Episode 292: Critical Infrastructure Under Threat: Securing the Foundations of a Connected World with Dr Tim Stevens

Produced and programmed by Katerina Mazzucchelli

Today, Dominic Bowen hosts Dr Tim Stevens on The International Risk Podcast to examine how hybrid threats, cyber operations and infrastructure vulnerabilities are reshaping Europe’s security environment. They discuss how adversaries exploit the interdependence of digital, physical and informational systems, why hybrid activity sits deliberately below the threshold of open conflict, and how these pressures are redefining strategic risk for governments, businesses and critical-infrastructure operators across Europe. Together they explore how cyber intrusions, sabotage, supply-chain exposure and targeted information operations generate cumulative effects that undermine resilience, erode trust and complicate decision-making.

Dr Stevens outlines the dynamics driving contemporary hybrid competition, explaining how Russian and Chinese operators use access, ambiguity and signalling to shape the behaviour of European states. He discusses the increasingly global nature of insider threats, the strategic logic behind cyber pre-positioning in energy grids and communication networks, and the operational challenges facing organisations with fragmented digital estates. The conversation also examines the limits of regulation, the evolution of state and non-state tactics, and the growing expectation that European institutions must integrate cyber, infrastructure and geopolitical risk into a single, coherent security posture.

Dr Tim Stevens is Reader in International Security at King’s College London and co-director of its Cyber Security Research Group. His work analyses the politics of cybersecurity, hybrid threats, cyber risk and the global contest over technological infrastructures. He is the author of several leading publications in the field, including Research Handbook on Cyberwarfare (2024) and What Is Cybersecurity For? (2023). His research examines how cyber operations intersect with societal vulnerabilities, strategic signalling and governance capacity, offering perspectives that inform policymakers, security professionals and institutions responding to the rapidly evolving cyber-hybrid threat landscape.

The International Risk Podcast brings you conversations with global experts, frontline practitioners, and senior decision-makers who are shaping how we understand and respond to international risk. From geopolitical volatility and organised crime to cybersecurity threats and hybrid warfare, each episode explores the forces transforming our world and what smart leaders must do to navigate them. Whether you’re a board member, policymaker, or risk professional, The International Risk Podcast delivers actionable insights, sharp analysis, and real-world stories that matter.

Dominic Bowen is the host of The International Risk Podcast and Europe’s leading expert on international risk and crisis management. As Head of Strategic Advisory and Partner at one of Europe’s leading risk management consulting firms, Dominic advises CEOs, boards, and senior executives across the continent on how to prepare for uncertainty and act with intent. He has spent decades working in war zones, advising multinational companies, and supporting Europe’s business leaders. Dominic is the go-to business advisor for leaders navigating risk, crisis, and strategy; trusted for his clarity, calmness under pressure, and ability to turn volatility into competitive advantage. Dominic equips today’s business leaders with the insight and confidence to lead through disruption and deliver sustained strategic advantage.

The International Risk Podcast – Reducing risk by increasing knowledge.


Transcript:

Tim Stevens: [00:00:00] The principal purpose for targeting critical infrastructure is to undermine societal wellbeing. And now that’s a very vague term, of course, but it could extend to notions of trust in governments to be able to protect essential goods and services. Um, and if you undermine that trust, you are in a sense undermining some of the tenets, if you like, of democratic societies, but also societies in general.

Dominic: Hi, I’m Dominic Bowen and welcome to the International Risk Podcast where we unpack the risks that are shaping our world. And today we’re exploring the vulnerabilities of critical infrastructure, and we’re doing that in an area of escalating hybrid threats and geopolitical competition. We see energy grids, ports, undersea cables and digital infrastructure are the foundations of our connected world, and they’re also the targets and the victims of geopolitical activities.

[00:01:00] These systems are becoming increasingly probed. They’re being disrupted, and in many cases, they’re being directly targeted and the consequences are being felt beyond the immediate damage to the cables, to the pipes, to the dams, to actually at businesses, and certainly within our governments. With these growing vulnerabilities brings a range of questions, including, you know, how resilient are our societies, how resilient are our businesses, and how can governments be protecting critical infrastructure? And is the public and is the private actors coordinating properly to reduce the risk to these important systems.

Our guest today to help us understand this is Dr. Tim Stevens. He’s the Reader in International Security at the Department of War Studies at King’s College in London, and he is also the co-director of its cybersecurity research group. His research includes cybersecurity, politics, cyber risk, cyber warfare, and of course the global politics of technology. He’s the author of Research Handbook on Cyber Warfare, What Is Cybersecurity For?, The Cybersecurity and Politics of Time, and more recently, [00:02:00] Cyberspace and the State. Tim, welcome to the International Risk Podcast.

