The sighting of an unclear number of drones over London’s Gatwick Airport closed down a major airport in a first-world nation at the height of holiday travel season on December 19, 2018. Over a span of 3 days, authorities struggled to confront the threat, trying to piece together a counter-operation, until finally the British Army brought in an Israeli-built Rafael Drone Dome system that allowed operations to resume. The 33-hour shutdown at their peak travel time — estimated to have affected over 100,000 passengers and cost airlines $65 million — was followed by short shutdowns at Heathrow Airport and Newark International Airport in the following weeks. By the first week of 2019, Gatwick, Heathrow, and other UK airports had spent millions of dollars on the crash procurement of military-grade drone defenses. The perpetrator of the Gatwick drone stunt — if there was one, given lingering questions about how many drones were actually seen — was never caught. These instances constitute the latest and most salient examples of the ability to easily disrupt complex systems using a combination of commercial-off-the-shelf technology (COTS), a little guile, and moxie.
But take it a step further and more startling ramifications start to come into focus. What if the target was not a passenger air terminal, but the Federal Express World Hub in Memphis, Tennessee? How many millions would be lost — not just by FedEx, but also by Amazon and every other mail order retailer — for every hour that the crown jewel of the just-in-time economy was paralyzed? What if the perpetrator had demanded a ransom to let Christmas season shipping resume? How much would FedEx have paid? How much would Amazon and any of the second-order victims have paid? Now, go one more step down the rabbit hole, and ask yourself how much a rival company — UPS, Target, etc. — might pay to make a move to seize or regain market share during the disruption, with little chance of concrete attribution?
HISTORICAL PRECEDENTS AND CONCERNING INDICATORS
Do black-clad teams of corporate saboteurs harassing rival company airfields sound like a far-fetched dystopian future sci-fi novel? Consider the historical precedent. From 1866 to 1876, at a time when American transcontinental commerce was blossoming thanks to the railroad and telegraph connecting eastern money to the western frontier expansion, the James-Younger Gang robbed banks, stagecoaches, and trains across at least 10 states. This band of outlaws’ expertise, attained while serving as Confederate guerrillas, combined with contemporary technological advances in explosives and small arms to prey on the weak points in a fragile system, making them both rich and famous in the process.
In the political risk industry, we analyze changes in businesses’ operating environments to determine the way geopolitical developments alter the distribution of advantage/disadvantage between businesses. Though much of the industry overwhelmingly focuses on the negative externalities, we take a more complete view, incorporating the identification of opportunities that emerge from changes and subsequent risk arbitrage. Hence, we prefer the term “geopolitical flux,” which also happens to be the title of my upcoming book, and where the focus is on the element of change, not mainly on negative externalities.
Given our current global environment, characterized primarily by shifts in what had been considered stable norms, what we see now is a dangerous combination that makes major commercial disruption an increasingly viable possibility:
- Current trends in technology are increasingly empowering individuals with the ability to wreak havoc — and to do it in deniable ways. Small unmanned systems are just one example. Ransomware in the cyber realm or messaging bots on social media can be similarly applied to disruption at critical moments.
- The expertise — whether technical or tactical — required to conduct these operations is readily present in the populace. In the 1990s, we obsessed over The Anarchist’s Cookbook being available on library shelves, but that pales in comparison to what is available now. As just one example, the CARVER matrix method — long the military standard for planning the disruption of complex systems by sabotage, strategic bombing, cyberattacks, or other actions — is publicly available, adapted into management methods, and is even taught in business school. Avid video gamers are applying advanced strategies to major global games, displaying impressive forethought and understanding of complex systems.
- The new SyFy series Deadly Class celebrates the training of disaffected youth into assassins. Though hardly a new premise for science-fiction, it is a timely one, considering the number of college-aged and even younger hackers with advanced skills, poor job prospects, and an ache to see what they can accomplish from their small corner of the world.
- There’s also a large number of veterans — men, like the James-Younger Gang, with tactical skills — potentially with an ax to grind and/or bills to pay. Remember the US Army Rangers turned bank robbers in the Seattle area in 2006? Or the recent case of Green Berets caught smuggling drugs? What do the recent reports of a “staggering” rash of drug abuse among Navy SEALs mean for the availability of disruption skills on the black market? This is not to repeat the action movie trope of all veterans as unstable time bombs, but only to make the point that there does exist an intersection between extreme skill and criminality that bears watching in light of the potential impact discussed here.
- After approximately 15 years of focusing on the tactical-level threat of terrorism, national governments in the West are forced to focus security effort back on state-level threats. The transition period leaves increasingly more opportunities for would-be disruptors.
- To what extent do developments like blockchains, whose benefits have been wildly exaggerated, offer only illusory solutions to coming problems? Are not false defenses worse than no defenses at all?
