and protocols), and information (including the internet, telecommunications networks, computer systems, and embedded processors and controllers). The tools that may be used by a hostile actor are intended to cause degradation, disruption or destruction of networks, or to access data and information. Access to information may also be an objective of a hostile actor to obtain intelligence and reduce detectability.

Space

Space-based services include navigation, communications, remote sensing, science and exploration. There is growing concern about hybrid threat activities in space, as a plethora of countries have been involved in developing counter-space capabilities with multiple state actors. The impact of hybrid operations in space not only affects the military/defence domain but can also cause a significant impact on civil commercial activities, as these increasingly rely on space capabilities. Most tools that can target the space domain exploit the link between space assets and other domains, and the potential cascade effects if they are compromised, even temporarily. This domain is closely linked to the military/defence, economic, infrastructure, information and intelligence domains.

Furthermore, today’s societies are increasingly reliant on the smooth functioning of large and interdependent Critical Infrastructure systems. Few buildings can be heated by their own systems. Most are connected to a district heating system. Besides district heating systems, many other systems (distribution of fuels, fresh water, sewage) are dependent on the availability of electricity, as they are dependent on pumps. Communication systems need electricity for data transmission. The failure to generate and distribute electricity can lead to multiple failures elsewhere.

Previously, investment in and maintenance of critical infrastructure, as well as the continued readiness of critical deliveries, were the responsibility of the state or the public sector. Since the end of the Cold War, governments have reduced their authority over these assets. This is the case, for example, with power generation companies, the electricity grid, telecommunications companies, national aviation companies, airports, airfields, seaports and even many other services that used to be run by the state, such as postal services, road building, shipping channels and pilotage, and health care services. Thus, from a resilience perspective, Western open-market systems have clear vulnerabilities:

  1. Based on the Just in Time delivery notion, the stock of all goods has been purposefully reduced. In the scenario of a major disruption of market-guided logistical systems, reserves near the used end would be scarce.

  2. Globalisation implies longer distances for many goods. Fewer and fewer countries are self-sufficient in the production of goods to maintain a basic standard of living.

  3. Digital systems have become increasingly dominant. Thus, if IT systems fail, goods will be lost. This means that logistics is a potential target for a cyberattack.

  4. Financial systems are increasingly vulnerable to cyberattacks. If payments cannot be made, goods will not flow, leading to a shortage of food and basic necessities.

  5. Societies are increasingly reliant on the proper functioning of large and interdependent critical infrastructure systems. Cyber or physical channels can be used to damage them.

  6. All logistics and finance rely on telecommunications. Telecommunication systems are highly vulnerable to cyberattacks, but can also be paralysed physically by hitting key congestion points. Damage recovery would take time.

  7. Domestic actors cannot counteract and remedy problems that occur abroad. A serious disruption of the international market can lead to congestion in deliveries and financing. Such events can lead to serious damage where goods no longer arrive since they are not produced locally.

What are the appropriate countermeasures?

  1. Increase the resilience of critical infrastructure to hybrid threats, which would also improve resilience to natural disruptions; 

  2. Increase the likelihood of detecting breaches in systems and, if such a breach occurs, of successfully attributing the actors behind it; and

  3. Facilitate the exchange of information and good practice within and between different areas of critical infrastructure.

Some of the necessary improvements can be achieved through education, training and process development. Others can best be achieved through improved standards and technical improvements. Critical infrastructure is mostly managed by private companies that are based on a commercial logic and aim to make marginal profits. They can be encouraged to propose mitigation solutions and companies can be part of the solution, with authorities having a responsibility to support and guide them. States can use regulations to counteract them. Careful consideration should be given to the functioning of open markets, regardless of national borders. When a state imposes costly regulations on one aspect of a business, this has an impact on the competitiveness of businesses in the country concerned. Thus, one should regulate them in a wider all-encompassing framework, such as the EU. States can also financially support the most vulnerable points of critical infrastructure. This may include support for critical equipment stocks, technical systems or certain types of vulnerable market functions. Moreover, states should formulate responses at EU and NATO-level. The developing RescEU mechanism should be viewed as a possible tool to help EU Member States (or neighbours) to cope with unlikely scenarios beyond national capabilities.

Countering hybrid threats

Countering hybrid threats tends to be primarily a responsibility of the affected state, but the EU is helping to facilitate cooperation between Member States to find policy solutions and share best practice. There are two major policy documents in this regard: the EU’s 2016 Joint Framework on Countering Hybrid Threats and the 2018 Joint Communication on increasing resilience and bolstering capabilities to counteract hybrid threats. The EU policy on countering hybrid threats is based on the following pillars:

  1. Situational awareness: this is fundamental to ensuring that Member States are aware of the challenges, make informed decisions and develop a common strategic culture.

