Countering hybrid threats: the vital need for digital resilience

Hybrid threats continue to change and evolve, impacting not only our societies but also governments, institutions, and private companies. One year after Friends of Europe’s 2019 tabletop exercise on ‘hybrid warfare readiness’, we find ourselves in a world drastically changed by the COVID-19 crisis. Yet while we continue to seek to enhance resilience against hybrid threats, the ways we’ve adapted to the pandemic are presenting us with new levels of vulnerability in some key areas.

In the 2019 tabletop exercise, we learned more about the vital link between the public and private sectors in addressing hybrid threats, developing a concrete set of recommendations to strengthen these ties in the cyber, information, financial, energy, and other domains. While the recommendations remain valid, certain aspects require increased urgency.

As we’ve seen, the world of 2020 is a far different one than we knew only one year ago. Due to the COVID-19 pandemic, large parts of our economies and societies have moved online in order to observe social distancing to prevent the spread of the virus.

Our world now is more digital than ever as remote work has become the norm in many workplaces. Entire industries and the ways governments interact with citizens have moved online with business services shifting from conducting 5% of their work digitally to 74%; the finance industry went from 5% to 70%, and even manufacturing has gone from 2% to 61%.

This great shift to digital has already stressed the global internet infrastructure with an 80% increase in uploads to cloud services and even higher peaks during business hours due to video conference calls and web-based education. For example, Telecom Italia reported a 70% increase in internet traffic while British Telecom saw a 60% increase in fixed network traffic during workdays. This increased reliance on digital services also points to increased vulnerabilities.

The new requirement for digital work means more people working from home as the workforce must now connect to company and government servers remotely, adding to a whole new host of vulnerabilities not only for the public and private sector but for individuals as well.

A company or government’s previously well-protected data may now be at risk of exploitation by hybrid or criminal actors if the person working from home takes shortcuts on security or the entity they work for has not invested in the equipment and training to mitigate the risks associated with remote server access. In the case of governments, banks, energy and transportation companies, and communications firms the risk is even greater for society as a whole.

Hackers certainly are not slowing down during the pandemic: reports indicate that during the pandemic spear-phishing attacks are occurring at a rate seven times as high as before the crisis.

These increased cyber vulnerabilities are being exacerbated by a global shortage of cyber-security experts vital to companies’ and societies’ ability to keep their networks and citizens safe.  The global cyber-security workforce is projected to need an additional 3.5 million experts by 2021 with the shortage in Europe increasing from 291,000 in 2019 to 335,000 in 2020.

Alarmingly, surveys of corporate chief cybersecurity officers seem to indicate that their budgets for such training cannot be increased due to pandemic-related costs of equipment adaptation. Thus, a public-private solution should be found before this problem gets much worse, leaving our societies and institutions even more vulnerable at a time when we are so reliant on digital platforms. Without enough of these guardians at our cyber gates, hybrid and criminal actors will be more able to slip through our defences.

With more citizens living their social lives online as well, primarily via social media, their vulnerability to disinformation may also be increased as a result. Everything we’ve learned in recent years has shown us how social media and internet advertising can be the primary delivery means of disinformation – during a stressful crisis like the current pandemic, people can be psychologically more susceptible to such campaigns. Lacking the opportunity for in-person contacts against which one can temper the impact of disinformation through open discussion, the pandemic may have created an even more volatile disinformation challenge.

We’ve already seen its potent ability to help sway opinions against the guidelines put into place by health officials and may yet see the worst of it when the EU and its member states start to implement a vaccine strategy in 2021. In many ways, we’re already living in a hybrid scenario.

Since disinformation campaigns on social media rely heavily on microtargeting, it is vital for the EU to enact reasonable measures to regulate its use. The newly released European Democracy Action Plan (EDAP) proposes exploring such measures and similar provisions are expected in the forthcoming Digital Services Act.

Finally, there is a social dimension to our new reality which also impacts our resilience to hybrid threats. While many people are maintaining social connections via digital means, it’s becoming more obvious that these are insufficient to meet social needs, as evidenced by the increased demand for mental health support and reported suicides. It’s extremely difficult to have social cohesion when many citizens feel disconnected from their government and from each other, which can lead to new social vulnerabilities that make society an easier target for hybrid actors. How can local governments and civil society help to meet this innate need for human connections during the continued lockdowns?

Exacerbating these social issues is the increased impact of the digital divide during a time when so much of life is being conducted online. The gap between both sides of the digital divide has become much wider in the last nine months. Given limited access to online education for children on the losing side of the divide, it could lead to an entire generation falling even farther behind in terms of social mobility and social inclusion. Perhaps these same children, having missed out on key aspects of their education, will be more susceptible to disinformation as adults.

How long will those on the losing side of the divide wait before they become open to a disinformation campaign seeking to convince them not to trust those on the other side of the digital divide? What kind of rapid actions can be taken by the EU and its member states to begin closing this gap even faster than was planned? Given our new realities, unless we address this aspect there will be continued limits on our social cohesion and resilience.

Having looked at how much our world has changed since the 2019 hybrid tabletop exercise, it is heartening to see that all of the recommendations remain valid. We still need stronger ties between the public and private sector and between the EU and NATO in order to address hybrid threats.

Something we should now add to the list of recommendations is a holistic effort to build digital resilience so we can more effectively meet the challenge of hybrid threats. Building digital resilience can start by taking action to support whole-of-society access to high-speed broadband services, taking into account the economic, social, and climate impacts of these investments while closing the digital divide. This also includes measures to thwart online disinformation campaigns through the adoption of regulations concerning microtargeting and possible penalties for those actively producing and distributing harmful disinformation – all while respecting our own laws and values on free speech.

Perhaps the most urgent need however is to address the critical shortage of cybersecurity professionals in order to better protect our networks and societies. Building digital resilience into our plans for countering hybrid threats will require capable and adaptive institutions to manage the required investments and the increased complexity of our digital infrastructure. This will have to be pursued in collaboration between the public and private sector and between the EU, NATO, and their member states.