A Grand Strategy Based on Resilience
Recent revelations about the SolarWinds breach, in which ostensibly Russian threat actors exploited a critical node in the information and communications technology supply chain to gain access to U.S. government and private sector networks at an enormous scope and scale, are yet another example in a growing list of incidents that reveals ways in which America’s institutions, economy, and society are vulnerable. Other events — those that are actually disruptive — have more starkly exposed America’s vulnerabilities, most obviously the coronavirus pandemic, the ensuing economic recession, and exacerbation of preexisting income and racial inequalities.
It is nearly inevitable that disruptive events will continue to take place in the future. These may stem from geopolitical causes as the balance of power in the international system continues to evolve toward multipolarity, or other causes like climate change. Given this reality, the notion that resilience should be a cornerstone of American grand strategy has gained increasing attention. For example, in an article in Foreign Affairs this past fall, Ganesh Sitaraman calls for the United States to adopt a grand strategy of resilience. Sitaraman lays out a broad vision based on the objective of defending American democracy in an environment beset by various disruptions. But, while the defense of democracy is certainly important, is it the only purpose of American grand strategy? And how would the United States implement a grand strategy of resilience?
Resilience involves the ability to anticipate and withstand a disruptive event, and to rapidly restore core functions and services in its wake, whether it be a pandemic, financial crisis, terrorist attack, or large-scale cyber incident. Within this broad umbrella, there are different forms of resilience, such as operational resilience, financial resilience, or data resilience. In the context of grand strategy, resilience would reorient America’s strategic approach around improving its ability to anticipate and respond (from a defensive perspective) to adversary actions. Over time, this may have a positive, indirect effect of reducing the appeal to adversaries of conducting disruptive events in the first place through diminishing the perceived benefits.
Barry Posen, in his foundational work, The Sources of Military Doctrine, defines grand strategy as “a state’s theory about how it can best ‘cause’ security for itself.” Therefore, if resilience is to be a cornerstone of American grand strategy, it should be able to help improve American security. Other objectives, like defending American democracy, are impossible without achieving the basic, fundamental objective of security. For decades, American grand strategy has rested on the strategic concept of deterrence to preserve its security and, by extension, maintain the stability of the international system. However, the strategic context is changing — increasingly characterized by “great-power competition” — which is creating new challenges for deterrence. The nature of these changes suggests that the United States should update deterrence concepts to include resilience as a core element.
Deterring undesirable outcomes solely through the threat of force while effectively managing escalation risks is far more difficult in a great-power competition context. That is because rival states, such as China and Russia, are increasingly capable of denying American efforts to achieve military objectives and imposing costs in response to attempts to do so. And, historically, the United States does not have a good track record in deterring adversary activity that occurs below the threshold of warfare in the proverbial “gray zone,” whether it be Russia’s use of unconventional and proxy forces to annex Crimea, China’s artificial island-building campaign, North Korea’s massive cyber-enabled financial crimes, or, most recently, Iran’s information warfare campaign during the 2020 U.S. election.
What might incorporating resilience into American grand strategy look like in practice? As it turns out, the private sector and private cyber security firms have already devoted significant efforts to developing resilience-based frameworks to secure their organizations against cyber threats. Therefore, policymakers should draw lessons and best practices from these initiatives to help inform how the United States might incorporate resilience into an implementable grand strategy.
Resilience Approaches: Lessons from Cyberspace and the Private Sector
The nature of the environment in cyberspace makes it conducive to resilience-based approaches. Specifically, in cyberspace the large surface area of attack, dynamism of the environment, distribution of capabilities across a diversity of actors with low barriers to entry, and reality that a persistent and dedicated attacker can almost always find a means of gaining access to a target, mean that it is nearly impossible to identify and remediate every vulnerability in advance of an event, anticipate every type of threat, and perfectly defend all networks and systems. Disruptions and incursions — such as distributed denial-of-service attacks against private sector firms, ransomware attacks against American cities, or intrusions into critical infrastructure, including election infrastructure — have become a routine occurrence in cyberspace.
Therefore, the sheer impossibility of a perfect defense has driven organizations, especially in the private sector but increasingly in government as well, to reorient their thinking around a risk management approach to resilience. In fact, for over a decade, organizations that contend with threats in cyberspace have been drawing on the logic of resilience and investing in developing and implementing resilience-based frameworks. While several frameworks exist, such as the Financial Stability Board’s cyber resilience toolkit, MITRE’s cyber resiliency engineering framework, or the National Institute of Standards and Technology’s systems security engineering approach, they generally share a few core components. These typically include being prepared in advance of an incident, maintaining the ability to withstand and continue critical services during the course of an event, responding to and recovering from the disruption, and finally adapting and maturing an organization to incorporate lessons learned to be better prepared for the next incident.
