For those interested in the "nuts and bolts", this summary is adapted from the transcript of a session presented by Project Seshat at the 2021 (virtual) conference of the International Association for Conflict Management (IACM). It has been edited for length and clarity.
Featured here are four of the project’s security experts:
Calvin Chrustie is described at the Who We Are page.
Chris Corpora is director of strategy and research at IN2 Communications, a consulting firm which focuses particularly on Africa, the Middle East and Southeast Asia. Now based in Istanbul, Chris was previously a professor of practice in intelligence studies at Mercyhurst University, and before that served with multiple US government agencies in security related work, including with the US Department of State, the Office of the Director of National Intelligence and the Department of Defense.
John Gilmour was employed for 37 years with Canada’s federal government, most recently as the Head of Strategic Planning and Operational Analysis in the Counter-Terrorism Division of the Canadian Security Intelligence Service (CSIS). He is now focusing on academic pursuits, instructing on terrorism, counter-terrorism and intelligence issues at both Ottawa University and Carleton University.
Anne Leslie is a senior managing consultant in cybersecurity at IBM, based at its Paris office. With previous expertise in banking, her focus is on helping international corporations, particularly financial services firms, keep pace with an ever-changing threat landscape, and her special interest is in the human dimensions of cybersecurity.
Véronique Fraser, Chris Honeyman and Barney Jordaan (Moderator) also spoke. Most of their comments, however, duplicated material found elsewhere on this website, and are omitted here.
Barney: I’d like to start with three questions. First: What’s in a name? Some people refer to grey zone conflict, others to hybrid warfare or other terms. Does it matter what we call it?
Anne: It’s hard to land on a single definition. That’s better than being dogmatic. We’ve been debating it and being intellectually curious. The multiple definitions show different priorities, and the language we use shows our different focus. This is a central attribute of the wicked nature of the problem.
John: We are looking at different ways of defining it. Russians tend to call it nonlinear warfare; Chinese call it unrestricted warfare. We’ve also heard unconventional or nonconventional warfare. The main difference seems to be in one view considering hybrid warfare as consisting only of the soft power kinds of influences, such as cyber warfare or media influence, but there’s no integration with conventional warfare. But the Russians, when they talk about nonlinear or hybrid warfare, are more than willing to also consider conventional warfare within their definition. If your response is geared only toward the soft power tools while your opponent is treating conventional warfare as one of the elements, that’s a problem.
Calvin: This question has generated a lot of dialogue, in the effort to create a group understanding of what hybrid warfare etc. really is. Even using the same term, different parties understand different things, and we’ve tried to take an all-encompassing view. We want to have a better understanding of all the possible implications for various forms of negotiation and conflict management, including a cascading impact on practitioners. We have yet to land on or accept a single meaning.
Barney: Does a state actor have to be involved, for a campaign to qualify as hybrid warfare?
Calvin: I find it useful to be inclusive of state actors in the definition, to allow us to understand the broader activities and risks.
John: I agree that the nature of the strategy is that the state is part of it, that’s required for central control, although non-state factors can be involved—such as GAZPROM and cybercriminals in the case of Russia, or the triads in the case of China. But for there to be a central strategy, the role of the state is essential.
Anne: I’d concur. An example is drug cartels, and the locus of power. A state actor is still involved, but their power is not necessarily what you’d think—it varies in different situations. As a cybersecurity professional I had a very business-focused frame of reference, I hadn’t been systematically thinking about state involvement in my daily conversations, and the multidisciplinary composition of our team helps us counteract our natural biases.
Chris C: Yes. War itself, as we understand it in the modern era, involves states, so states should be included even in cases of surrogacy (large governments outsourcing much of their war work, including the U.S.). But in grey zone conflict, states themselves are always in play.
Barney: How does hybrid warfare or grey zone conflict fit into the larger geopolitical situation?
Calvin: I think we’re seeing hybrid warfare fit into all social media, with attacks from China, Russia and Iran, and that cascades into financial, political and diplomatic negotiations. And not just into the higher end, strategic type disputes, but these geopolitical disputes are even cascading into your own community.
Barney: Some people say this is all the business of the security agencies, and not really anyone else’s problem. Are western security agencies well equipped to deal with hybrid warfare threats, or should others be involved in this domain?
John: Most of the targets of hybrid warfare are in the private domain, requiring a multi-sector response including states. This is no longer an intelligence or even whole of government response, but beyond that.
Chris C: Certainly there should be interest. But it would be naïve to expect states to share secrets. States don’t interact well with other sectors. It’s a culture shift for the agencies.
John: And as to “are western agencies equipped to deal with these threats?” Most of the attacks center on commercial and private domains right now. It’s necessary that agency leadership explain in the clearest possible terms the nature of the possible threats. For example, there could be a need for public information campaigns about how disinformation works. It’s no longer an intelligence or even a while-of-government response that will work, but multi-sector. That includes the sharing of information. There’s always been a challenge in sharing information with front line responders who aren’t cleared.
Chris C: There is a lot to learn. Sometimes there are competing conceptions, not just interests, among the states. Authoritarian vs. democratic: There are laws in Western states that limit some kinds of activities; not so much for authoritarian states. It’s the logic of how we understand our societies. The authoritarian states seek to preserve their power structures, not necessarily the interests of their citizens. There’s a logic there, but it’s a completely different logic than we’re used to. Same with transnational criminal activities. Modern policing is often a step behind, because of the shackling of police authority and the broad sweep of activity.
John: I look at it from three different circles. Agencies—intelligence or police—may be best positioned to analyze how diaspora from given nations may be supporting hybrid activity or attacks. When it comes to disinformation campaigns, that’s something for a partnership between these agencies and social media or conventional media. When it comes to cyber attacks, I think that's where private sector or commercial interests, through osmosis or evolution, have assumed leadership in identifying and countering them. They are always leagues ahead of the public sector at least when it comes to identifying or responding, and that's where most of the attacks are taking place right now. So it's sort of a phased approach, but I think intelligence or law enforcement agencies from the government certainly have a critical role when it comes to identifying or ensuring that private sector companies have the ability to identify threats and to train against threats.
Barney: Which is a perfect point to move to Anne. Anne, that's pretty much your business, right, cyber threats? And how in your experience do those impact negotiations, for example decisions on whom we even deal with, or issues of confidentiality, strategy, ethics and so on?
