Addressing flow security risks in an age of disruption

Scores of vehicles line up to enter a gasoline station as demand for fuel surges following the cyberattack that crippled the Colonial Pipeline, in Durham, North Carolina, U.S. May 12, 2021.
Scores of vehicles line up to enter a gasoline station as demand for fuel surges following the cyberattack that crippled the Colonial Pipeline, in Durham, North Carolina, U.S. May 12, 2021. REUTERS/Jonathan Drake.

Over the course of NATO’s 75-year history, deterrence has failed twice. The first time was on September 11, 2001, when al-Qaida attacked the United States. The second occasion was on February 22, 2022, when Russia’s full-scale invasion of Ukraine caught most alliance leaders flat-footed, despite clear warnings from their own intelligence services that an armed incursion was imminent.

In both cases, deterrence failed because imagination failed. The 9/11 Commission identified “failure of imagination” as the major reason why the United States was unprepared for the September 11 attacks. And in 2022, many alliance leaders simply couldn’t imagine that Russia would actually invade, despite the evidence before them.

NATO has every reason to favor imagination today, as the Atlantic alliance faces the most complex strategic environment in its history. Attention is rightly focused on the direct and immediate threat posed by Russia and on China’s systemic challenge to the trans-Atlantic community and other democratic nations. The increasingly close alignment between Russia and China adds to the strategic complexity of the challenges that democracies must address from each.

The new frontier of warfare

Dangers include, but range far beyond, the war in Ukraine. They also go beyond conventional warfare. Chinese and Russian actors are audaciously targeting the connective sinews of other societies. Moscow weaponizes flows of people, information, food, and energy. Beijing manipulates flows of information and instrumentalizes flows of goods and critical materials to coerce others into abandoning actions deemed contrary to Chinese interests. Actors from both states are interfering in the electoral processes of NATO’s democracies. Russian and Chinese intruders have infiltrated the classified networks of the Pentagon and allied militaries and defense ministries. They have implanted pre-positioned malware in nuclear plants, power grids, and water systems—lurking time bombs that they could activate at a time of their choosing.

The Colonial Pipeline Company cyberattack by the Russia-based DarkSide ransomware gang disrupted gasoline and related deliveries across much of the southeastern United States. The Microsoft Exchange compromise by China-based hackers exploited more than 30,000 servers in the United States in sectors ranging from infectious disease research to defense contractors. In 2023, China-backed Volt Typhoon compromised communications, energy, transportation, water, and wastewater systems across the United States, and Russian hackers attacked 22 Danish power companies, stole thousands of documents from the U.K. Defense Ministry, and breached the U.K.’s Electoral Commission. Disruptive digital attacks, many linked to Russian-backed groups, have doubled in the European Union (EU) in 2024.

Railway disruptions in Germany, sabotaged communications cables in France, GPS disturbances in Finland, and cyberattacks on Europe’s largest port in Rotterdam have all raised concerns about the dangers posed by Russia’s hybrid attacks. NATO officials suspect Russia has already mined critical undersea infrastructure. Unattributed disruptions to the Nord Stream gas pipelines and the Balticconnector gas pipeline have further heightened anxieties. European Commission President Ursula von der Leyen has described critical infrastructure as “the new frontier of warfare.”

Russia is using Ukraine as a testing ground for its attack methods. If something works there, Moscow takes it on the road. Juhan Lepassaar, head of the EU cybersecurity agency, says that Russia fights its war of aggression “physically in Ukraine, but digitally also across Europe”—and it doesn’t stop there. Russia’s NotPetya attack in Ukraine was the precursor to the SolarWinds attack in the United States. The BlackEnergy malware code injected by Russian actors into Ukraine’s power systems was also discovered in the U.S. energy grid.

Dealing with threat multipliers

Major power rivalry now encompasses both the security of territory and the security of the flows that bind societies. Yet it is not the only threat to trans-Atlantic security. Terrorism remains an acute danger. NATO’s southern security challenges are extraordinarily complex. Poverty, political instabilities, and wars continue to inflict staggering human costs across the entire region, pushing millions to seek refuge on European shores.

Energy transitions pose new security dilemmas and amplify ongoing crises. Millions have been killed by an unanticipated and unpredictable virus, and outbreaks of zoonotic viral disease are becoming more severe and occurring more frequently. Climate change is a threat multiplier that can exacerbate political and societal tensions, undermine human health, displace people, degrade economies, and challenge military missions, operational plans, and installations.