Implementing this kind of resilience framework requires identifying and prioritizing critical assets, systems, functions, and personnel, and mapping the dependencies between them; understanding the threat environment and ascertaining likely avenues and methods of attack; being willing to assume greater risk in areas that may be more exposed but are of less significance, or are less likely to be targeted; and building the organizational maturity to continuously update and sustain these practices based on new information and evolving understandings of the threat and vulnerability landscape.
Government entities, especially with respect to regulatory bodies in the financial services sector, have begun to take resilience more seriously. Just this October, for instance, the United States Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency released a joint white paper articulating best practices for firms in the financial services sector to improve their operational resilience. This came on the heels of the European Commission’s publication in September of draft regulatory language to build operational resilience testing requirements into existing regulatory frameworks for the financial services sector within the European Union.
Applying Resilience Frameworks to American Grand Strategy
Turning to the broader strategic environment, the current international system shares characteristics that are similar to those that make resilience an appropriate concept for addressing cyber threats. For instance, the interdependence of global markets, economies, and societies means that a given disruptive event could have cascading effects across diverse sectors with difficult to anticipate consequences. An international system characterized by great-power competition compounds these concerns. While the term great-power competition obscures as much as it illuminates (e.g., over what are great powers competing?), the basic attributes of this environment make a resilience-based grand strategy a particularly good fit. Specifically, just like cyberspace, the “competitive” aspect of the current strategic context implies some form of continual activity that takes place below the level of warfare (thus, distinct from great-power conflict). And, as has already been the case in cyberspace for a number of years, the “great power” aspect reflects the reality that the United States no longer holds a position of unchallenged economic and military power and must contend with other near-peer or peer states.
A strategy anchored in resilience means the United States must reframe its approach to great-power competition. For instance, while there has been considerable focus on the military aspects of great-power competition and the development of new capabilities, forces, and concepts geared at deterring a great-power rival, less attention has been paid to the vulnerabilities and resilience of military capabilities and, importantly, the critical infrastructure and supply chains that support their development, sustainment, and employment. But perhaps even more important than the military aspects of great-power competition are the economic ones — made even more salient in the wake of the COVID-19 pandemic. As the fundamentals of American economic power erode in relative terms — manifest not only in the relative size of the U.S. economy, but also in other states’ efforts to build alternative economic and trade organizations and agreements and assume leadership in international standard setting initiatives — the ability to withstand and rapidly recover from economic disruptions will be critical for maintaining American prosperity and influence.
Applying a resilience lens to great-power competition will require the United States to systemically identify and prioritize critical assets, capabilities, functions, and dependencies. It means asking (and answering) difficult questions: Where is America most vulnerable and how critical are these vulnerabilities? What functions are essential and must be prioritized? And, conversely, where can the United States assume some risk? Additionally, effective resilience frameworks rest on a complete picture of the threat environment to anticipate and be proactive in preparing for and addressing potential adverse events. This means investing in strategic threat intelligence capabilities to understand evolving adversary intent, capabilities, and objectives, and collaborating with others, both in the private sector and allies and partners, to improve shared understandings.
Of course, the particulars of a resilience-based approach will vary by sector and function — each is defined by its own stakeholders, requirements, unique technologies, types of threats, relationship with society, and so on. In other words, financial resilience, which is critical for the U.S. economy, had fundamentally different requirements than the resilience of energy infrastructure, or the resilience of the U.S. nuclear deterrent, or the resilience of American alliances. That said, beginning to incorporate resilience into strategy and creating market incentives for private sector and government entities alike to prioritize and invest in their resilience is an essential first step toward refreshing American grand strategy for current and future challenges. That is because, in a great-power competition, resilience is likely to be a significant comparative advantage. If American grand strategy rests on “winning” every interaction in the so-called great-power competition, policymakers are left with a brittle strategy that forces unpalatable choices between capitulation and escalation. Resilience, however, obviates that need by anticipating that setbacks will be part of the strategic environment and, therefore, preparing in advance to address them.
Erica Borghard is a senior fellow with the New American Engagement Initiative at the Scowcroft Center for Strategy and Security at the Atlantic Council. She is also a senior director on the U.S. Cyberspace Solarium Commission.