Much of Putins playbook falls into this murky area between war and peace what national security analysts have come to call the gray zone. The term has become fashionable, but the concept isnt new. It describes tactics that fall short of outright military aggression and instead take aim at a countrys social, economic or political cohesion. Gray-zone tactics include disinformation and cyberwarfare, as well as subversive economic practices, like Chinas efforts to coerce Western firms into doing its bidding. Another recent example came when Belarusian leader Alexander Lukashenko a Putin-allied autocrat manufactured a migrant crisis at the border between Belarus and Poland. This also wasnt a traditional act of aggression, but it created a feeling of crisis and chaos, forcing Poland and the rest of Europe to prepare for possible conflict.
Though the term can feel overused in national security circles, calling these seemingly disparate practices gray-zone tactics helps us see what they have in common: Theyre cheaper and easier than using military force, they frequently arent overtly illegal, and to date theyve rarely caused loss of life. Finally, gray-zone tactics take advantage of freedoms in democratic societies like the open Internet, a permissive business climate and freedom of migration to create political divisions, economic disruption or general social turmoil. Autocratic regimes (as well as criminals who are sometimes linked to them) are undermining liberal democracies by weaponizing their own strengths against them.
This emerging form of not-quite-warfare poses a direct challenge to President Joe Bidens goal of advancing democracy over authoritarianism. Its part of what I call the Defenders Dilemma: Liberal democracies are inherently vulnerable to gray-zone threats, but have worked themselves into such a sorry mess of divisiveness that theyre practically begging hostile countries and sundry groups to exploit their weakness. Over time, such tactics may help convince people that democracy isnt the best form of governance a task that could be disturbingly easy with many in liberal democracies already feeling that the system doesnt work.
There is no obvious tool or institution with which to combat gray-zone tactics. Its been clear for decades that the armed forces need help from other parts of government to combat threats that are diplomatic, technological, economic or scientific in nature. Today, even that isnt enough. As authoritarians eye a wider, more creative variety of targets from private companies supply chains, to the systems that deliver gas and water, to faith in democracy itself no government can, on its own, protect its population from gray-zone aggression.
The tool governments need is one that wont be easy to deploy: the rest of society. Companies and private citizens increasingly need to play a role in protecting democracy by shoring up their digital security, learning to detect misinformation and not succumbing to their worst instincts when cyberattacks or disinformation crises attempt to foment widespread panic.
Can society really come together this way? Obviously, this seems like a tall order at a time when so few Americans trust their institutions or one another. But other countries are experimenting with making corporations and citizens an asset in the fight against this new category of threats. Their experiences offer a starting point for the United States, which has only recently discovered that its vulnerable in a way never was before.
Polish soldiers patrol the Polish-Belarusian border on Jan. 13, 2022. Belarus' president Alexander Lukashenko manufactured a standoff with Poland by bringing hundreds of Middle Eastern migrants to the country's border. | Omar Marques/Getty Images
If it turns out that Russia or Russian-linked hackers were behind Fridays cyberattack in Ukraine, part of their rationale will surely have been to worsen the countrys existing political divides and make Ukrainians conclude that their government is failing. (Later on Friday, reports suggested that the U.S. believes Russian operatives are planning acts of sabotage against Russias own proxy-forces to create a pretext to invade Ukraine an example of how shadowy almost-war tactics can quickly lead to real war.)
Similarly, Lukashenko knew that massing migrants at Polands border would stoke existing divisions over European refugee policy and multiculturalism. The situation resembles a form of gray-zone warfare with which Americans are more familiar: In 2016, Russian intelligence agencies sought to manipulate Americans political views through Facebook. This effort took advantage of the open political debate in a free society, using that openness to turn us against each other.
Gray-zone warfare also exploits the interconnectedness of global business and the growing role private companies play in shaping public life. Danish, Irish and Romanian companies leased planes to the airlines transporting the migrants to Belarus. Russias most aggressive act of cyberwarfare against Ukraine the NotPetya attack brought down multinational corporations around the world by exploiting Ukraines links with the global digital economy. And of course, Russian election meddling in the 2016 U.S. election was that much harder to verify and address because it was done through a privately owned social-media platform.