Tim Stevens: Thanks Dominic. Glad to be here.

Dominic: So Tim, critical infrastructure has long been seen as a silent enabler. Some people might even say just a boring behind-the-scene activity that, whilst critical, we don’t really think about it in modern economies. But we’ve definitely seen the shift in recent years. We’ve seen that these systems are no longer in the background, but often on the front page of our news, and they’re becoming strategic targets themselves.

And there’s been a lot of concerns about Russian activity, especially around undersea cables and the Baltic. There’s also been ransomware attacks on pipelines. We’ve seen significant ransomware attacks on hospitals, especially in Sweden. There’ve been victims of multiple ransom attacks on hospitals and entire communes. We’ve seen critical infrastructure increasingly exposed.

So let’s start by unpacking what that means. You know, what is the current landscape? When we look at risk and when we speak about infrastructure, what should we be thinking about, Tim?

Tim Stevens: [00:03:00] That’s a very good, very good question. The word infrastructure, without being too academic about it, is a relatively modern phrase that had only really emerged in France in the late 19th century, and it’s through the 20th century that the word has become attached to pretty much anything that supports a wider or higher-level societal undertaking, shall we say.

Now, that’s a relatively modern word. You’re right in the sense that for the longest time, infrastructure was treated as something that, if anyone looked at it at all, it was rather mundane, boring, perhaps even invisible, and not something that we really thought about in our everyday lives. But as you’ve said, this has very, very clearly changed.

And whilst we’ve always had infrastructure, particularly, you know, if you think about urban environments where we’ve had sewage and water systems, transport, logistics, power and so on as foundations, if you like, for city living, it’s really in the last sort of half a century or so, perhaps a bit longer, when we’ve begun to think about infrastructures as extending in a global sense.

[00:04:00] And when we think about infrastructures now, we’re thinking about transnational supply chains. We’re thinking about computer networks. We’re thinking about international trade and logistics. Thinking about communications generally. And this has really sharpened our attention, if you like, to what the possibilities are if supply chains and networks are disrupted.

And that’s really where we are at now, thinking about those critical infrastructures — those infrastructures without which we could not be a modern society, without which government couldn’t function, without which we couldn’t deliver essential goods and services.

But because we’re in this supply web, if you like, at the global level, a disruption in one place can cause disruption in others. And when we think about critical infrastructure now, we’re really in that kind of mental, cognitive and political space, of course, where we’re having to rethink, or draw new attention to, those critical infrastructures because, as you said in your introduction, they’re very much being targeted by a range of actors who wish to do our societies harm.

Dominic: And recent incidents, from sabotage of undersea cables to these really sophisticated cyber attacks, they’re really demonstrating that infrastructure today is both the target but also the terrain and the vehicle for actually achieving strategic competition. Which is quite interesting.

[00:05:00] And I understand — you know, I work in risk management and crisis preparedness — that these assets are difficult to defend. And part of it is due to the vast nature of them, the fact that they’re so interconnected, they’re often international in nature, and they fall out of some countries’ jurisdictions. And that leaves critical infrastructure vulnerable at a time of what is undoubtedly significantly risen and increased geopolitical tension.

So with that basis, can you tell us why? Why are energy grids, why are ports, why are undersea cables, why are our digital networks increasingly targets? What’s the purpose of targeting them?

Tim Stevens: The principal purpose for targeting critical infrastructure is to undermine societal wellbeing. And now that’s a very vague term, of course, but it could extend to notions of trust in governments to be able to protect essential goods and services. Um, and if you undermine that trust, you are in a sense undermining some of the tenets, if you like, of democratic societies, but also societies in general.

We trust government and the private sector to deliver us what we want and what [00:06:00] we need to undertake our daily lives. So targeting critical infrastructure in that sense has a sociopolitical purpose, but there’s also — they serve national security purposes. And some of the, for example, the accusations against Chinese merchant vessels cutting undersea cables around Taiwan, for example, it’s very clearly both a message to Taiwan but also possible preparation for future military attack.

And indeed, when you think about digital networks, some of the activities of a group that’s associated with the Chinese People’s Liberation Army — Volt Typhoon — have very much been about implanting capabilities in American power grids, military networks, communications and so on. Again, as a bridgehead, if you like, for possible future military action.

So there’s a range, if you like, of different objectives — some of which might be immediate and tangible, in the sense of sowing mistrust or disquiet amongst civilian populations. But others have a much longer-range objective, much as we in the past — and still do, of course — position military materiel in [00:07:00] foreign countries in case we need it for future operations. In cybersecurity, some of those capabilities — the malicious software, the malware that’s being implanted in foreign countries’ networks — serves a very similar function. That is something we can deposit, hide, and then use later to prosecute our military objectives.

