Early on Friday, following a week of tense negotiations between Russia and the West over Ukraine, a major cyberattack took down a number of official Ukrainian websites. “Ukrainians! … All information about you has become public,” the attackers posted on the website of the Ukrainian foreign ministry. “Be afraid and expect worse. It’s your past, present and future.”
Though it’s not yet clear who was behind the attack, the timing made many observers think immediately of Russia, which has a long history of targeting Ukraine with cyber aggression. As the EU’s chief diplomat put it, “ I can't blame anybody as I have no proof, but we can imagine.”
Regardless of the perpetrator, the incident was a reminder of the many tools Russian President Vladimir Putin has used to weaken Ukraine other than traditional warfare. There is, of course, an actual war being fought in the country’s east. But Russia has supplemented its military efforts with nonmilitary tactics such as cyberattacks, disinformation and propaganda meant to exacerbate political tensions and undermine Ukrainians’ faith in their government and in democracy itself.
Much of Putin’s playbook falls into this murky area between war and peace — what national security analysts have come to call the gray zone. The term has become fashionable, but the concept isn’t new. It describes tactics that fall short of outright military aggression and instead take aim at a country’s social, economic or political cohesion. Gray-zone tactics include disinformation and cyberwarfare, as well as subversive economic practices, like China’s efforts to coerce Western firms into doing its bidding. Another recent example came when Belarusian leader Alexander Lukashenko — a Putin-allied autocrat — manufactured a migrant crisis at the border between Belarus and Poland. This also wasn’t a traditional act of aggression, but it created a feeling of crisis and chaos, forcing Poland and the rest of Europe to prepare for possible conflict.
Though the term can feel overused in national security circles, calling these seemingly disparate practices “gray-zone tactics” helps us see what they have in common: They’re cheaper and easier than using military force, they frequently aren’t overtly illegal, and to date they’ve rarely caused loss of life. Finally, gray-zone tactics take advantage of freedoms in democratic societies — like the open Internet, a permissive business climate and freedom of migration — to create political divisions, economic disruption or general social turmoil. Autocratic regimes (as well as criminals who are sometimes linked to them) are undermining liberal democracies by weaponizing their own strengths against them.
This emerging form of not-quite-warfare poses a direct challenge to President Joe Biden’s goal of advancing democracy over authoritarianism. It’s part of what I call the “Defender’s Dilemma”: Liberal democracies are inherently vulnerable to gray-zone threats, but have worked themselves into such a sorry mess of divisiveness that they’re practically begging hostile countries and sundry groups to exploit their weakness. Over time, such tactics may help convince people that democracy isn’t the best form of governance — a task that could be disturbingly easy with many in liberal democracies already feeling that the system doesn’t work.
There is no obvious tool or institution with which to combat gray-zone tactics. It’s been clear for decades that the armed forces need help from other parts of government to combat threats that are diplomatic, technological, economic or scientific in nature. Today, even that isn’t enough. As authoritarians eye a wider, more creative variety of targets — from private companies’ supply chains, to the systems that deliver gas and water, to faith in democracy itself — no government can, on its own, protect its population from gray-zone aggression.
The tool governments need is one that won’t be easy to deploy: the rest of society. Companies and private citizens increasingly need to play a role in protecting democracy by shoring up their digital security, learning to detect misinformation and not succumbing to their worst instincts when cyberattacks or disinformation crises attempt to foment widespread panic.
Can society really come together this way? Obviously, this seems like a tall order at a time when so few Americans trust their institutions — or one another. But other countries are experimenting with making corporations and citizens an asset in the fight against this new category of threats. Their experiences offer a starting point for the United States, which has only recently discovered that it’s vulnerable in a way never was before.
If it turns out that Russia or Russian-linked hackers were behind Friday’s cyberattack in Ukraine, part of their rationale will surely have been to worsen the country’s existing political divides and make Ukrainians conclude that their government is failing. (Later on Friday, reports suggested that the U.S. believes Russian operatives are planning “acts of sabotage against Russia’s own proxy-forces” to create a pretext to invade Ukraine — an example of how shadowy “almost-war” tactics can quickly lead to real war.)
Similarly, Lukashenko knew that massing migrants at Poland’s border would stoke existing divisions over European refugee policy and multiculturalism. The situation resembles a form of gray-zone warfare with which Americans are more familiar: In 2016, Russian intelligence agencies’ sought to manipulate Americans’ political views through Facebook. This effort took advantage of the open political debate in a free society, using that openness to turn us against each other.
