Military mobility involves more than just transporting equipment; it also entails protecting the critical infrastructure across which it travels. On June 2, CEPA’s latest military mobility panel considered the cyber vulnerabilities of critical infrastructure. CEPA Pershing Chair LTG (Ret.) Ben Hodges moderated, and Institute for Defense Analyses’ COL. (Ret.) Tom Greenwood, former Lithuanian Deputy Minister of Defense Edvinas Kerza, Estonian Director of NATO Cooperative Cyber Defense Centre of Excellence COL. Jaak Tarien, and Bayerischer Rundfunk’s Sabina Wolf weighed in.
Key takeaways from the discussion (paraphrased and condensed for clarity):
An essential component of military mobility is its reliance on host nation transportation infrastructure and capabilities. In a potential crisis scenario, military reinforcement relies on the host country’s support and its national infrastructure — seaports, airports, bridges, and roadways — to move equipment and personnel quickly and efficiently.
Most critical transportation infrastructure is owned and operated by the private sector. The decentralization of such infrastructure inadvertently leaves them more vulnerable, particularly since a number of these companies are smaller and possess security systems that are easier to breach making them primary targets. But even big companies are potentially vulnerable. In 2017, the effects of Russia’s NotPetya malware attack directed against a Ukrainian software business ricocheted across the globe. The attack also hit targets such as the shipping giant Maersk, resulting in weeks of widespread transport disruption due to the loss of information regarding ship and container locations, as well as hundreds of millions of euros in lost revenue. The company supports military logistics.
A similar cyber attack directly targeted at NATO infrastructure, such as the critical German Bremerhaven seaport, would disrupt military mobility as well, perhaps worse than a kinetic attack. NATO brings together 30 different countries, which means there are 30 different processes for governing and protecting the alliance’s critical infrastructure, inconsistencies that NATO’s adversaries can easily recognize and exploit
If NATO wants to be truly prepared for cyber aggression, its forces need to cooperate on a single security platform. It is not enough to just share information; countries need to build shared operational capabilities. The EU’s Cyber Rapid Response Teams aim to ensure a higher level of cyber resilience through such cooperation. These teams operate by pooling participating national experts to boost training, vulnerability assessments, and collective response to cyber incidents. Greater participation in such collective projects would increase cyber capabilities across Europe, as well deter potential threats due to the collective response measures.
Moreover, NATO and U.S. forces must master joint and combined multi-domain operations. Adversaries do not assess capabilities in one domain, but across all five. Though large-scale, multi-theater exercises came to a standstill following the end of the Cold War, the rising threats from Russia and China show they are again needed. Defender-Europe 20, which was intended to be the largest deployment of U.S. based forces to Europe in over 25 years, was one such start. The outbreak of covid-19 may have halted the exercise, but similar large scale and multi-domain exercises in the future will help the U.S. and NATO deal with long-standing interoperability, mobility, and command and control challenges.
The burden of the covid era will force governments to reexamine their economic priorities. As these governments look to salvage their economies, prioritizing the protection of critical infrastructure will most likely be overlooked, as is evident in Europe’s looming defense budget battle. Yet the pre-covid security threats have not diminished.
With both an increasingly aggressive and cyber sophisticated Russia and China, NATO countries need to review their critical infrastructure and measures to protect it. It is in times of peace that countries must ensure their capabilities, so they can be prepared for times of conflict.
Europe’s Edge is CEPA’s online journal covering critical topics on the foreign policy docket across Europe and North America. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.