Dominic: And it doesn’t matter what intelligence service you speak to, which government agency you’re engaging with — you know, we don’t need to speak to anyone else, we don’t need to read another headline to realise that the hybrid threats are increasing across Europe. And summer really did heat up — pardon the pun — when we look at the official assessments released by so many government agencies.

And, you know, the blunt reality really was that Russia’s hybrid campaign in Europe is widening, and it’s directly targeting businesses. It’s targeting their operations, the safety, the compliance, capital, reputation, but also government actors at the same time.

At the start of summer, on the 26th of June, the European Council said — and I’ll quote them — that it condemns Russia’s continued hybrid campaign, including sabotage, including disruption of critical infrastructure, including [00:08:00] cyber attacks and information manipulation and interference. And that was the European Council statement.

And we saw that just continue. We know the UK’s national security strategy talked about needing to counter the persistent and growing underwater threats from Russian submarines and Russia’s shadow fleet. We know that in July, in Brussels, the European Council listed nine people and six Russian entities attempting to destabilise and conduct negative operations across Europe.

There’s been increased reports about Russia’s Kaliningrad region and their electronic warfare operations and the impact that is having on shipping and on aircraft. And there are many more examples, and some of them we will no doubt unpack during our conversation today, Tim.

So the picture seems to be quite clear from what we’re seeing in publicly available information that Russia and China are doing this. Is that the whole story, or do we need to be considering more when we think about who the actors are — who is leading and causing this hybrid warfare?

Tim Stevens: [00:09:00] I think identifying Russia and China as the main actors is a fairly sensible first step. It’s very clear that Russian hybrid operations have increased dramatically over the last two to three years. And indeed, one recent assessment suggests that the number of Russian sabotage operations, if we want to call them that, has quadrupled over the last two years — which is a fairly staggering statistic — which means that there are dozens and dozens of Russian hybrid operations being conducted against various forms of infrastructure in Europe at this time.

China, too, has a slightly different objective, in the sense that unlike Russia, which aims to destabilise European allies and their support for Ukraine, and destabilise the very notion of a unified Europe, Chinese operations are geared more toward thinking about ultimately taking back Taiwan.

But they both experiment in various types of sabotage operations against critical infrastructure. Russia is much more varied, one might say. It uses a wider spectrum of techniques, which can go from something as fundamental as — in the jargon we call kinetic [00:10:00] attacks. So we’ve seen warehouse fires in London. We’ve seen assassinations in the UK. We’ve seen attempted assassinations elsewhere in Europe. But also through the virtual dimension, through cyber operations, through electronic warfare.

The current big story around the European Union, of course, is the Erezelia Airlines civilian aircraft that was forced to land using paper maps the other day due to a Russian and/or Belarusian electronic-warfare operation — so directly affecting civilian aviation.

I think the picture at that level is fairly clear. Those would be the two main adversaries in this space. But they involve a much wider range of actors too. One of the reasons why a country like Russia or China can get away with, or act with relative impunity in this space, is because, for example, in the case of Chinese maritime operations against undersea cables, ships have long flown flags of convenience.

And if your ship is registered in Togo or Senegal, or wherever it happens to be, it’s effectively under the control of that flag nation. And if you send your merchant navy [00:11:00] ships out under a flag of convenience, the international law of the sea operates slightly differently than just saying, “This is a Chinese vessel.” It becomes a Togolese vessel. And there are layers and layers and layers of companies and shell companies and flag nations and so on that are used to hide these shadow fleets that both China and Russia use, which means it is relatively easy to escape attribution.

In the sense that there are all these layers you have to unpeel like an onion to get to who the original perpetrators are, as it were, or who have organised or commanded these operations. And, of course, ultimately the perpetrator — whether it be China or Russia — is just going to deny it anyway.

So incredibly difficult. But there’s also other aspects to it. For example, in cases of European sabotage by Russia, operations have been conducted by third parties. So we’re not necessarily talking about agents of the Russian state conducting operations. We’re talking about citizens of other countries being co-opted, or indeed the use of private military contractors like the Wagner Group [00:12:00] to conduct operations, which again creates a little bit of distance between those who might be directing these operations ultimately, or at least providing the opportunity for actors to conduct these types of operations.

So it becomes quite complex. The idea that Russia and China are centrally commanding all of these types of sabotage operations against critical infrastructure is only partly true, because there is a range of other actors all too willing to conduct these operations on their behalf.

Dominic: Thanks for explaining that, Tim. And I thought this case was particularly interesting. In mid-August, Norway’s security service — that’s the PST — said that pro-Russian hackers opened a floodgate at a huge dam for about four hours, and the amount of water that they released was enough to keep a huge data centre operating for an entire year.