Anne: Absolutely. I should first say that this is not linked to my employer—just in general. What I’ve seen in the private sector—I’d actually go a step further than what John was saying—is that it's not that we need just a sectorial response, we need private sector leadership to contribute to almost the whole of national responses. One of the things that concerns me about the private sector is that while there is definite sophistication, and expertise, and arguably an ability to detect and respond to threats faster than the public sector, I worry about the incentives, and I worry about how the private sector frames the issue. We have a tendency, from what I’ve seen, to look at cyber-attacks in isolation. At best we might look at a series of attacks as a campaign. But we very rarely take a step back and say “what might this be executed in the service of?” And that's where the frame of reference of the public sector and the intelligence agencies is extremely important, because corporations and particularly large corporations are beholden to their shareholders, and we function on a quarterly basis and we mitigate immediate risks. Whereas there is an aspect to the hybrid / grey zone conflict which includes very long-term campaigns of attrition, with potentially barely visible effects if you're looking at them on a quarterly basis. What I wonder about the private sector is, will a category of leaders emerge spontaneously because it's the right thing to do? Will the public sector and notably government have to intervene, and push/urge/coerce action through legislation, so that there is a different type of behavior? Because left to its own devices, right now there is some change in the private sector, but is the pace of change adequate? I don't see corporations integrating the potential threat to national security into their decision-making mechanisms unless there is external influence coming from a government, for example.
Barney: Calvin, do you think that business understands the interconnectedness between the various forms of activity, or are they so focused on dealing with one issue at a time that they don't see the bigger picture, the whole systemic aspect of hybrid warfare?
Calvin: When I look at the key stakeholders and go back to the original discussion that Chris Honeyman and I had at the outset, you know we looked at lawyers and businesspersons being almost the first responders in many of these disputes that we were seeing in this area, in terms of financial takeovers etc. But do they have an understanding? I don't think even the public sector really has an understanding. If you talk to people in the military, professionals in the whole area, they look at it historically, through terrorism and other “traditional” aspects of it. They weren't really looking at how transnational organized crime was connected to it. And you get the cyber people looking at it through the technical lens, and even they don't look at it sometimes through the human element lens, and this is actually a criminal activity, and you know—where's all the money going? And what it's being used for? So I think neither the public sector nor the private sector has a complete understanding of it. I’d highlight a book called Discourse, Dissent and Strategic Surprise (2006: Janne Nolan and Douglas MacEachin 2006. Available at https://isd.georgetown.edu/sites/isd/files/Discourse_Dissent.pdf). They really talked about some of these emerging threats and how problematic it is for leaders to grasp the complexity of them. I really encourage people to take a look at that, because I think it highlights both the psychological challenges and some of the conflicting objectives and policy impediments.
Barney: So you're saying it's not just businesses that are focused on individual aspects of the cyber, or the hybrid warfare threat, it's sometimes the agencies themselves, right?
Calvin: The mind always shifts to simplicity, looking at things more in a linear way because it's probably easier to process. But in this particular case the complexities and the interconnectivity of the activities, I think, are critical to understand, if one is to be effective or efficient with these issues in a dispute situation or in a negotiation process.
Chris C: I couldn't agree more. It's an institutional issue. We've gone to almost hyper-specialization, especially in the West, while technology has gone to being available to a broader and broader set of people. So, we don't have really solid generalists anymore. Especially in government, agency structure and focus follow the budget streams. You know: “I work for agency X and agency X is funded to do Y and so that's where the focus is.” And even if you're interested, or you do see the connection points, it's very difficult even in this era with all the talk of interagency cooperation. I can't speak for the Canadian experience, but in the private sector the issue really is “is action in their interest right now and dead-on?” That’s about shareholder value, so any commercial activity is a very different thing than the public sector stakeholder value, so there's already a competition or a disconnect there. There have been some attempts to bring these sectors together a bit more, and get them not to make it too normative, but cooperate and participate in these areas. But the best way to get the private sector involved is to show them how they're going to lose money, or their business is going to be damaged. Normally it's around IP or brand issues. For example, this is why you see many clothiers now, and other types of producers paying a lot of attention to ethical labor standards. Corporations have not historically been the biggest supporters of labor rights—we all know the history—but now there's a recognition that “oh wow people are gonna stop buying my chocolate or stop buying my clothes, if I’m seen to be a bad player in this space.” So they're incentivized now to do better. The governments just don't have the ability to intervene on every single one of these cases. So it really behooves these companies to have more of an investigative mindset, and to be a bit more aware and interactive. Another issue that limits public-private cooperation is the hesitancy to share any information that puts the corporate reputation at risk if known to the public. Companies avoid airing their dirty laundry with others because it often has a direct negative impact on the bottom line. So, it is rare for them to share information about an internal threat or an exploited weakness with government agencies because of the risk of leaking the information, which is very often a constraint on cooperation.
Barney: John and Anne, the question that's linked is, is the focus perhaps too much at the moment on cyber security, to the exclusion of other aspects of hybrid warfare or other threats associated with it? And what can organizations that specialize in, for example cyber security, do to help create bigger awareness of the total package, the whole scope of the threats?
Anne: Is there too much focus now on cyber security? Arguably yes but that's an easy criticism, with the scale and the volume, the severity of attacks right now, you couldn't not pay attention to it. Indeed, that said, there's a lot of underappreciated merit in security to doing simple things much better than we do. We do have a tendency as an industry to not be brave enough to have common sense conversations about what could we do better. We have a lot of conversations about why we can't. We have a lot of conversations about why there isn't enough money and why we don't have enough people. I would love to see leaders, particularly C-suite leaders, push their management teams by asking simple questions. Such as, if we got hit by a ransomware attack today or tomorrow, each of you, what would you be doing? And if they don't get a clear answer, that's when you know you have work to do, because if you're well prepared the answer is simple, because people know. I would really love to see management in companies start having these conversations and to stop prevaricating, and a lot of it is common sense. So, is there too much focus on cyber security? No I don't think there's too much focus, I think it's necessary focus; but it would be a mistake to focus only on cyber security to the exclusion of other things. The impetus now should be looking at the scale and the severity of the attacks. That is an impetus to start sharing information differently, to behave differently. If we keep on behaving the way we're behaving right now, we're going to keep having the same results, trying to put out fires after they've happened. We need to do better. But it doesn't necessarily mean it has to be more complex; it means making better choices and being more focused and interacting differently with stakeholders in the ecosystem.
Barney: Anne, you yourself are involved in consulting on cyber security. Would you think that your peers in that sector are sufficiently equipped to advise businesses on the broader threat, the broader kinds of actions that might be associated with cyber-attacks, but might be invisible elements involved as well, in what seems on the surface to be a straightforward commercial deal? Or is it also so specialized in your sector that people only focus on the cyber security element and not the bigger picture?