Americas adversaries have realized that targeting private companies or individuals is a fruitful way to hamper societys day-to-day functioning and spread chaos. Ransomware attacks can hit gas pipelines, the power grid or critical parts of the supply chain that are often run by private companies. Beyond some minimal standard precautions, private firms in the U.S. and other democracies have significant latitude when it comes to cybersecurity. That makes them vulnerable. Yes, companies operating critical national infrastructure are regulated by the government but even in those sectors, the balance between societal responsibility and responsibility to shareholders is far from settled.
Another emerging form of geopolitical coercion short of war involves direct pressure on companies as a way of influencing their home governments. Nike and H&M were caught unprepared when they were hit by a Chinese boycott last spring, an apparent act of revenge for Western sanctions over Uyghur forced labor. Last year the telecom company Ericsson became another easy proxy target as China sought to force Sweden to reverse its decision to exclude Huawei from its 5G network. Again, these practices tend to be more successful in free and open societies because they have more open business climates.
Of course, non-military aggression against society at large is not new. In wartime, propaganda is a constant companion of military action, and blockades are used to try and starve a population into submission. During the Cold War, both sides used broadcast news and publications to fight the battle of ideas.
But todays globalized, digitized world offers far more opportunities to achieve geopolitical aims by targeting a countrys businesses and citizens. Practitioners of gray-zone tactics will find more and more ways to use the interconnectedness and openness of democracies to undermine them. And because aggressors frequently use tactics are much less acceptable in liberal democracies, the defender tends to always be one step behind.
People walk by a Nike store at a shopping area on March 26, 2021, in Beijing, China. Chinese state media called for boycotts of major Western brands, including Nike, after statements made by the companies about human rights abuses in the province of Xinjiang. | Kevin Frayer/Getty Images
The private sector and ordinary citizens are generally asked to obey laws and pay taxes, but most people dont think of them as playing a central role in protecting the nations security or its democracy. But this will need to change as it becomes easier and more effective to target a countrys economic engine or social cohesion in ways that government isnt equipped to handle alone. In case of a severe cyber attack against, say, a major food retailer, the government can respond by helping identify the attacker and even retaliating. But the company should play an active role, too, by having a backup plan in place to make sure it can keep distributing after being compromised and communicate effectively with the government about whats happening. (It should also maintain high cybersecurity standards in the first place.) Consumers, meanwhile, surely have an obligation not to panic and start hoarding goods.
A number of European countries are already taking steps toward a whole-of-society approach that acknowledges the role of private citizens and the private sector in keeping countries safe. Three years ago, Swedens Civil Contingencies Agency an agency similar to FEMA, but with a mandate to educate the public and coordinate crisis response sent a leaflet to every household with information about how to spot disinformation and what to do if power or gasoline runs out. Just this month, Sweden launched a government agency for psychological defense, which will counter disinformation and make the population more resilient to it. Last year, Britain explicitly announced it was shifting to a whole-of-society approach to national security. Among its first steps: plans to launch a civil reserve, analogous to military reserves, of experts in fields from cyber to healthcare who will volunteer their services in crises.
In 2020 Latvia published a crisis-preparedness leaflet called 72 Hours: What to do in case of crisis. The idea, the countrys defense minister wrote at the time, is to [prepare] society for catastrophes we cannot specifically predict. The document instructs citizens on what to do for food, water and health care in the event of a natural disaster, war or other crisis. The Czech Republic launched joint military-industry gray-zone exercises, in which the armed forces and companies from every sector team up to practice reacting to different forms of aggression below the threshold of war, from cyber attacks to supply chain disruptions to coercion of companies.
France, meanwhile, has launched a one-month national service program in which teenagers learn crisis response skills; the program is also designed to enhance cohesion among different societal groups. Similarly, Your Year for Germany invites young Germans to spend a year training and practicing homeland-security protection.
The question is, are any of these efforts going to work? Its too early to say whether they have a real shot at succeeding. And Americans should be skeptical about whether smaller-scale initiatives in Europes less populous, more cohesive countries can make a difference in the larger and generally more fractious United States.
Still, its relatively early in the game. At this stage, its progress to acknowledge the unique nature of this problem and to try something. The whole-of-society approach is essentially psychological, focused on building confidence and preparedness to deal with anything from an attack on the electric grid to a misinformation crisis about migrants at the border. Its an unusual philosophy, particularly for the United States. But the growing prevalence of gray-zone aggression preying on a divided populace and a complacent private sector should be a wake-up call.