So it’s a lot of water — there was about 500 litres per second — and it was open for about four hours. And the head of Norway’s security service said that the aim of this was to influence and to cause fear and chaos amongst the general population in Norway.

And I think it’s this variety of hybrid operation that mix things like, you know, opening dam waters to mixing cyber attacks, disinformation, physical attacks, assassinations. Not only does that complicate the [00:13:00] protection of critical infrastructure, it really complicates our responses.

But, of course, the first step in protecting is to understand your adversary. So I wonder — you talked about the different objectives that Russia and China has — so if we start by looking at Russia and its attempts to undermine and destabilise Europe, when we look at the activities, they’re just so broad and they’re so wide, and some are very deep and some are quite shallow.

It’s hard to know if these attacks are coordinated, if they’re deliberate, or if it’s more just a matter of “let’s throw what we can at Europe and see what sticks”, and then learn from that. What’s your understanding? What are you seeing, and how coordinated and deliberate are these really broad and wide-ranging attacks?

Tim Stevens: I think the general conceptual umbrella for Russian hybrid operations is not that someone’s sitting in the Kremlin saying, “Today we’re going to attack a dam in Norway.” I don’t think that’s how it works. But what has been delegated somewhat to various organs of the Russian security and intelligence apparatus is, if you like, a green flag to “let’s see what works”.

We understand the overall strategic objective, which is [00:14:00] to destabilize, confuse, undermine societal cohesion against the backdrop in Ukraine. But also there is an element of “let’s see what works”. Okay. One of the things that the Russian playbook operates on is that it understands all too well how Western societies work in a way that perhaps we don’t quite understand how Russian society works.

Western societies are very open. They publish national risk registers. We know what government’s concerned about. We know what makes the public tick because we’re open societies. Russian operatives are clever. They know what concerns us. They know what we hold of value. They understand, for example, in the case of the UK that the NHS is sacrosanct when you look at public polling and so on and so forth.

And they exploit those. They exploit those seams, they exploit those vulnerabilities, which are social, psychological vulnerabilities as much as they’re pragmatic, functional ones. But what they’re also doing through these operations, of course, is demonstrating a couple of other points. The first is capability.

So the Norwegian dam case is a very, very good [00:15:00] example of “we have access to your water system. We have access to this dam. We could have opened it a lot more. But we didn’t.” So we’re keeping it at a level that’s demonstrating our ability to infiltrate those networks and systems, to make changes in industrial control systems, to modulate the flow of water, which, you know, 500 liters a second sounds a lot, and it is, but it could have been more.

So we’re demonstrating our capability, and we’ve seen this loads of times, where Russian operators have infiltrated systems and played with it, almost wanting to be caught, in the sense that you now know that we have this capability to affect things that you hold dear. The second point, of course, is demonstrating intent, and capability and intent go together.

When we’re thinking about strategy, it’s all very well to have a capability, but what are you harnessing it to? And these operations show very clearly that the intent behind these operations is to disturb and disrupt; that should our current strategic competition rise to the level of strategic crisis, let alone conflict, that Russia will [00:16:00] act, or at least to introduce some uncertainty in our thinking about whether they will or not, and that they’re always playing on this idea that, and we do this as well in some respects in other fields, is introducing some ambiguity about will they, won’t they. We know they can, but what is it that they will do, should there be an escalation in, you know, diplomatic relations or open hostility or whatever? So there’s a couple of different components to thinking through that issue.

Dominic: Yeah, I mean, I think that we know that Russia is definitely trying to undermine Western resilience. It’s trying to divide societies and it’s been very successful. And we see the manipulation of social media in the UK to great extent. It’s not just Russia and China. We know that hackers and bot farms in India have really contributed to a lot of anti-Islam and anti-Muslim protests in the UK, but certainly we’ve seen that across North America and Europe as well. And we also know that Russian doctrine is quite advanced and it’s very mature and it’s quite deliberate and intentional in its attempt to blur the lines between what’s all-out war and what’s [00:17:00] peace and what’s in between.

But you also mentioned China. You mentioned that China’s goal is very different, that in fact China’s real focus is just on reunification with Taiwan. So can you help us understand: how do hybrid attacks in North America, how do hybrid attacks in Europe, benefit China’s attempt to reunite and reunify itself with Taiwan?

Tim Stevens: Yeah, I mean, Taiwan is one of its major focuses. The other one, of course, is that it is a peer challenger to the United States. And a lot of the actions that China has taken in recent years have to be understood in those terms, that it’s directly challenging, sometimes in very physical and obvious ways, such as island building its in the maritime, uh, and so on.

It is even through its operations against Taiwan, though, it’s against the backdrop. It’s almost saying: we are patient, we can play the long game. We are making preparations for taking Taiwan. Let’s not forget the Chinese Communist Party doctrine is still essentially rooted in a kind of [00:18:00] linear view of Marxist history, which tells us that the reunification of Taiwan with mainland China is inevitable.