Anne: At the risk of doing some people a grave injustice, for which I will apologize up front, my view on that would be no, we’re not well equipped. We have a frame of reference which is focused on managing proprietary business risk. In some sectors like financial services, where the nature of the business means that there is a relatively well understood systemic risk, that's where you start to see public sector supervisory agencies getting involved, saying we need to share better, we need to orchestrate better, because your proprietary risk is not just your own. The banks and the nature of the financial services sector means that there are interactions and connectivity issues between institutions. Since maybe 2018 this has become much more of a focus for supervisory agencies. Coming back to your question about people like me, broadly I would say ”no”: we are asked (regardless of our employer) as consultants to serve the present needs of a particular company, and they are in my experience never framed in terms of considerations that go beyond the confines of that company. Even when we might be talking about advanced persistent threats that could be coming from nation-state actors, we will look at it through the lens of the impact for a company. I’m not shedding blame or casting aspersions on anybody, it's just a fact, we don't look at it in terms of the societal impact, what it might mean in the aggregate for a nation. It's looked at through the lens of business risk and impact, potential profit/loss for a company. My personal view is that needs to change, because even with the best of intentions of not being manipulated or instrumentalized, the reality is that people—and I refute the statement which says people are a company's weakest link—we need to put in place mechanisms that protect employees. We need to train them, make them aware, and allow them to apprehend the threat themselves. Calvin has a great saying that he borrowed from somebody else which is “You may think that you're too small for geopolitics to care about you, but it does.” And regardless of their company or their role, everybody needs to realize that this is a cause that is bigger than ourselves. We have to be aware of it, to have a questioning mindset, to wonder and to be inquisitive about things that may well impact us in the context of our work.
Barney: John?
John: I guess three thoughts on that. First of all, most successful cyber security attacks are a bolt out of the blue, they're unexpected, they're difficult to defend against. And the nature and the scope of the attacks, because they're new, because there is no means to defend against them, becomes somewhat sensationalized. And so there's a lot of public focus on that, which leads to the second point. I think there is something of a symbiotic relationship between those who are attacked or the attackers and the media, because the media will of course focus on the nature of a specific attack, saying “200,000 bits of private information have been leaked” as a result of this attack and of course individuals say “oh my god am I affected” and it sort of snowballs after that. So I think the nature and the scope and the unexpected nature of cyber-attacks creates something of a symbiotic relationship between the media and the nature of the attacks, so it gets a lot more exposure. But I think the big difference is that while there's a tendency to focus on the specifics of an attack, the broader strategies related to hybrid warfare are not touched on to a similar degree, within the media or other platforms that get to the general public. For example, you're not going to hear a lot about influence activities on the part of Russia and local media in Estonia or Belarus or Ukraine or anything along that line, because they may not realize it's happening. You may not hear a lot about Chinese influence in cultural community groups in Canada, or how they influence Chinese students who are studying in Canada, and the obligations or the pressures put on them in Canada as part of broader hybrid warfare, because there's a challenge in appreciating that particular tool. So cyber-attacks just by their nature and the relationship with the media get a lot more attention, and by virtue of that, get greater visibility, and governments and the private sector are asked to do something. But for 80% of the other tools that are employed by states as part of their broader hybrid agendas or strategies, you hear very little. Not to say that they're not going on, and not to say in the case of Russian influence activities or information influence activities they're not just as important in the long term, in terms of the objectives or the strategies of hybrid warfare of individual states.
Barney: How do we bring that awareness through to executives and students, via law schools, business schools and so on? What kind of training should we be doing to try and bring this awareness to the business world in particular?
Véronique: I think the first thing is that MBA and law students should be educated about these new threats. I remember when Chris H started this project he rarely encountered somebody that even had heard about hybrid warfare. A lot of people in our field, this dispute resolution field, had never heard about it, didn't even know it existed. So I think the first thing is to be sensitive to the fact that it exists, and also understanding exactly what it is what it entails. And I think one of the most important things, once you know that it can exist, is being able to recognize the signs that we are maybe facing a hybrid warfare case. Second, as part of the dispute resolution field I focus really on negotiation. Once you're able to recognize the signs, you should be able to know what are the alternatives to negotiation. Is this a case where you have to engage in negotiation, or are there other alternatives? Can you go to government, can you raise a flag? So what are the options? And if we choose or do have to negotiate, what negotiation techniques would work? What do we do in a case like that?
Barney: John, your thoughts on that?
John: I guess to some degree my thoughts only emphasize what Anne and Chris have already said. With the allure of easy money that serves to enhance stock prices or save a threatened industry, it's often hard for domestic-based industries or communities to resist. So how do how do governments compete, promoting what is essentially an intangible security-related narrative that may otherwise serve as a disincentive to proceed with the deal? What's the response to business, who is always going to ask “what's in it for me?” when it comes to promoting strategies to counter hybrid warfare? Until you're in a position to answer those kinds of questions fairly succinctly, and short of the public shaming which Chris C touched on already, how do you culturally address those kinds of questions of “what's in it for me?” when the students get out into the real world and they are faced with the demands from their CEOs and COOs to increase stock prices? Or keep the company afloat? Or sell 50,000 more widgets? Until you're in a position to say “what's in it for me” that kind of education in a sterile academic environment is probably easy to do; but when they get out into the real world, that's where the challenge is going to be. The commercial industry and the legal industry, in my view, has to look on it from a due diligence perspective: to say “in the interest of the company is this something that we need to tunnel down and take a hard look at?”
Chris C: One thing that I think flows from this is ethics. Business ethics need to be rethought to some extent, it's really what Anne’s getting at as well. We can't expect some kid coming out of school even with an MBA to stand up, you know like David and Goliath. They're going to get eaten alive, and even if they survive, they'll go do something else. It has to come through leadership from the top, as Anne suggested. And one of the things we've seen is, some of the behaviors change when the courts get involved, and actually start putting real penalties on people for doing the wrong thing, for turning the blind eye. I mean the FATF (Financial Action Task Force) has been great for this for money laundering. But also, if we look at the cigarette industry, when the courts started really adding zeros to the penalties for “we don't care who we wholesale our cigarettes to” it started to affect the bottom line for real, as well as the reputational side of it, because the courts are very public with those verdicts. So, I think it's a hard thing to do, because now we're talking about public-private partnership, but we're also talking about the public sector in some ways holding the private sector more accountable.
Barney: So if you have them by the purse, the hearts and minds might follow.
Calvin: Could I just add another dimension that hasn't really been looked at. in the world that I live in, I often get called by law firms or CEOs, and quite often they don't know the dispute that they're engaged in. They don't really understand who they're having the dispute with. It may look like there's a mouse across the table but there's actually an elephant across the table. And I think, aside from those ethical arguments which is one dimension of this, that was really what motivated me to reach out to Chris H to initiate this. I just saw so many people sitting at a boardroom table, whether they were dealing with a state kidnapping, whether they were dealing with some type of internal threat from some client that they didn't quite understand that perhaps wasn't just a crazy person but was maybe a state actor, whether they were in a real estate transaction with a foreign entity and they were not thinking that their whole negotiation strategy with their legal team was completely transparent to the other side because of the cyber capabilities of the other party. And the list can go on and on. But I really think that business leaders and lawyers are where most of this first response happens, and they don't even know what they're really dealing with, in a dispute or a negotiation. I think they're at a disadvantage and a power imbalance, because they don't even have an awareness what that power imbalance is. So I think it's super important also just from the negotiation / dispute resolution process point of view.
