- By Liam Gibson
As we approach the end of 2019, the concept of ‘hybrid threats’ has become all too familiar for the European Union and NATO. These encompass a wide range of hostile measures ranging from cyber-attacks and disinformation to the disruption of critical services, such as energy supplies or financial services. They further include the undermining of public trust in governmental institutions and the exploitation of social vulnerabilities.
Such threats have always existed, but what makes them different now are the new vulnerabilities presented by a globalised and more interconnected world. These developments range from instant global communications to a globally connected system of finance and commerce, and the interconnectivity of gas and electricity distribution grids across borders. Hybrid threats represent the weaponisation of globalisation.
Within both NATO and the EU there is general consensus on the four steps needed to address hybrid threats: detection, attribution, response and recovery. Detection is the ability to detect a hostile state action in time to react and minimise any potential damage. Attribution, the more complex follow-on to detection, is the ability to attribute an attack to a specific actor and to differentiate it from an accident, system failure or human error. Response – which is greatly dependent on accurate, timely and credible attribution to allow for sound crisis decision-making – is to change security posture or retaliate against the actor to which the hostile action is attributed. Recovery is the ability to restore functionality to the systems, capabilities or societal coherence attacked through the hostile action.
Unlike previous forms of aggression, the first targets of a hybrid campaign are found in the private sector. This field is where the majority of the world’s supply chain, communications providers, financial systems, transportation providers and media outlets are found.
Thus, our ability to detect and attribute hybrid hostile actions is initially dependent on close cooperation and information-sharing with the private sector. Also, while response is the sovereign responsibility of member states, their means of delivery can often be undertaken through privately-held cyber, media, and communications infrastructure. As for the recovery phase, it is even more reliant on public-private cooperation.
And yet very few of the important discussions on countering hybrid threats among the EU, NATO, and their member states have meaningfully involved the private sector.
Given NATO’s heavy reliance on the private sector to provide logistics, energy, and communications capabilities during a crisis, these vulnerabilities can have far-reaching effects. Hybrid actors can disrupt these functions with negative impacts on the alliance’s ability to reinforce Europe from North America or even within European borders.
One need only look at NATO’s seven baseline resilience requirements to see that each of them is directly tied to goods and services delivered by the private sector:
1. Assured continuity of government and critical government services
2. Resilient energy supplies
3. Ability to deal effectively with the uncontrolled movement of people
4. Resilient food and water resources
5. Ability to deal with mass casualties
6. Resilient communications systems
7. Resilient transportation systems.
The private sector connection to most of these requirements is obvious, since the delivery of energy, food, water, communications, and transportation is largely done through private means. But even the continuity of government and critical government services relies on both private sector communications services and the contracted delivery of many key services.
The ability to deal effectively with the uncontrolled movement of people involves close cooperation with commercial logistics and transportation services in order for any member state’s internal plans to be workable. The ability to deal with mass casualties requires well-coordinated plans between health ministries and medical providers which are found in both the public and private sector.
On the EU side, the European Civil Protection and Humanitarian Aid Operations (DG ECHO) has an ongoing dialogue with the private sector for addressing natural disasters and humanitarian emergencies. However, this same level of dialogue and cooperation has yet to be achieved in building resilience against hybrid threats.
Among the obstacles to a more robust dialogue with the private sector on countering hybrid threats are the legitimate concerns of private entities such as legal liability, share price and brand reputation, and the possible exposure of their own vulnerabilities to competitors and criminal actors.
For example, an internet service provider under attack by a hybrid actor is concerned about maintaining its own business model and market share while at the same time seeking to protect itself from legal liability in case of secondary impacts on other public and private entities. These are among the concerns that cause delays in a private entity informing government authorities of an attack while it is underway.
Other private entities in the business of delivering food, energy, media, transportation, and financial services have many of the same concerns.
NATO, the EU and member states have made great strides in recent years on improving their cooperation and information-sharing through staff talks, tabletop exercises, seminars, and high-level scenario-based discussions largely facilitated by the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE).
In the last 12 months, various entities in Europe and the United States have started to engage the private sector and include it in their dialogue on countering hybrid threats. However, in order to make real progress, it is necessary to take the next step and start to conduct tabletop exercises which include not only the EU, NATO and member states, but also the private sector.
Given the unique value of tabletop exercises in shining a light on our legal, procedural, and information-sharing gaps and vulnerabilities to hybrid threats, including the private sector in them will allow all sides to have the difficult discussions on what they need from each other in order to close any gaps and mitigate any identified vulnerabilities.
The inclusion of the private sector in these exercises and scenario-based discussions will allow us to develop relationships built on trust which will enable us to go beyond dialogue into the deeper levels of cooperation to counter hybrid threats.
In the process, this deeper private-public cooperation may reveal new models of valuation. This could allow companies to cooperate more closely with governments in situations of hybrid threats without the same short-term risk of financial loss and the consequences of any security breach. These could take the form of tax benefits or other incentive structures for companies to support member state security objectives. But we won’t know for sure until we start – together!