It’s only a question of time. So everything that’s happening around that is preparatory, if you like, but it is also challenging the United States in that way. It’s saying, well, Taiwan is ally. What are going to do about it? And it knows perfectly well that the United States and its allies can’t an awful it.

Now you mentioned Chinese operations, principally information operations, I would say, rather than kinetic operations in Europe, sending a similar message, suggesting that, you know, China has access to and understands Western communications, understands how our societies work, and of course it understands them even better through data collection and surveillance through various sort of web applications and so on, TikTok primarily. So part of its, you know, openly stated objectives for artificial intelligence is to gain data on how Western societies tick, and it can feed that back into its information operation, shape the communication space, attempt to shape the debates that are being had around China and Chinese [00:19:00] intentions. Um, ultimately China wants to portray itself both as a peer competitor to the United States, but also as a good global citizen. And shaping the discussions online and elsewhere around those types of issues is very valuable when you think about it in strategic terms.

Dominic: And it is quite interesting, Tim. One of the questions I get asked all the time from business leaders right across Europe is, how do we build resilience? How do we build resilience when everything around us feels so uncertain? And my response isn’t necessarily what people want to hear. And I say that, you know, resilience isn’t necessarily something that’s built overnight.

Resilience is something that’s a process. But like all processes, if you start now, you’re gonna be better prepared in a week and a month and a quarter’s time than what you will be if you don’t take any action now. But sometimes where to start and how to start can be quite difficult. And a conversation that I have with a lot of businesses is the threat from insiders. Now, it could be organized crime, it could be organized crime sponsored and supported by state actors, which is an increasingly large phenomenon across Europe, or it could be state-sponsored actors inside your [00:20:00] organization. And whilst many of our listeners might be thinking that we’re talking about a Tom Clancy novel, this is a reality.

I have clients in Northern Europe, in mainland Europe that are victims of this. At least once a month I’ll have a client and we’ll be working through a challenge where there’s been an insider threat that’s linked to a state actor. It’s quite phenomenal how common and how deeply penetrating so many industries are.

So what’s your advice to business leaders, government? That person sitting beside you, the desk beside you. Now, no one wants to think that their colleague could be the risk, but we know, whether we look at cyber data, uh, information breaches, that around two thirds of those are usually caused by insiders.

Now, some of that is accidental, some of that is poor training or poor compliance with policy, but some of it is deliberate. How do we balance that and how do we have those conversations with business leaders and policy advisors?

Tim Stevens: It’s a really difficult conversation, and it always has been because it’s not really in most people’s nature or desires to suspect one’s fellow employees.

Right. And [00:21:00] managers don’t like doing it either. The paranoid management style does no one any favors at all, but it’s a very real threat. The scale of the threat overall is probably quite small. But yet it’s quite common too, if that makes sense. It’s not that everybody is an insider threat, it’s just that many organizations do have an insider threat, even if it’s only just one or two individuals.

Short of, you know, surveilling all one’s employees 24/7, it’s very, very difficult. But there are things that can be done through digital means. Most organizations will wanna establish baselines for pattern of life, for example, using over their digital networks, and, you know, large organizations properly resourced and with acutely aware information security professionals making decisions at boardroom level will be aware that pattern-of-life analysis is really important.

And if suddenly you see oddities or anomalies creeping in, such as, you know, huge amounts of data being extracted from your department that deals with intellectual property at 2:00 AM in the morning, you might wanna investigate, and usually there’ll be someone’s digital fingerprints all over that.

What’s really interesting is the insider [00:22:00] threat. The conversation has changed a little bit, quite recently in fact. Whereas it used to be the person that you hired and maybe had been at the company for ages, and the insider threat used to come from a disgruntled employee, you know, their treatment at the hands of their employer, or their disquiet about corporate policy or something like that, or somebody that maybe had been blackmailed from outside and so on and so forth, which is corporate intelligence. Now, because of, partly driven by the pandemic, I suspect, but ’cause of ways of hybrid working in hiring and lots of forms of remote working, we’ve seen an awful lot of cases where people have been hired, they never set foot inside the building. And, if you like, the labor supply chain has become much more internationalized, so you can get a job and never set foot in your corporate HQ or one of their satellite offices. And we have seen this, for example, with North Korea.

Where North Korea has seeded LinkedIn with likely-looking individuals looking for IT jobs in North America and elsewhere with highly plausible CVs that are mainly AI generated or augmented in various ways. [00:23:00] And they’re hired to do jobs that allow them access to corporate networks that they then leverage to extract intellectual property or just take the salary and then use that to feed into North Korean evasions, sanction evasion and things like that.