Chris H: Barney, you have your own expertise, you're teaching MBA students and perhaps undergraduate business students as well, and you're dealing with the next generation of business executives. They will have to work their way up and they are going to start with no power. But I would ask, what barriers do you see, and what possibilities do you see, for courses in this material to be created in business schools? Or following what I’d call the Len Riskin model of how to teach lawyers, embedding hybrid warfare or gray zone conflict problems into courses that ostensibly are not about that, for business students? What are the prospects there?
Barney: I think one aspect is business ethics that one should sharpen the focus on. On business ethics, why should companies be doing the right thing amounts to two arguments: because it is the right thing to do, or because it's in their own interests—"what's in it for me.” The challenge is to make out a case to say, whether you think it's the right thing to do or whether you do it for your own self-interest, you ought to be doing this and this and this. And probably because it will affect your pocket, even if it's the right thing to do, it will in any event be the best thing to do for you as a business. I think refocusing teaching on business ethics is the other aspect—and at Vlerick this is what we are busy doing. We can also link it to this basic business philosophy. And I think until the Milton Friedman idea that “the business is there only to take care of its shareholders”—until that idea is dead and buried, finally, and people start talking about “the role of the business is to look beyond just the shareholders to the society at large as well” I think that also has to be addressed. The emphasis on sustainability, I think, is at the moment the right angle to take. There are more and more companies talking about sustainability, looking at stakeholder interests, not just the shareholder interests. So I think what one can do is package business courses both for executives and for MBA students that specifically focus on this. But not on its own—as part of sustainability, as part of business ethics, as part of risk management. If you can link it to any of those topics, I think it starts making business sense. But you can't go and preach it as the right thing to do for the sake of society only. I think there are very few businesses that will buy into the idea only for that reason; it's back to the old thing of “what's in it for us?” What we're doing at Vlerick is pretty much incorporating these things now, and I think the cases that we're busy developing in the different teams will certainly assist a great deal to create that awareness. At business school level it's quite easy to create awareness by using cases. I think it might be a little bit more difficult at law school to do so, but in business school it becomes a bit easier to create that awareness, because of the way one teaches there.
Barney: Questions?
Roy Lewicki: I’m retired teaching from a business school and I would have two reactions. The first is, the structure of business school education is to segment all the pieces of managing a business into separate courses that don't talk or relatively rarely talk to each other. So accounting and finance and marketing and statistics and whatever all have their own lenses, their own frames. We're sort of looking at a business problem and pulling it apart using the tools of that particular lens. What you’re suggesting, what we're talking about here, is an integrated or a broader frame that brings many perspectives together. And quite frankly that's been a major failure of business education, in the capacity to be able to do that, in other words to restructure the curriculum so that they can see multiple perspectives on the same problem. The second thing I would say is that business ethics is one example of another frame that can come out as a business problem. I’ve taught business ethics and leadership ethics in the business school for at least a decade. The hardest thing to do is to get people to understand that that's an appropriate lens for looking at a problem, and understanding that that lens suggests action strategies, which accounting or finance or law or something else might not be able to do. Again my point here is, understanding these complex problems requires a series of integrating and/or showing how multiple perspectives work on the same problem, and business education has not been well suited to do that, for a whole variety of reasons regarding the way the way it gets taught. Maybe political science or psychology would do that, but I’m not confident about this in business schools.
Barney: Maybe I’m in a fortunate position. At our school we teach particular themes, and bring faculty from different disciplines in for example around sustainability. And that includes issues of the UN development goals, it includes issues of ethics, it includes issues of corporate social responsibility, and so on. So there's certainly an effort to do that, and I agree with you that's probably the only way to do it is to start getting faculty to actually coalesce around particular themes that can incorporate the kind of things we are talking about someday.
Sanda Kaufman: I hate to say this, but planners and environmental studies people are slightly ahead on this because our students have practicum and capstone experiences where they treat a subject and bring in different expertise. Barney sounds like he's doing that too. But for us it's been a tradition, and we actually have to. You can't treat a planning issue as if it were a business, it's a totally different thing, it's in the public domain with multiple stakeholders who all have a say and voice. And so we do that all the time. And we bring in a standard list of who you need to bring in on a consensus building problem. It always includes scientists, but it also includes various specific transportation and other aspects that are specialized, but brought together for the specific topic.
Chris C: I’ve taught the last five years full-time, and generally in the international security space and in some unique places. But still the whole siloed approach to understanding even just international security or international politics is problematic. The educational approach should be more multi-disciplinary because we must start recognizing the relationships between these sectors or silos. There needs to be a movement, not away from specialization, but a balance between specialization and general, functional knowledge. We don't spend enough time giving our students a solid foundation, as well as a capstone experience that brings it all together and forces them to see the ugly truth of how complex some of this really can be. I think that's one of the best things you can do for your students, spend maybe a little bit more time at that foundational level and make sure they really get a solid capstone at the back end. Certainly in international security and studies of complex conflict that’s effective.
Roy Lewicki: I think we have to at least get some idea about the beginning set of analytical tools that you want a student or a group of students to come at that situation with. I don't know how you start pulling the strings apart and seeing what's there, without some primitive set of tools or whatever for analyzing whether it's a stakeholder analysis, whether it's a multi-group interest-based negotiation, whatever it might be. I would not want to go much more than two or three classes with students without this, in order to give them some help as to what approaches or perspectives are most useful for at least beginning to pull that situation apart and understand it more thoroughly.
John: Is that accomplished really by bringing academic and practitioners together, as opposed to just academics in an academic society?
Roy Lewicki: Well, listening to the four of you who are practitioners, and trying to listen for what you know analytically, how you come at these situations, I’ve got a little hint of that. But I think that kind of collaboration would be critical.
Chris H: In a rudimentary attempt to start to think about mitigation of harm: Who can we work with for the future? The discussion today suggests to me two possibilities for getting past the “what's in it for me as a firm right now” mentality in the private sector. First, when private firms want to act in concert on some kind of problem (and that requires that they perceive it, of course), they tend to do this through industry associations. Because that's an established structure, it raises the question: are we overlooking a possible ally here? The parallel question that struck me as John was talking was, are we overlooking the insurance industry as a potential ally? Because the really core business-lines insurance companies, like Chubb, are engaged in insuring against big business risks, and when you started talking about risk management being a possible focus, that raised the question: Are we overlooking a possible group of allies there?
Anne: That's a really interesting point on the insurance sector because no later than last week there were some developments within that industry where they've been mobilizing as a grouping to put together a tool to actually (a) aggregate data across the sector with relating regards to ransomware and (b) to educate. Now this is where incentives are important and where there is a collectively beneficial aspect to the “what's in it for me?” mindset because it is in the insurance companies’ best interest to educate widely, so that the aggregate level of cyber hygiene across their policy holders is higher and in turn the overall incidence of claims is lower. Because the thing about ransomware insurance is that it's been used as a quick fix to mitigate a business risk, without the underlying vulnerabilities being addressed. But the nature of ransomware is actually different to a lot of insurable risks, in that ransomware could potentially be catastrophic across all companies, generating a cataclysmic ransomware event that you can't insure against. The insurance industry is already struggling to find underwriters, with an absence of historical data to cost the risk. The nature of the risk means that, well does anybody really want to underwrite it? In these circumstances, what's interesting is that the insurance sector isn’t simply saying “we're no longer going to insure this risk” but they’re taking proactive measures to make cyber risk and ransomware a manageable risk. So absolutely, I think there's a very interesting strand there around orchestrating better at an industry level with the insurance sector leading in showing a way forward.