Gray-zone warfare also exploits the interconnectedness of global business and the growing role private companies play in shaping public life. Danish, Irish and Romanian companies leased planes to the airlines transporting the migrants to Belarus. Russia’s most aggressive act of cyberwarfare against Ukraine — the NotPetya attack — brought down multinational corporations around the world by exploiting Ukraine’s links with the global digital economy. And of course, Russian election meddling in the 2016 U.S. election was that much harder to verify and address because it was done through a privately owned social-media platform.
America’s adversaries have realized that targeting private companies or individuals is a fruitful way to hamper society’s day-to-day functioning and spread chaos. Ransomware attacks can hit gas pipelines, the power grid or critical parts of the supply chain that are often run by private companies. Beyond some minimal standard precautions, private firms in the U.S. and other democracies have significant latitude when it comes to cybersecurity. That makes them vulnerable. Yes, companies operating critical national infrastructure are regulated by the government — but even in those sectors, the balance between societal responsibility and responsibility to shareholders is far from settled.
Another emerging form of geopolitical coercion short of war involves direct pressure on companies as a way of influencing their home governments. Nike and H&M were caught unprepared when they were hit by a Chinese boycott last spring, an apparent act of revenge for Western sanctions over Uyghur forced labor. Last year the telecom company Ericsson became another easy proxy target as China sought to force Sweden to reverse its decision to exclude Huawei from its 5G network. Again, these practices tend to be more successful in free and open societies because they have more open business climates.
Of course, non-military aggression against society at large is not new. In wartime, propaganda is a constant companion of military action, and blockades are used to try and starve a population into submission. During the Cold War, both sides used broadcast news and publications to fight the battle of ideas.
But today’s globalized, digitized world offers far more opportunities to achieve geopolitical aims by targeting a country’s businesses and citizens. Practitioners of gray-zone tactics will find more and more ways to use the interconnectedness and openness of democracies to undermine them. And because aggressors frequently use tactics are much less acceptable in liberal democracies, the defender tends to always be one step behind.
The private sector and ordinary citizens are generally asked to obey laws and pay taxes, but most people don’t think of them as playing a central role in protecting the nation’s security or its democracy. But this will need to change as it becomes easier and more effective to target a country’s economic engine or social cohesion — in ways that government isn’t equipped to handle alone. In case of a severe cyber attack against, say, a major food retailer, the government can respond by helping identify the attacker and even retaliating. But the company should play an active role, too, by having a backup plan in place to make sure it can keep distributing after being compromised and communicate effectively with the government about what’s happening. (It should also maintain high cybersecurity standards in the first place.) Consumers, meanwhile, surely have an obligation not to panic and start hoarding goods.
A number of European countries are already taking steps toward a “whole-of-society” approach that acknowledges the role of private citizens and the private sector in keeping countries safe. Three years ago, Sweden’s Civil Contingencies Agency — an agency similar to FEMA, but with a mandate to educate the public and coordinate crisis response — sent a leaflet to every household with information about how to spot disinformation and what to do if power or gasoline runs out. Just this month, Sweden launched a government agency for psychological defense, which will counter disinformation and make the population more resilient to it. Last year, Britain explicitly announced it was shifting to a whole-of-society approach to national security. Among its first steps: plans to launch a civil reserve, analogous to military reserves, of experts in fields from cyber to healthcare who will volunteer their services in crises.
In 2020 Latvia published a crisis-preparedness leaflet called “72 Hours: What to do in case of crisis.” The idea, the country’s defense minister wrote at the time, is to “[prepare] society for catastrophes we cannot specifically predict.” The document instructs citizens on what to do for food, water and health care in the event of a natural disaster, war or other crisis. The Czech Republic launched joint military-industry gray-zone exercises, in which the armed forces and companies from every sector team up to practice reacting to different forms of aggression below the threshold of war, from cyber attacks to supply chain disruptions to coercion of companies.
France, meanwhile, has launched a one-month national service program in which teenagers learn crisis response skills; the program is also designed to enhance cohesion among different societal groups. Similarly, Your Year for Germany invites young Germans to spend a year training and practicing homeland-security protection.
The question is, are any of these efforts going to work? It’s too early to say whether they have a real shot at succeeding. And Americans should be skeptical about whether smaller-scale initiatives in Europe’s less populous, more cohesive countries can make a difference in the larger and generally more fractious United States.