So they’re insider threats, but in a slightly different way. So in a sense, they’re not individuals who are already inside the corporate perimeter. They’re people you’ve invited in, and vetting and so on has to become much more sophisticated in order to understand who you are hiring.

And unfortunately, or for better or for worse, AI-driven hiring practices could either make that situation better or worse. You know, if someone ticks all the boxes and the AI says they tick all the boxes and they hire them, then, you know, we’ve got a bit of a problem. So HR is people driven and it’s about people, and we need to remain mindful of that.

Dominic: Yeah, it’s a great point. And I think AI can be both our tool and our strength, but also our, our weakness if we, if we rely on it too much. And, and you, you mentioned, screening candidates, and I think that’s a really solid one and most companies now do a reasonable level of background checks, but it’s, it’s really interesting.

The Dominic Bowen that’s [00:24:00] sitting here now in, in, you know, Q3 of, of 2025 is very different to the Dominic Bowen of two years ago and completely different to five and absolutely different to 10 years ago. You know, from financial positions to countries I’m working in to people that I’m engaging with on a, on a weekly basis and the, the, the countries that I’m spending time in, you know, it’s a very, very different profile and we’re all like that.

But it’s amazing how many companies, you know, will have employees that have worked there for 10, 15, 20 years and maybe in different roles, but maybe they did a background check 15 or 20 years ago, but we’re not sure who they are today. Do they have a gambling addiction now? Have they been divorced? Are they now married to someone from the Hell’s Angels? You know, we don’t revisit these and similarly, doing a background check just as a, as a blanket statement.

What are we checking and is that commensurate with the risk? I’m a big believer in, you know, we shouldn’t be doing any security and risk controls that aren’t adding value. And if you’ve got someone that presents no or low risks to your company, well then that should be reflected in the precautions you take with them.

But if you’ve got someone that has access to a lot of systems and a lot of information, then of [00:25:00] course you should be doing much more robust checks. So they should be tailored. There’s not just a background check. There are many different types of background checks and that might include drug testing. It might include self-assessments and disclosures that you require people to make. It might require repeating background checks every two or three years.

But it’s interesting, we’ve got to the point now where people are doing background checks, tick good. But now I’ve gotta take that next step in the maturity journey. Is that something you are seeing with people that you are speaking with?

Tim Stevens: It’s definitely on people’s minds. And the, the problem is that if you have one incident in either your company or a company that you do do business with or in your sector or, you know, multiple instances, it automatically puts everyone on alert, or it should do anyway.

If you’ve got an acute sense of, of, of risk and risk management, the question then becomes what on earth you’re gonna do about it. And we’ve seen, you know, historically, that surveillance of workers is deeply unpopular, can be very, very invasive and can be counterproductive, both in terms of the cohesion inside a company, but also [00:26:00] when it comes to the bottom line. You know, surveilled workers aren’t necessarily the productive workers.

You know, we go back to days of Fordism and Taylorism and thinking about the mechanized production lines and so on, and it, it was deeply unpopular and, and, and huge labor movements protested against it. So how do we implement those? One would hope that periodic review processes around performance development and so on would assist in that.

But I, I think there is a role for digital monitoring, should we say. I don’t like the word surveillance. I don’t think it’s appropriate in this case, although I think some companies do overstep the mark there. But, as a lot of what’s happening in companies involves the extraction or transfer of digital data, those digital systems need to be properly configured and monitored to ensure that the data is going where it should be.

And that can be a really, really difficult proposition. But it again, makes the point that any company that’s serious about risk management needs to treat cyber risk or digital risk as a business risk. And therefore decisions about it need to be made at the highest levels in a company and be properly resourced and understood, which isn’t always the case.

Repeated [00:27:00] surveys of FTSE 100 or FTSE 500, or whatever kind of subset of corporate entities you wish to examine, repeatedly show that awareness, understanding, investment, and therefore resilience are not where they need to be in respect of issues around digital sabotage, extraction, and so on, and in fact in general around cyber insecurity.

So there’s a lot of work to do, but you know, the overarching paradigm here has become, you know, I’m sitting here, you say, you were a different Dominic than you were five years ago. I’m a different scholar than I was five years ago. Five years ago we were probably talking about security still. At least, you know, thinking about the industry and so on.

But very quickly, resilience has become the watchword, and undoubtedly the pandemic has had a huge impact, effect. And we are now seeing, for example, in the UK where I am, that resilience is now above security and risk management.

When it comes to an overarching sort of rubric, if you like, for understanding these issues, resilience accepts that bad things are gonna happen. It’s [00:28:00] just about how you deal with them. How do you absorb the impact of a particular incident? How do you recover from it? How do you adapt and learn, and be better positioned to deal with these things in the future? It’s an outgrowth, if you like, of risk management for sure, but it’s, it’s definitely now the kind of cohering, I don’t wanna call it a buzzword, but it’s the, the policy concept, shall we say, that’s even bigger than security or risk.