Chris C: And it wasn't long after 9/11 that Marsh McLennan bought Kroll Security; so an insurance company bought one of the largest security companies at the time—I mean just bought it, whole cloth. I think that there's been interest in that sector for quite a while.
Featured here are four of the project’s security experts:
Calvin Chrustie is described at the Who We Are page.
Chris Corpora is director of strategy and research at IN2 Communications, a consulting firm which focuses particularly on Africa, the Middle East and Southeast Asia. Now based in Istanbul, Chris was previously a professor of practice in intelligence studies at Mercyhurst University, and before that served with multiple US government agencies in security related work, including with the US Department of State, the Office of the Director of National Intelligence and the Department of Defense.
John Gilmour was employed for 37 years with Canada’s federal government, most recently as the Head of Strategic Planning and Operational Analysis in the Counter-Terrorism Division of the Canadian Security Intelligence Service (CSIS). He is now focusing on academic pursuits, instructing on terrorism, counter-terrorism and intelligence issues at both Ottawa University and Carleton University.
Anne Leslie is a senior managing consultant in cybersecurity at IBM, based at its Paris office. With previous expertise in banking, her focus is on helping international corporations, particularly financial services firms, keep pace with an ever-changing threat landscape, and her special interest is in the human dimensions of cybersecurity.
Véronique Fraser, Chris Honeyman and Barney Jordaan (Moderator) also spoke. Most of their comments, however, duplicated material found elsewhere on this website, and are omitted here.
Barney: I’d like to start with three questions. First: What’s in a name? Some people refer to grey zone conflict, others to hybrid warfare or other terms. Does it matter what we call it?
Anne: It’s hard to land on a single definition. That’s better than being dogmatic. We’ve been debating it and being intellectually curious. The multiple definitions show different priorities, and the language we use shows our different focus. This is a central attribute of the wicked nature of the problem.
John: We are looking at different ways of defining it. Russians tend to call it nonlinear warfare; Chinese call it unrestricted warfare. We’ve also heard unconventional or nonconventional warfare. The main difference seems to be in one view considering hybrid warfare as consisting only of the soft power kinds of influences, such as cyber warfare or media influence, but there’s no integration with conventional warfare. But the Russians, when they talk about nonlinear or hybrid warfare, are more than willing to also consider conventional warfare within their definition. If your response is geared only toward the soft power tools while your opponent is treating conventional warfare as one of the elements, that’s a problem.
Calvin: This question has generated a lot of dialogue, in the effort to create a group understanding of what hybrid warfare etc. really is. Even using the same term, different parties understand different things, and we’ve tried to take an all-encompassing view. We want to have a better understanding of all the possible implications for various forms of negotiation and conflict management, including a cascading impact on practitioners. We have yet to land on or accept a single meaning.
Barney: Does a state actor have to be involved, for a campaign to qualify as hybrid warfare?
Calvin: I find it useful to be inclusive of state actors in the definition, to allow us to understand the broader activities and risks.
John: I agree that the nature of the strategy is that the state is part of it, that’s required for central control, although non-state factors can be involved—such as GAZPROM and cybercriminals in the case of Russia, or the triads in the case of China. But for there to be a central strategy, the role of the state is essential.
Anne: I’d concur. An example is drug cartels, and the locus of power. A state actor is still involved, but their power is not necessarily what you’d think—it varies in different situations. As a cybersecurity professional I had a very business-focused frame of reference, I hadn’t been systematically thinking about state involvement in my daily conversations, and the multidisciplinary composition of our team helps us counteract our natural biases.
Chris C: Yes. War itself, as we understand it in the modern era, involves states, so states should be included even in cases of surrogacy (large governments outsourcing much of their war work, including the U.S.). But in grey zone conflict, states themselves are always in play.
Barney: How does hybrid warfare or grey zone conflict fit into the larger geopolitical situation?
Calvin: I think we’re seeing hybrid warfare fit into all social media, with attacks from China, Russia and Iran, and that cascades into financial, political and diplomatic negotiations. And not just into the higher end, strategic type disputes, but these geopolitical disputes are even cascading into your own community.
Barney: Some people say this is all the business of the security agencies, and not really anyone else’s problem. Are western security agencies well equipped to deal with hybrid warfare threats, or should others be involved in this domain?
John: Most of the targets of hybrid warfare are in the private domain, requiring a multi-sector response including states. This is no longer an intelligence or even whole of government response, but beyond that.
Chris C: Certainly there should be interest. But it would be naïve to expect states to share secrets. States don’t interact well with other sectors. It’s a culture shift for the agencies.
John: And as to “are western agencies equipped to deal with these threats?” Most of the attacks center on commercial and private domains right now. It’s necessary that agency leadership explain in the clearest possible terms the nature of the possible threats. For example, there could be a need for public information campaigns about how disinformation works. It’s no longer an intelligence or even a while-of-government response that will work, but multi-sector. That includes the sharing of information. There’s always been a challenge in sharing information with front line responders who aren’t cleared.
Chris C: There is a lot to learn. Sometimes there are competing conceptions, not just interests, among the states. Authoritarian vs. democratic: There are laws in Western states that limit some kinds of activities; not so much for authoritarian states. It’s the logic of how we understand our societies. The authoritarian states seek to preserve their power structures, not necessarily the interests of their citizens. There’s a logic there, but it’s a completely different logic than we’re used to. Same with transnational criminal activities. Modern policing is often a step behind, because of the shackling of police authority and the broad sweep of activity.
John: I look at it from three different circles. Agencies—intelligence or police—may be best positioned to analyze how diaspora from given nations may be supporting hybrid activity or attacks. When it comes to disinformation campaigns, that’s something for a partnership between these agencies and social media or conventional media. When it comes to cyber attacks, I think that's where private sector or commercial interests, through osmosis or evolution, have assumed leadership in identifying and countering them. They are always leagues ahead of the public sector at least when it comes to identifying or responding, and that's where most of the attacks are taking place right now. So it's sort of a phased approach, but I think intelligence or law enforcement agencies from the government certainly have a critical role when it comes to identifying or ensuring that private sector companies have the ability to identify threats and to train against threats.
Barney: Which is a perfect point to move to Anne. Anne, that's pretty much your business, right, cyber threats? And how in your experience do those impact negotiations, for example decisions on whom we even deal with, or issues of confidentiality, strategy, ethics and so on?