  2. Resilience: the concept of EU resilience implies its ability to help prevent, build resilience and recover from crisis, including multidimensional hybrid attacks. Member States develop their resilience to such attacks and can use the CSDP mission for this purpose.

  3. Cooperation: the EU participates in the fight against hybrid threats in liaison with stakeholders and international organisations, as well as with other civil society bodies. It is essential that any mitigation efforts are not only undertaken at national or regional level, but also at international level.

 

In the Strategic Compass for Security and Defence, Member States intend to build the EU Hybrid Toolbox, which would include prevention, cooperation, stability enhancement, containment and support measures. It focuses on identifying complex and multifaceted hybrid campaigns, and coordinating tailored and cross-sectoral responses to these campaigns. Acting as an overall framework, it would bring together other relevant response frameworks and instruments, such as the EU Cyber Diplomacy Toolbox and the proposed Foreign Information Manipulation and Interference (FIMI) Toolbox. It would help improve the effectiveness and coherence of a range of actions and improve the EU’s capabilities to mitigate hybrid threats.

The analysis of the challenges posed by hybrid threats has led to the evolution of a comprehensive approach that combines all actors and policy instruments: military forces, diplomacy, humanitarian aid, political processes, economic development and technology. The EU adopted its own comprehensive approach in December 2013. However, it is also essential to understand that adjustments to a security scenario afflicted by hybrid threats can have long-term implications for the stability of the international order and can potentially influence global power shifts. Thus, in this regard, a multitude of policy trends are important:

  1. Conceptual trends: Comprehensive government-led approaches now tend to be coupled with whole-of-society strategies aimed at managing risks and building resilient societies. This emphasis on resilience helps mitigate risks that could potentially cause hybrid conflicts in the future (for instance, over energy or access to water), and improved related resource-management practices.

  2. Material trends: Resources to help counter hybrid threats are held by a plethora of stakeholders, i.e. governments, civil society, the private sector and individuals within society. This shared ownership is reflected in the public-private cooperation on security and development. Moreover, governments have taken steps to increase and modernise their civilian and military capabilities.

  3. Legal trends: Some existing legal concepts and frameworks may be anachronistic and generally do not adequately address the issue of hybrid threats. This can lead to the incoherent application of the existing rules, whereby states use treaties and conventions selectively to justify their positions. The choice between the status quo and new instruments could increase the need for other means of dealing with the issue, such as confidence-building measures, law enforcement cooperation and mutual legal assistance.

  4. Institutional trends: Many countries have adapted to hybrid threats by expanding the purposes served by already existing institutions (i.e. new powers for intelligence agencies, facilitating EU strategic communication) or creating new organisations (for instance, the Ministry of Truth in Ukraine).

Conclusion

Countering hybrid threats is one of the most difficult challenges facing the EU and its Member States. An effective response involves building situational awareness capacity, boosting resilience in all critical sectors, ensuring recovery and response in times of crisis, and cooperating with other countries and organisations. While efforts should be made at the national level to build resilience and detect, prevent, and respond to these threats, efforts at the regional or EU level should support national efforts. Given the cross-border nature of hybrid threats and their EU-wide targeting, coordination at EU level, integrating the external and internal dimensions in a seamless flow and in conjunction with the whole-of-government and whole-of-society approaches at national levels, is pivotal to countering them effectively.

Although considerable effort has been made, more emphasis needs to be placed on raising awareness and understanding of hybrid threats, on improving resilience and the ability to recover quickly from and respond to such attacks, and on the ability to deter and respond to malicious cyber activity. To counter the increase in cyber threat activities aimed at influencing the outcome of democratic elections, more frameworks must be deployed; one such existing framework is the European Democracy Action Plan. In addition, the international element is highly pivotal as the security environment has changed considerably. Cooperation with partner countries is essential in this regard. Lastly, the COVID-19 pandemic has shown how a health crisis triggered the employment of specific hybrid techniques by attacking critical infrastructures and spreading misinformation through digital media to achieve political objectives. There is therefore a need to counter misinformation and strengthen strategic communication.

It is important to consider the limitations of these countermeasures. Firstly, there may be disagreements over what is understood and categorised as a hybrid threat. Different stakeholders may have different notions of hybrid threats, making it difficult to develop a common approach to countering them. Moreover, most mitigation measures focus on the military or strategic dimensions of these threats, thus neglecting economic and financial considerations. A comprehensive response should be holistic and multifaceted, addressing the different areas affected and involving coordinated efforts. Most importantly, it is important that responses are international as these threats tend to be transnational and not localised. Any response that is restricted to a single area would not be effective in combating most of these threats. 