Dominic: And, you know, critical infrastructure really is, is about adjacency. And, and many of our listeners, and the International Risk Podcast is blessed with some, you know, amazing listeners, and business leaders and policy advisors from across Europe and North America, and really around the world. And I’m speaking to our listeners right now that, you know, your business might not be critical infrastructure, but I guarantee you depend on it.

You rely on the power, the ability to transfer data. You rely on the ports and the railway systems that keep society functioning. And we know that a near miss at a local substation, we saw that in London, Heathrow, at the airport, or a faulty cable or a cable being cut in the Baltic can very quickly [00:29:00] become business downtime.

In June, the European Council explicitly highlighted sabotage and, and critical infrastructure disruption as one of Europe’s biggest risks to both companies, but also government entities. So, Tim, if you were sitting in front of FTSE 100 CEOs or S&P 500 CEOs and you were trying to get ’em to understand the benefit, ’cause everything in business is a cost benefit analysis.

And if companies are saying, look, we are not critical infrastructure, or we don’t own critical infrastructure and we haven’t been hit yet, and there’s so many things I need to be spending money on, how do I justify spending money now on preparing for an attack, preparing for some sort of a hybrid warfare disruption to my company? How do I justify spending that when there’s so many other things that business leaders need to be spending their really precious capital on?

Tim Stevens: Yeah, I mean, there’s a couple of things to say about that. The first, I mean, I don’t like the phrase every company is a tech company. I’ve heard that so many times, but there is a grain of truth in it, which is that all companies large and small depend upon various sorts of technology infrastructures [00:30:00] to do their daily business and to generate the income that they need to support their everyday existence and to invest in the future.

Now, that’s a very sort of top level pitch. And, um, you know, every FTSE 100 board has heard that a thousand times, no doubt. But the thing about this conversation is that it’s all about understanding your dependencies. And you can’t just draw a line around a company, construct a perimeter and just say, you know, bad things aren’t coming in, and we’ll do everything we can to prevent it, because that’s not how these systems work.

Everything is interconnected. You are connected to the energy grid. You are connected to water. Your supply webs are probably transnational and I doubt you’ve even got visibility of the whole thing. And it’s understanding your dependency because your dependency is both conceptually and practically a vulnerability.

And there’ll be many different types of vulnerability that come from many different types of dependency, and through a proper risk assessment, and then management of that risk, you can begin to understand those vulnerabilities and dependencies and really think about what happens if. Disappear. What happens if it breaks? What happens if we can’t access our data center for 36 [00:31:00] hours? What happens if X, Y, and Z and actually enumerating and quantifying the direct effects on the company in question.

And that’s before we consider all the secondary effects, effects that it has on clients, on consumers, on suppliers, and of course on a whole range of other actors in which every single company is embedded. Now, starting from scratch to do that is difficult, and particularly for small to medium enterprises who can’t necessarily invest resources in these types of risk assessment and management practices.

They can’t necessarily buy in third parties to advise them on it. They don’t necessarily have, you know, the, the financial legal expertise to think about the implications of it. But they have to start somewhere, which is why, you know, many countries are beginning to, or have already implemented certification or self-certification schemes that, that start from a relatively low level and say, let’s get the basics right.

You know, do you have offsite cloud storage? You shouldn’t be operating a business these days without that, for example. So you are essentially purchasing a third party storage function from a data storage [00:32:00] company. You know, something as simple as that.

Have you got password protection on your every company machine? Starting from a very low level and then building up slowly and gaining certification. One of the things that you can tell, of course, a director of a company or a board is saying, is encouraging them to think about these as marks of quality and as marks of trust.

So if you have an ISO 27001 certification, it says that you are doing information security right, then that should be something that you could brand yourself with. Say, we’re a trusted company, we’re doing everything we can. If you don’t have that, then you need to be asking questions and you need to ask questions of your suppliers as well.

So what are you doing for information security? Because we depend on you. We rely on you. But if your information security or other forms of security are poor, that’s gonna affect us. So demanding that in contractual terms, that everybody in the supply web is doing its bit to raise the levels of security and resilience, but that can only really happen.

If you like, there are some very good examples of sectors that do that. The finance and banking sector, for [00:33:00] example, is really good at doing this because they’ve had enormous resources to throw at it. But if you look at construction or if you look at legacy systems in healthcare that have been sometimes there for, for years and years without being updated or assessed in any way, it’s really difficult to think about what resources they could possibly spare.