- The current business environment is replete with soft targets — whether just-in-time logistics, communications infrastructure, or vulnerable intellectual property. Consider the amount of effort that high-frequency trading firms place on their ability to conduct transactions at the highest possible speeds — procuring communications hardware, colocating servers in exchange buildings, buying real estate according to its position in the data stream, etc. These are expenditures in the tens and hundreds of millions. It isn’t difficult to contemplate a rival firm, or a rogue employee looking to gain an edge, spending money off the books to cause a mysterious power outage or start a small fire in a rival’s server closet. How much would competing video game companies have paid to surreptitiously insert a virus into the master code for a major game’s launch and thereby cripple a major adversary in the contest for entertainment market share?
Finally, perhaps the most important factor driving our concern about the prospects for deniable commercial disruption is the current breakdown of behavioral norms that were previously considered sacrosanct. In an environment where our politics are lousy with corruption — and even violence — excused on the basis of tribal loyalty, is it really so hard to imagine a company thinking they could profit from an array of dirty tricks? Business ethics were hardly saintly to begin with and we’ve seen many companies twist themselves into pretzels to justify very questionable actions. Even now, two of the world’s biggest management consulting firms are embroiled in stunningly large ethics scandals and allegations of fraud. Likewise, the richest man in modern history currently finds himself embroiled in a sordid mess meant to disrupt the function of one of his media holdings and, rather than turn to the law, he looked to private investigators and his own resources for counter-action.
Will deniable infrastructure disruption be to the 2020s what junk bonds were to the 1980s or the massively fraudulent accounting of Enron and Arthur Andersen to the 2000s? When we look across the ocean to the overlap between legal business and criminal enterprise that exists in places like Russia, are we looking at a potential dystopian future for ourselves?
PREPARING FOR THE UNPRECEDENTED
So, what is a well-meaning company to do in such an environment? Businesses need to rapidly wise up to the many cheap and easy ways that they can be attacked. From phishing emails, to drones, to a carefully timed labor protest, to blackmail of senior officers, and even up to acts of violence — those who seek to benefit from destabilizing the status quo are actively brainstorming, refining their ideas, and experimenting. Meanwhile, businesses are still largely taking a passive approach, believing that the hundreds of thousands they’ve spent on automated monitoring programs will help alert them to a problem. As a last resort, they think their insurance policies will save them, or that their governments will step in to prop them up. These hopes are misplaced. Insurance companies are wising up to the fact that they’re being conned by companies that are dishonest about their vulnerabilities and remediation efforts. Governments have innumerable other problems to deal with and are themselves contending with issues such as ransomware attacks that paralyzed major cities like Atlanta in 2018.
Relying on passive monitoring and threat identification is not enough. There are dozens of companies ready to show executives how their machine learning tech can help keep them safe, but every day brings news of yet another exploited vulnerability, major breach, and accidental disclosure. Even if such systems were as potent as their salesmen profess, human weakness can never be fully covered by technical armor. Training algorithms to learn from the past will never be enough – and would-be attackers know that by constantly innovating, poking, prodding, and finding new attack surfaces, they can stay ahead.
No, this all calls for a proactive approach. Unconventional tactics cannot be identified by conventional methods of analysis alone. By incorporating geopolitical risk insight not just at the top, and not just in the risk team, but across all levels, companies can help each employee understand the role they play in exacerbating or mitigating their company’s exposure to the forces at play in an era of shifting norms.
They must invest in insight that helps them identify the incentives of those seeking to disrupt the complex systems which these companies rely on to operate – meaning insight from people who think like attackers, competitors, and saboteurs, not recent college grads googling the news from their cubicles. Penetration testing and ongoing active measures, performed by those who have the mindset of real attackers, can continuously probe the company’s defenses, identify vulnerabilities early, and remediate them rapidly. Interactive red cell simulations, facilitated by simulation designers who can help companies diagnose problems in existing protocols and explore possible threats and opportunities in new markets, can help businesses better prepare, adapt their strategies, build and practice smart business continuity plans, and deploy them more successfully. Finally, interactive simulations designed to cultivate common priorities and good decision-making in employees at all levels, by testing their susceptibility to various exploits and social engineering tactics and ensuring they follow crisis response procedures correctly, are vital tools for all companies to invest in now, before they’re left paralyzed.
Instances of commercial disruption with wide-ranging consequences are likely to increase as those with advanced skills and a penchant for experimentation probe what are known to be weak defenses. Losses will pile up quickly for those who fail to seize a chance to be proactive.
Regular people, like those simply trying to fly to their grandmother’s for Christmas, will bear the brunt of the consequences — and market trends will follow accordingly. But the ones who take heed now, and invest in non-traditional means to counter these non-traditional threats, can be ready for the unexpected and come out ahead.
Milena Rodban is a geopolitical risk consultant and interactive simulation designer, with 9 years of experience helping businesses navigate complex operating environments. She designs and facilitates interactive simulations to allow clients to diagnose problems, analyze major decisions, and integrate more effective communication, collaboration, and crisis response protocols. Her co-author for this article has over 15 years of experience in the US government, working in counterterrorism and special operations.