Anne: Absolutely. I should first say that this is not linked to my employer—just in general. What I’ve seen in the private sector—I’d actually go a step further than what John was saying—is that it's not that we need just a sectorial response, we need private sector leadership to contribute to almost the whole of national responses. One of the things that concerns me about the private sector is that while there is definite sophistication, and expertise, and arguably an ability to detect and respond to threats faster than the public sector, I worry about the incentives, and I worry about how the private sector frames the issue. We have a tendency, from what I’ve seen, to look at cyber-attacks in isolation. At best we might look at a series of attacks as a campaign. But we very rarely take a step back and say “what might this be executed in the service of?” And that's where the frame of reference of the public sector and the intelligence agencies is extremely important, because corporations and particularly large corporations are beholden to their shareholders, and we function on a quarterly basis and we mitigate immediate risks. Whereas there is an aspect to the hybrid / grey zone conflict which includes very long-term campaigns of attrition, with potentially barely visible effects if you're looking at them on a quarterly basis. What I wonder about the private sector is, will a category of leaders emerge spontaneously because it's the right thing to do? Will the public sector and notably government have to intervene, and push/urge/coerce action through legislation, so that there is a different type of behavior? Because left to its own devices, right now there is some change in the private sector, but is the pace of change adequate? I don't see corporations integrating the potential threat to national security into their decision-making mechanisms unless there is external influence coming from a government, for example.
Barney: Calvin, do you think that business understands the interconnectedness between the various forms of activity, or are they so focused on dealing with one issue at a time that they don't see the bigger picture, the whole systemic aspect of hybrid warfare?
Calvin: When I look at the key stakeholders and go back to the original discussion that Chris Honeyman and I had at the outset, you know we looked at lawyers and businesspersons being almost the first responders in many of these disputes that we were seeing in this area, in terms of financial takeovers etc. But do they have an understanding? I don't think even the public sector really has an understanding. If you talk to people in the military, professionals in the whole area, they look at it historically, through terrorism and other “traditional” aspects of it. They weren't really looking at how transnational organized crime was connected to it. And you get the cyber people looking at it through the technical lens, and even they don't look at it sometimes through the human element lens, and this is actually a criminal activity, and you know—where's all the money going? And what it's being used for? So I think neither the public sector nor the private sector has a complete understanding of it. I’d highlight a book called Discourse, Dissent and Strategic Surprise (2006: Janne Nolan and Douglas MacEachin 2006. Available at https://isd.georgetown.edu/sites/isd/files/Discourse_Dissent.pdf). They really talked about some of these emerging threats and how problematic it is for leaders to grasp the complexity of them. I really encourage people to take a look at that, because I think it highlights both the psychological challenges and some of the conflicting objectives and policy impediments.
Barney: So you're saying it's not just businesses that are focused on individual aspects of the cyber, or the hybrid warfare threat, it's sometimes the agencies themselves, right?
Calvin: The mind always shifts to simplicity, looking at things more in a linear way because it's probably easier to process. But in this particular case the complexities and the interconnectivity of the activities, I think, are critical to understand, if one is to be effective or efficient with these issues in a dispute situation or in a negotiation process.
Chris C: I couldn't agree more. It's an institutional issue. We've gone to almost hyper-specialization, especially in the West, while technology has gone to being available to a broader and broader set of people. So, we don't have really solid generalists anymore. Especially in government, agency structure and focus follow the budget streams. You know: “I work for agency X and agency X is funded to do Y and so that's where the focus is.” And even if you're interested, or you do see the connection points, it's very difficult even in this era with all the talk of interagency cooperation. I can't speak for the Canadian experience, but in the private sector the issue really is “is action in their interest right now and dead-on?” That’s about shareholder value, so any commercial activity is a very different thing than the public sector stakeholder value, so there's already a competition or a disconnect there. There have been some attempts to bring these sectors together a bit more, and get them not to make it too normative, but cooperate and participate in these areas. But the best way to get the private sector involved is to show them how they're going to lose money, or their business is going to be damaged. Normally it's around IP or brand issues. For example, this is why you see many clothiers now, and other types of producers paying a lot of attention to ethical labor standards. Corporations have not historically been the biggest supporters of labor rights—we all know the history—but now there's a recognition that “oh wow people are gonna stop buying my chocolate or stop buying my clothes, if I’m seen to be a bad player in this space.” So they're incentivized now to do better. The governments just don't have the ability to intervene on every single one of these cases. So it really behooves these companies to have more of an investigative mindset, and to be a bit more aware and interactive. Another issue that limits public-private cooperation is the hesitancy to share any information that puts the corporate reputation at risk if known to the public. Companies avoid airing their dirty laundry with others because it often has a direct negative impact on the bottom line. So, it is rare for them to share information about an internal threat or an exploited weakness with government agencies because of the risk of leaking the information, which is very often a constraint on cooperation.
Barney: John and Anne, the question that's linked is, is the focus perhaps too much at the moment on cyber security, to the exclusion of other aspects of hybrid warfare or other threats associated with it? And what can organizations that specialize in, for example cyber security, do to help create bigger awareness of the total package, the whole scope of the threats?
Anne: Is there too much focus now on cyber security? Arguably yes but that's an easy criticism, with the scale and the volume, the severity of attacks right now, you couldn't not pay attention to it. Indeed, that said, there's a lot of underappreciated merit in security to doing simple things much better than we do. We do have a tendency as an industry to not be brave enough to have common sense conversations about what could we do better. We have a lot of conversations about why we can't. We have a lot of conversations about why there isn't enough money and why we don't have enough people. I would love to see leaders, particularly C-suite leaders, push their management teams by asking simple questions. Such as, if we got hit by a ransomware attack today or tomorrow, each of you, what would you be doing? And if they don't get a clear answer, that's when you know you have work to do, because if you're well prepared the answer is simple, because people know. I would really love to see management in companies start having these conversations and to stop prevaricating, and a lot of it is common sense. So, is there too much focus on cyber security? No I don't think there's too much focus, I think it's necessary focus; but it would be a mistake to focus only on cyber security to the exclusion of other things. The impetus now should be looking at the scale and the severity of the attacks. That is an impetus to start sharing information differently, to behave differently. If we keep on behaving the way we're behaving right now, we're going to keep having the same results, trying to put out fires after they've happened. We need to do better. But it doesn't necessarily mean it has to be more complex; it means making better choices and being more focused and interacting differently with stakeholders in the ecosystem.
Barney: Anne, you yourself are involved in consulting on cyber security. Would you think that your peers in that sector are sufficiently equipped to advise businesses on the broader threat, the broader kinds of actions that might be associated with cyber-attacks, but might be invisible elements involved as well, in what seems on the surface to be a straightforward commercial deal? Or is it also so specialized in your sector that people only focus on the cyber security element and not the bigger picture?