You look at your mom and pop stores in the States, you look at cash strapped US municipalities. You look at builders merchants in the UK or across Europe and so on and so forth. These companies don’t have it, but there are some steps that they can take to begin to raise the bar a little bit and therefore make themselves more secure in the short term and more viable in the long term.

Dominic: And whilst I am always the first to want to avoid getting bogged down in, in regulation, and we know that the European Union are experts at creating regulation to strengthen society and sometimes slow down business perhaps, but nevertheless. I need to be careful what I say, or we might find that there’s new regulations created for our podcasting.

So I’ll, I won’t say too much more about that, but is the current [00:34:00] regulatory regime, whether it’s around companies that provide energy or undersea cables or telecommunications, sufficient enough? Or is that one of the solutions to this problem of hybrid warfare?

Tim Stevens: Well, you, you can’t regulate your way out of what is essentially a political situation. You know, Russia isn’t doing this because it’s thinking about how to get around EU regulation. It’s doing it because it wants to generate political and strategic effect. Ultimately, the decision to conduct these operations lies with them, and they’re proving quite difficult to deter through conventional means.

All we can do really is try and make it more difficult for Russia or any other adversary to create those types of effects in our infrastructure. And the EU, you know, I know people like to draw attention to its, uh, affection for regulation. But when it comes to critical infrastructure, it has undoubtedly done quite a lot over the last decade or so to improve things through the Network and Information Systems Directive and also rain, which is now going through its second iteration.

And other forms of regulation as well around critical infrastructure. Again, it can’t be about preventing [00:35:00] Russian hybrid operations. It can only be about securing and making more resilient the systems that we have control and authority over. And it has done an awful lot in terms of raising that bar. And raising awareness around the issues. And, and I think this is one of the interesting things, we started this conversation by saying that attacks on critical infrastructure are more visible now than they ever have been.

Well, that is true, but when you ask companies, do you understand your estate, whether that’s your physical estate or your digital estate, they often look at you blankly, until they start looking around and then finding that they’ve got dozens if not hundreds, sometimes relatively unsecured systems on the periphery of their networks, whether that’s outbuildings, warehouses, computer systems and networks, that may have been there sometimes for decades that are relatively insecure.

So raising awareness about the possible entry points for attackers is a really interesting proposition. The UK government did a recent audit of its digital estate and found hundreds of systems that were essentially open to the web. There are local council [00:36:00] websites that had never been properly secured and then they’ve been forgotten about, never been updated, and so on and so forth.

And all of those entry points, because this is one of the interesting things about critical infrastructure. You don’t need target start edge. You worm your way in. And if you think about, supply chain is a bit of a misleading metaphor. They are supply webs that ultimately are serving a central customer, if you like, whether that’s the general public or utilities company or government or whatever.

But you can start at the outside and work your way in. But if you’ve got legacy systems, if you’ve got unsecured facilities, those are potential entry points for a future attacker. And understanding what you actually have, what your assets are, and understanding the security of those assets is not the worst first step to addressing these issues.

Dominic: Thanks for explaining that, Tim. And just perhaps in the last minute, Tim, when you look around the world, what are your biggest concerns when it comes to international risk and critical infrastructure?

Tim Stevens: I think the biggest concern is that an adversary who is currently playing or meddling with foreign critical infrastructure makes a mistake. They overestimate their own capabilities [00:37:00] or their understanding of the effects of a particular type of operation and cause an incident that leads to civilian harm or death. At which point, if that’s a NATO country, we are in Article Five territory, which is the collective self-defense clause of the North Atlantic Treaty.

And making those miscalculations isn’t just then an issue of insecure industrial control systems or networks. It becomes a political, strategic issue with military implications. And those kinds of miscalculation, misjudgment, I think should be of deep concern to strategic planners.

But also, you know, I don’t wanna concern people overly here, most of these systems have got fail-safes. We have a certain amount of resilience, but we have seen examples where, as you mentioned earlier, major airports are unable to land planes or water is unable to be delivered and power goes out — and ask the Ukrainians how often the power has gone out. And, you know, so it’s that miscalculation, misjudgment and the inability actually to always foresee the implications of one’s actions that I think should be [00:38:00] of deep concern to all of us.

Dominic: Thanks very much for explaining that, and thanks very much for coming on the International Risk Podcast, Tim.

Tim Stevens: It’s a pleasure. Thank you.

Dominic: Well, that was a great conversation with Dr Tim Stevens of King’s College London. He works on cyber risk and the politics of technology, and I think the conversation was really good in helping us understand the vulnerabilities of critical infrastructure, the critical infrastructure that really shapes our connected world.

Today’s podcast was produced and coordinated by Katerina Mazzucchelli. I’m Dominic Bowen, your host. Thanks very much for listening to the International Risk Podcast, and we’ll speak again in the next few days.