There is some movement in the United States toward preparing companies for a hostile nation cutting off essential services or attacking election infrastructure. The Department of Energy holds regular meetings with leading energy companies to discuss threats to their operations. Key businesses have recently been obliged to better protect their networks, and a May executive order by Biden makes firms part of a broader effort to secure the cybersecurity supply chain. The exercise Jack Voltaic, coordinated by the U.S. Armys Cyber Institute, is a good example of cooperation between the military and companies.
These are promising signs. The U.S. government needs to more regularly engage with companies and executives to update them on threats they may not know about. Companies will also need to start taking action sector-wide, such as by sharing cyber incident details with one another. Commercial satellite operators already do this, but few other industries do, generally fearing their competitors will use the information for advantage. But as cyberattacks and coercion efforts become more common, companies may need to set those worries aside. For instance, Colonial Pipeline and JBS both paid their ransomware attackers out of self-interest. Going forward, businesses could team up within their sectors and publicly say theyll never pay ransoms to create a stronger norm before the next attack.
President Joe Biden delivers opening remarks for the virtual Summit for Democracy on Dec. 09, 2021. The summit brought together world leaders and leaders of civil society and the private sector to "set forth an affirmative agenda for democratic renewal," said the State Department. | Chip Somodevilla/Getty Images
Tougher than getting private firms to collaborate with one another and the government will be securing buy-in from the population at large. Citizens of liberal democracies arent used to being asked to play an explicit role in protecting society, especially when it involves time or inconvenience. Then again, because the convenience they prize is so vulnerable to new forms of aggression, its in their interest to help make society as resilient as possible.
Citizen involvement both individual and collective wont be easy to organize. Two decades ago, Robert Putnams seminal Bowling Alone documented the decline of civic engagement in America. Now, we can draw a straight line from that disengagement to the divisions that plague America today and that seem to positively paralyze it in the face of crises. Adversaries have already taken advantage of this weakness, and we should expect that pattern to worsen. The fragmentation and atomization of society documented by Putnam is alarming on its own, but when it invites aggression from hostile countries, addressing it becomes a matter of urgency.
This September the House passed an amendment to the National Defense Authorization Act, intended help the country address gray-zone aggression. The amendment instructs the government to establish how to conduct gray-zone campaigns, including prioritizing the allied nations that are frequently targeted. This is good progress, but what we need next will be more specific efforts to enlist not just the government but also the American people to make society resilient against economic, psychological and other attacks below the threshold of war.
Perhaps in the future, well see programs in which retired American doctors and nurses join civilian reserve forces for crises like fuel chaos triggered by cyber attacks or even epidemics instigated by hostile states. Or, initiatives like Finlands elementary-school information literacy instruction could help gradually inoculate Americans against the pandemic of disinformation a problem that phenomenal amounts of research have tried to tackle, but that remains a stubborn contributor to the divisions that make us vulnerable. Or, we might envision more formal, Czech-style collaboration between companies and the Pentagon to game out scenarios for future ransomware attacks on critical utilities.
With the whole of society involved, America would be a lot stronger when the next crisis strikes. The challenge is to create a mindset where companies and citizens dont fall into passivity or destructive behavior when a crisis occurs. This is certainly a massive undertaking and we dont have much indication right now that it can work, especially in a divided democracy like the United States. But this country, along with many others around the world, is slowly becoming aware of the challenge.
Motorists in Fayetteville, N.C., had to wait in line to refuel in May 2021 after the Colonial Pipeline was hacked by Russian cybercriminals. The 5,500 mile long pipeline delivers a large percentage of fuel from Texas to New York. | Sean Rayford/Getty Images
Many homeowners put signs in their front yards informing prospective burglars that the house is equipped with a burglar alarm (or a biting dog). Standing militaries send the same message to would-be invaders. But when it comes to gray-zone aggression, countries practically put a welcome sign on their front doors. Many companies seem uninterested in playing a broader social role. And when something goes wrong, citizens sort into their tribes and are frequently unable to tell facts from falsehoods. Countries wishing to do harm would be foolish not to exploit such weakness indeed, they already are.
In the long term, recognition of the need to act collectively against gray-zone aggression might even help serve as a force for unity. Americans may not want to bowl together again, but how about working together to keep themselves, their families, their companies production and sales and the country safe? Call me optimistic, but perhaps defending against this new category of threats could one day play the role of yesterdays bowling leagues in bringing a divided people together.
See the original post:
Opinion | The Unorthodox Weapon We Need to Defend Democracy - POLITICO