Anne: At the risk of doing some people a grave injustice, for which I will apologize up front, my view on that would be no, we’re not well equipped. We have a frame of reference which is focused on managing proprietary business risk. In some sectors like financial services, where the nature of the business means that there is a relatively well understood systemic risk, that's where you start to see public sector supervisory agencies getting involved, saying we need to share better, we need to orchestrate better, because your proprietary risk is not just your own. The banks and the nature of the financial services sector means that there are interactions and connectivity issues between institutions. Since maybe 2018 this has become much more of a focus for supervisory agencies. Coming back to your question about people like me, broadly I would say ”no”: we are asked (regardless of our employer) as consultants to serve the present needs of a particular company, and they are in my experience never framed in terms of considerations that go beyond the confines of that company. Even when we might be talking about advanced persistent threats that could be coming from nation-state actors, we will look at it through the lens of the impact for a company. I’m not shedding blame or casting aspersions on anybody, it's just a fact, we don't look at it in terms of the societal impact, what it might mean in the aggregate for a nation. It's looked at through the lens of business risk and impact, potential profit/loss for a company. My personal view is that needs to change, because even with the best of intentions of not being manipulated or instrumentalized, the reality is that people—and I refute the statement which says people are a company's weakest link—we need to put in place mechanisms that protect employees. We need to train them, make them aware, and allow them to apprehend the threat themselves. Calvin has a great saying that he borrowed from somebody else which is “You may think that you're too small for geopolitics to care about you, but it does.” And regardless of their company or their role, everybody needs to realize that this is a cause that is bigger than ourselves. We have to be aware of it, to have a questioning mindset, to wonder and to be inquisitive about things that may well impact us in the context of our work.
Barney: John?
John: I guess three thoughts on that. First of all, most successful cyber security attacks are a bolt out of the blue, they're unexpected, they're difficult to defend against. And the nature and the scope of the attacks, because they're new, because there is no means to defend against them, becomes somewhat sensationalized. And so there's a lot of public focus on that, which leads to the second point. I think there is something of a symbiotic relationship between those who are attacked or the attackers and the media, because the media will of course focus on the nature of a specific attack, saying “200,000 bits of private information have been leaked” as a result of this attack and of course individuals say “oh my god am I affected” and it sort of snowballs after that. So I think the nature and the scope and the unexpected nature of cyber-attacks creates something of a symbiotic relationship between the media and the nature of the attacks, so it gets a lot more exposure. But I think the big difference is that while there's a tendency to focus on the specifics of an attack, the broader strategies related to hybrid warfare are not touched on to a similar degree, within the media or other platforms that get to the general public. For example, you're not going to hear a lot about influence activities on the part of Russia and local media in Estonia or Belarus or Ukraine or anything along that line, because they may not realize it's happening. You may not hear a lot about Chinese influence in cultural community groups in Canada, or how they influence Chinese students who are studying in Canada, and the obligations or the pressures put on them in Canada as part of broader hybrid warfare, because there's a challenge in appreciating that particular tool. So cyber-attacks just by their nature and the relationship with the media get a lot more attention, and by virtue of that, get greater visibility, and governments and the private sector are asked to do something. But for 80% of the other tools that are employed by states as part of their broader hybrid agendas or strategies, you hear very little. Not to say that they're not going on, and not to say in the case of Russian influence activities or information influence activities they're not just as important in the long term, in terms of the objectives or the strategies of hybrid warfare of individual states.
Barney: How do we bring that awareness through to executives and students, via law schools, business schools and so on? What kind of training should we be doing to try and bring this awareness to the business world in particular?
Véronique: I think the first thing is that MBA and law students should be educated about these new threats. I remember when Chris H started this project he rarely encountered somebody that even had heard about hybrid warfare. A lot of people in our field, this dispute resolution field, had never heard about it, didn't even know it existed. So I think the first thing is to be sensitive to the fact that it exists, and also understanding exactly what it is what it entails. And I think one of the most important things, once you know that it can exist, is being able to recognize the signs that we are maybe facing a hybrid warfare case. Second, as part of the dispute resolution field I focus really on negotiation. Once you're able to recognize the signs, you should be able to know what are the alternatives to negotiation. Is this a case where you have to engage in negotiation, or are there other alternatives? Can you go to government, can you raise a flag? So what are the options? And if we choose or do have to negotiate, what negotiation techniques would work? What do we do in a case like that?
Barney: John, your thoughts on that?
John: I guess to some degree my thoughts only emphasize what Anne and Chris have already said. With the allure of easy money that serves to enhance stock prices or save a threatened industry, it's often hard for domestic-based industries or communities to resist. So how do how do governments compete, promoting what is essentially an intangible security-related narrative that may otherwise serve as a disincentive to proceed with the deal? What's the response to business, who is always going to ask “what's in it for me?” when it comes to promoting strategies to counter hybrid warfare? Until you're in a position to answer those kinds of questions fairly succinctly, and short of the public shaming which Chris C touched on already, how do you culturally address those kinds of questions of “what's in it for me?” when the students get out into the real world and they are faced with the demands from their CEOs and COOs to increase stock prices? Or keep the company afloat? Or sell 50,000 more widgets? Until you're in a position to say “what's in it for me” that kind of education in a sterile academic environment is probably easy to do; but when they get out into the real world, that's where the challenge is going to be. The commercial industry and the legal industry, in my view, has to look on it from a due diligence perspective: to say “in the interest of the company is this something that we need to tunnel down and take a hard look at?”
Chris C: One thing that I think flows from this is ethics. Business ethics need to be rethought to some extent, it's really what Anne’s getting at as well. We can't expect some kid coming out of school even with an MBA to stand up, you know like David and Goliath. They're going to get eaten alive, and even if they survive, they'll go do something else. It has to come through leadership from the top, as Anne suggested. And one of the things we've seen is, some of the behaviors change when the courts get involved, and actually start putting real penalties on people for doing the wrong thing, for turning the blind eye. I mean the FATF (Financial Action Task Force) has been great for this for money laundering. But also, if we look at the cigarette industry, when the courts started really adding zeros to the penalties for “we don't care who we wholesale our cigarettes to” it started to affect the bottom line for real, as well as the reputational side of it, because the courts are very public with those verdicts. So, I think it's a hard thing to do, because now we're talking about public-private partnership, but we're also talking about the public sector in some ways holding the private sector more accountable.
Barney: So if you have them by the purse, the hearts and minds might follow.
Calvin: Could I just add another dimension that hasn't really been looked at. in the world that I live in, I often get called by law firms or CEOs, and quite often they don't know the dispute that they're engaged in. They don't really understand who they're having the dispute with. It may look like there's a mouse across the table but there's actually an elephant across the table. And I think, aside from those ethical arguments which is one dimension of this, that was really what motivated me to reach out to Chris H to initiate this. I just saw so many people sitting at a boardroom table, whether they were dealing with a state kidnapping, whether they were dealing with some type of internal threat from some client that they didn't quite understand that perhaps wasn't just a crazy person but was maybe a state actor, whether they were in a real estate transaction with a foreign entity and they were not thinking that their whole negotiation strategy with their legal team was completely transparent to the other side because of the cyber capabilities of the other party. And the list can go on and on. But I really think that business leaders and lawyers are where most of this first response happens, and they don't even know what they're really dealing with, in a dispute or a negotiation. I think they're at a disadvantage and a power imbalance, because they don't even have an awareness what that power imbalance is. So I think it's super important also just from the negotiation / dispute resolution process point of view.