Still, it’s relatively early in the game. At this stage, it’s progress to acknowledge the unique nature of this problem — and to try something. The whole-of-society approach is essentially psychological, focused on building confidence and preparedness to deal with anything from an attack on the electric grid to a misinformation crisis about migrants at the border. It’s an unusual philosophy, particularly for the United States. But the growing prevalence of gray-zone aggression preying on a divided populace and a complacent private sector should be a wake-up call.
There is some movement in the United States toward preparing companies for a hostile nation cutting off essential services or attacking election infrastructure. The Department of Energy holds regular meetings with leading energy companies to discuss threats to their operations. Key businesses have recently been obliged to better protect their networks, and a May executive order by Biden makes firms part of a broader effort to secure the cybersecurity supply chain. The exercise Jack Voltaic, coordinated by the U.S. Army’s Cyber Institute, is a good example of cooperation between the military and companies.
These are promising signs. The U.S. government needs to more regularly engage with companies and executives to update them on threats they may not know about. Companies will also need to start taking action sector-wide, such as by sharing cyber incident details with one another. Commercial satellite operators already do this, but few other industries do, generally fearing their competitors will use the information for advantage. But as cyberattacks and coercion efforts become more common, companies may need to set those worries aside. For instance, Colonial Pipeline and JBS both paid their ransomware attackers out of self-interest. Going forward, businesses could team up within their sectors and publicly say they’ll never pay ransoms to create a stronger norm before the next attack.
Tougher than getting private firms to collaborate with one another and the government will be securing buy-in from the population at large. Citizens of liberal democracies aren’t used to being asked to play an explicit role in protecting society, especially when it involves time or inconvenience. Then again, because the convenience they prize is so vulnerable to new forms of aggression, it’s in their interest to help make society as resilient as possible.
Citizen involvement — both individual and collective — won’t be easy to organize. Two decades ago, Robert Putnam’s seminal Bowling Alone documented the decline of civic engagement in America. Now, we can draw a straight line from that disengagement to the divisions that plague America today and that seem to positively paralyze it in the face of crises. Adversaries have already taken advantage of this weakness, and we should expect that pattern to worsen. The fragmentation and atomization of society documented by Putnam is alarming on its own, but when it invites aggression from hostile countries, addressing it becomes a matter of urgency.
This September the House passed an amendment to the National Defense Authorization Act, intended help the country address gray-zone aggression. The amendment instructs the government to establish how to conduct gray-zone campaigns, including prioritizing the allied nations that are frequently targeted. This is good progress, but what we need next will be more specific efforts to enlist not just the government but also the American people to make society resilient against economic, psychological and other attacks below the threshold of war.
Perhaps in the future, we’ll see programs in which retired American doctors and nurses join civilian reserve forces for crises like fuel chaos triggered by cyber attacks or even epidemics instigated by hostile states. Or, initiatives like Finland’s elementary-school information literacy instruction could help gradually inoculate Americans against the pandemic of disinformation — a problem that phenomenal amounts of research have tried to tackle, but that remains a stubborn contributor to the divisions that make us vulnerable. Or, we might envision more formal, Czech-style collaboration between companies and the Pentagon to game out scenarios for future ransomware attacks on critical utilities.
With the whole of society involved, America would be a lot stronger when the next crisis strikes. The challenge is to create a mindset where companies and citizens don’t fall into passivity or destructive behavior when a crisis occurs. This is certainly a massive undertaking — and we don’t have much indication right now that it can work, especially in a divided democracy like the United States. But this country, along with many others around the world, is slowly becoming aware of the challenge.
Many homeowners put signs in their front yards informing prospective burglars that the house is equipped with a burglar alarm (or a biting dog). Standing militaries send the same message to would-be invaders. But when it comes to gray-zone aggression, countries practically put a welcome sign on their front doors. Many companies seem uninterested in playing a broader social role. And when something goes wrong, citizens sort into their tribes and are frequently unable to tell facts from falsehoods. Countries wishing to do harm would be foolish not to exploit such weakness — indeed, they already are.
In the long term, recognition of the need to act collectively against gray-zone aggression might even help serve as a force for unity. Americans may not want to bowl together again, but how about working together to keep themselves, their families, their companies’ production and sales and the country safe? Call me optimistic, but perhaps defending against this new category of threats could one day play the role of yesterday’s bowling leagues in bringing a divided people together.