Emerging technologies are changing the very nature of competition and conflict. Digital transformations are upending the foundations of diplomacy and defense. Financial volatility can be triggered by taps on an app. On March 9, 2023, in what has been called “the first Twitter-fueled bank run,” Silicon Valley Bank’s panicked customers used their apps to pull an unprecedented $42 billion from their accounts—more than $1 million per second—for 10 straight hours. Imagine such manipulative power in the hands of an adversary.

In recent decades, the scale and complexity of these critical economic, environmental, technological, and human flows, as well as many societies’ dependency on such flows, have increased dramatically. These flows have become the world’s operating system. They have generated untold gains for billions of people. But they can also generate pain, as state and nonstate actors seek to manipulate the connections and asymmetric dependencies they establish. “Managing tangible and intangible resources and flows is key to new power strategies,” says French President Emmanuel Macron.

One consequence of these activities is that critical societal functions are increasingly susceptible to disturbances, interruptions, and shutdowns generated by actors half a world away. Ciaran Martin, the founding CEO of the U.K.’s National Cyber Security Center, has framed the challenge succinctly:

“For the first time in human history, an adversary—whether a criminal or a nation state—can do things systematically, at scale, without coming anywhere near your territory, or the territory of an ally. … What I think is driving this change is that sort of large-scale harassment of the civilian population; of just the chronic socioeconomic harm that can be done; the attritional harm that can be done just through this constant wave of low- and medium-level attacks. That’s where I think it’s changed concepts of security.”

Martin Dempsey, former chairman of the U.S. Joint Chiefs of Staff, is more blunt: In a world of “weaponized bytes and bits,” he says, “an entire country can be disrupted by the click of a mouse.”

Addressing flow security risks

Flow security risks do not supplant territorially-oriented challenges; they supplement them. In some cases, they may aggravate them. The upshot: Allied governments accustomed to protecting their territories must also be able to protect their connectedness—the vital arteries that are the lifeblood of open societies. They need to ensure that the world’s operating system is resilient and robust: the plumbing that channels what we need to where we need it; the values that inform it; the principles that make it work; the standards that make it safe; and the models of production and service that render it effective and efficient. They need to address the risks and vulnerabilities generated by critical flows while simultaneously fostering the opportunities they present.

NATO and the EU are making some strides. An EU-NATO task force is looking at ways the two groups can work together to improve the resilience of critical infrastructure. Von der Leyen has asked former Finnish President Sauli Niinistö to prepare a report recommending how the EU can become more resilient. At the June 2022 NATO Madrid Summit, allied leaders agree to augment country-by-country baseline requirements for critical infrastructure resilience with shared resilience metrics for cross-border infrastructures. NATO has stood up a critical undersea infrastructure network and NATO’s Maritime Command has created a center for the security of critical undersea infrastructure. NATO’s Digital Ocean Vision Initiative aims to enhance the alliance’s maritime situational awareness from seabed to space. The Joint Expeditionary Force of 10 Northern European countries is coordinating efforts to prevent and respond to disruptive threats.

These efforts, while commendable, can only be the beginning of what must become a far more urgent and determined approach. The EU has yet to map existing cable infrastructures or devise a common assessment of risks and vulnerabilities. EU and NATO members must extend their efforts to review key industries, financial flows, strategic ports and transportation nodes, critical materials, supply chains, communications and information networks, and other connective tissues that bind allied societies together. And alliance leaders should complement their efforts at shared resilience and forward defense, which stop at NATO’s edge, with a comprehensive strategy of forward resilience, which would extend to vulnerable democratic partners beyond NATO’s borders—Including, but not limited to, Ukraine. All of this will require partnerships with civil society and private sector actors. And it will require imagination.

During the Cold War, allies knew where the front line was. After the Cold War, they hoped that there would be no more front lines. Today, allies are focused on frontline challenges in Europe’s east and to its south. In this age of disruption, however, the front line could be anywhere—the Baltic Sea, Istanbul’s Grand Bazaar, Frankfurt’s airport, Italy’s food supply, trans-Atlantic subsea cables, the Washington, DC metro, an election booth in Georgia, or Nevada’s Hoover Dam. In such a world, imagination may be one of NATO’s most vital resources.