Published On: July 8, 2024

Hélène Galy, Director, Willis Research Network, Willis Towers Watson

This article was written for WTW’s Research Network Newsletter and is reproduced here with permission.

Among superstitions, one of the most enduring is that crossing paths with a black cat will bring bad luck. Healthcare organizations in the U.S. would not disagree, as they were recently targeted by a cyber attack by ransomware group BlackCat (February 21, 2024), which led to delays in claims processing and significant impacts on revenue.

CNI in private hands, with implications for national security

The healthcare ecosystem is only one aspect of Critical National Infrastructure (CNI) – a term that covers systems whose compromise would impact the integrity of essential services, resulting in severe economic and social consequences or even in loss of life. CNI includes assets such as energy supply pipelines, food supply chains, transport infrastructure, water supplies, telecommunications and banking. In many countries, CNI is increasingly in private hands, where decisions driven by commercial considerations may have wider implications for national security.

To further complicate matters, a country’s critical national infrastructure is often partly owned by foreign companies. With ageing infrastructure and the need for investment, foreign investment has been welcome. As geopolitical tensions and greyzone aggression are on the rise, how then are governments supposed to safeguard national security? Heated debates around 5G network suppliers in a dozen European countries and in the U.S. showed how security concerns can clash with usual procurement processes.

A report by the U.S. National Security Telecommunications Advisory Committee concluded in March 2024 that market forces alone are insufficient to incentivise privately-owned entities to prioritise cybersecurity at the levels needed to protect national security.[1]

There is no easy solution to this conundrum, but it helps to look at it from two angles:

  1. Recognising market failures and how to address them
  2. Embracing a “whole of society” approach to resilience

Inadequacy of market forces

Market failure resulting from tensions in the collaborations between the private sector and government stakeholders has long been evident in the field of disaster risk insurance. This situation is analysed in a new book, Disaster Insurance Reimagined: Protection in a Time of Increasing Risk, by Paula Jarzabkowski et al.[2] As the authors clearly demonstrate, the protection gap results from a triple imbalance: having too little or too much knowledge about risk; who controls the market; and who bears the most responsibility for mitigating risk. It looks like the most resilient, forward-looking setup involves well-structured, purposeful public-private partnerships rather than simply relying on the “invisible hand” of markets.

With pure economics optimising for efficiency rather than resilience — for just-in-time rather than just-in-case spare capacity — redundancy in a system and diversification of suppliers are often deemed suboptimal strategies. There is clearly a need to put a value on resilience,[3] who benefits from it and who needs to pay for it.

The criticality of some national services often becomes evident only when they break down. In the U.K., the forensic services sector is critical to the delivery of justice and has faced significant challenges since 2012 when the publicly-owned Forensic Science Service closed. Private companies stepped into the gap. In 2018-2019, with a major provider entering administration, another impacted by data manipulation and a ransomware attack on yet another, service continuity has been at risk, and thousands of cases were re-examined and convictions overturned.[4]

Especially in market economies, it is easy to overlook the role of competition authorities and wider government in ensuring that markets can meet the needs of people, businesses and the wider economy in normal times, let alone in times of crisis. In a recent discussion paper, the U.K. Competition & Markets Authority[5] illustrated causes of fragility (lack of supply diversity, financial risk) and amplifiers of harm (vulnerable customers, barriers to entry, criticality of service) through a range of compelling case studies, which are reminiscent of enterprise risk management practices.[6]

At the end of 2022, the U.K. government launched its Resilience Framework[7], which has three core principles:

  1. A shared understanding of risk
  2. Increased emphasis on prevention and preparation
  3. A “whole of society” approach to resilience

Everyone — from government and business to individuals — is encouraged to be prepared. From its inception, the National Preparedness Commission has encouraged this very paradigm shift, moving away from preparedness being a top-down endeavour. The opportunity is that what is needed to be better prepared for many shocks is the same, whatever the initiating crisis or incident. The NPC’s programme of work is both strategic and pragmatic – with topics ranging from the UNDRR Handbook for Implementing the Principles for Resilient Infrastructure[8] to a review of our economy’s underestimated vulnerability to software risk.[9] The challenge is to encourage immediate action and to get away from merely admiring the problem. It is not only national governments that are embracing a whole of society outlook; the military is acutely aware that operations and communications depend heavily on private assets and supply chains.

The North Atlantic Treaty Organization (NATO) organises a yearly resilience symposium, bringing together “civilian and military leaders, policymakers and experts with a resilience portfolio to promote resilience as a national responsibility and a collective commitment”.[10] In 2023, the importance of the private sector for securing critical infrastructure and supply chains was underlined, with a determination to explore a more two-way public-private cooperation — talking with the private sector rather than at or about it.

It was probably not a coincidence that the follow-up two-day workshop in March 2024 was set in Stockholm. Sweden, which has just joined NATO as its 32nd member, was one of the countries (alongside Finland) that pioneered the concept and practice of “total defence” after World War II, whereby preparation for war (or a crisis) explicitly comprises both military and civil defence. Singapore also adopted this whole of society national defence concept in 1984. The Swedish approach of engaging its whole population in preparedness was mocked in the U.K. in 2018 when an updated 20-page preparedness guide titled If crisis or war comes[11] was delivered to all 4.8 million households. These days it doesn’t sound as ridiculous. The U.K. government is gravitating toward similar advice, but most households are probably unaware of it. When households were recently encouraged to keep a few “analogue capabilities that it makes sense to retain” even in a highly digital age (torches, but also battery-powered radios), press coverage was sceptical.

Indeed, in times of crisis, communication is key. And again, we take our telecommunication infrastructure (mostly in private hands) for granted. Since 2022, multiple examples of suspected sabotage of undersea cables (in the Baltic Sea, in the Red Sea and around Taiwan) have raised awareness of their vulnerability, especially around the key hotspots of geopolitical tension. The business interruption resulting from such incidents can be considerable.[12] The vast majority of cables are privately-owned, mostly by telecommunications companies. Tech companies have started investing in the cable business as well. For example, Google owns at least 59,000 miles of submarine cables (nearly 8% of the total). Cable ownership is an international patchwork, reflecting the era of globalisation that prevailed when the internet took off in the 1990s, as the world was emerging from the Cold War. SeaMeWe-5,[13] which starts in Singapore and ends in France, is owned by a dozen companies.

While undersea cables have a life expectancy of 25 to 50 years, the odds of seeing them damaged are now raised when factoring in geopolitically-motivated greyzone aggression. The fleet of specialised cable ships able to lay or repair cables is small (60 ships for 574 active and planned cables) and ageing, despite the increasing demand for cables and increased vulnerability.

Deeply aware of this, NATO created an Undersea Infrastructure Coordination Cell in 2023, to map risks and coordinate efforts between allies, partner countries and the private sector. This could become a very iconic example of the new equilibrium that the public and private sectors need to reach, with assets largely in private hands but threat detection, information and deterrence in the hands of governments and intergovernmental bodies.

Businesses can no longer opt out of geopolitics.

Footnotes

  1. The President’s National Security Telecommunications Advisory Committee
  2. Disaster Insurance Re-imagined: Open-access publication funded by a European Commission grant
  3. Wanted: a better economic framework for resilience
  4. In conversation with NPC Commissioner Hélène Galy
  5. Market resilience: Discussion paper
  6. Risk identification and risk assessment
  7. The UK Government Resilience Framework
  8. UNDRR Handbook for Implementing the Principles for Resilient Infrastructure
  9. The Elephant in the Room one year on
  10. Resilience Symposium
  11. The brochure If Crisis or War Comes
  12. Geopolcast Podcast Series
  13. Submarine Cable Map

 