Chris H: Barney, you have your own expertise, you're teaching MBA students and perhaps undergraduate business students as well, and you're dealing with the next generation of business executives. They will have to work their way up and they are going to start with no power. But I would ask, what barriers do you see, and what possibilities do you see, for courses in this material to be created in business schools? Or following what I’d call the Len Riskin model of how to teach lawyers, embedding hybrid warfare or gray zone conflict problems into courses that ostensibly are not about that, for business students? What are the prospects there?
Barney: I think one aspect is business ethics that one should sharpen the focus on. On business ethics, why should companies be doing the right thing amounts to two arguments: because it is the right thing to do, or because it's in their own interests—"what's in it for me.” The challenge is to make out a case to say, whether you think it's the right thing to do or whether you do it for your own self-interest, you ought to be doing this and this and this. And probably because it will affect your pocket, even if it's the right thing to do, it will in any event be the best thing to do for you as a business. I think refocusing teaching on business ethics is the other aspect—and at Vlerick this is what we are busy doing. We can also link it to this basic business philosophy. And I think until the Milton Friedman idea that “the business is there only to take care of its shareholders”—until that idea is dead and buried, finally, and people start talking about “the role of the business is to look beyond just the shareholders to the society at large as well” I think that also has to be addressed. The emphasis on sustainability, I think, is at the moment the right angle to take. There are more and more companies talking about sustainability, looking at stakeholder interests, not just the shareholder interests. So I think what one can do is package business courses both for executives and for MBA students that specifically focus on this. But not on its own—as part of sustainability, as part of business ethics, as part of risk management. If you can link it to any of those topics, I think it starts making business sense. But you can't go and preach it as the right thing to do for the sake of society only. I think there are very few businesses that will buy into the idea only for that reason; it's back to the old thing of “what's in it for us?” What we're doing at Vlerick is pretty much incorporating these things now, and I think the cases that we're busy developing in the different teams will certainly assist a great deal to create that awareness. At business school level it's quite easy to create awareness by using cases. I think it might be a little bit more difficult at law school to do so, but in business school it becomes a bit easier to create that awareness, because of the way one teaches there.
Barney: Questions?
Roy Lewicki: I’m retired teaching from a business school and I would have two reactions. The first is, the structure of business school education is to segment all the pieces of managing a business into separate courses that don't talk or relatively rarely talk to each other. So accounting and finance and marketing and statistics and whatever all have their own lenses, their own frames. We're sort of looking at a business problem and pulling it apart using the tools of that particular lens. What you’re suggesting, what we're talking about here, is an integrated or a broader frame that brings many perspectives together. And quite frankly that's been a major failure of business education, in the capacity to be able to do that, in other words to restructure the curriculum so that they can see multiple perspectives on the same problem. The second thing I would say is that business ethics is one example of another frame that can come out as a business problem. I’ve taught business ethics and leadership ethics in the business school for at least a decade. The hardest thing to do is to get people to understand that that's an appropriate lens for looking at a problem, and understanding that that lens suggests action strategies, which accounting or finance or law or something else might not be able to do. Again my point here is, understanding these complex problems requires a series of integrating and/or showing how multiple perspectives work on the same problem, and business education has not been well suited to do that, for a whole variety of reasons regarding the way the way it gets taught. Maybe political science or psychology would do that, but I’m not confident about this in business schools.
Barney: Maybe I’m in a fortunate position. At our school we teach particular themes, and bring faculty from different disciplines in for example around sustainability. And that includes issues of the UN development goals, it includes issues of ethics, it includes issues of corporate social responsibility, and so on. So there's certainly an effort to do that, and I agree with you that's probably the only way to do it is to start getting faculty to actually coalesce around particular themes that can incorporate the kind of things we are talking about someday.
Sanda Kaufman: I hate to say this, but planners and environmental studies people are slightly ahead on this because our students have practicum and capstone experiences where they treat a subject and bring in different expertise. Barney sounds like he's doing that too. But for us it's been a tradition, and we actually have to. You can't treat a planning issue as if it were a business, it's a totally different thing, it's in the public domain with multiple stakeholders who all have a say and voice. And so we do that all the time. And we bring in a standard list of who you need to bring in on a consensus building problem. It always includes scientists, but it also includes various specific transportation and other aspects that are specialized, but brought together for the specific topic.
Chris C: I’ve taught the last five years full-time, and generally in the international security space and in some unique places. But still the whole siloed approach to understanding even just international security or international politics is problematic. The educational approach should be more multi-disciplinary because we must start recognizing the relationships between these sectors or silos. There needs to be a movement, not away from specialization, but a balance between specialization and general, functional knowledge. We don't spend enough time giving our students a solid foundation, as well as a capstone experience that brings it all together and forces them to see the ugly truth of how complex some of this really can be. I think that's one of the best things you can do for your students, spend maybe a little bit more time at that foundational level and make sure they really get a solid capstone at the back end. Certainly in international security and studies of complex conflict that’s effective.
Roy Lewicki: I think we have to at least get some idea about the beginning set of analytical tools that you want a student or a group of students to come at that situation with. I don't know how you start pulling the strings apart and seeing what's there, without some primitive set of tools or whatever for analyzing whether it's a stakeholder analysis, whether it's a multi-group interest-based negotiation, whatever it might be. I would not want to go much more than two or three classes with students without this, in order to give them some help as to what approaches or perspectives are most useful for at least beginning to pull that situation apart and understand it more thoroughly.
John: Is that accomplished really by bringing academic and practitioners together, as opposed to just academics in an academic society?
Roy Lewicki: Well, listening to the four of you who are practitioners, and trying to listen for what you know analytically, how you come at these situations, I’ve got a little hint of that. But I think that kind of collaboration would be critical.
Chris H: In a rudimentary attempt to start to think about mitigation of harm: Who can we work with for the future? The discussion today suggests to me two possibilities for getting past the “what's in it for me as a firm right now” mentality in the private sector. First, when private firms want to act in concert on some kind of problem (and that requires that they perceive it, of course), they tend to do this through industry associations. Because that's an established structure, it raises the question: are we overlooking a possible ally here? The parallel question that struck me as John was talking was, are we overlooking the insurance industry as a potential ally? Because the really core business-lines insurance companies, like Chubb, are engaged in insuring against big business risks, and when you started talking about risk management being a possible focus, that raised the question: Are we overlooking a possible group of allies there?
Anne: That's a really interesting point on the insurance sector because no later than last week there were some developments within that industry where they've been mobilizing as a grouping to put together a tool to actually (a) aggregate data across the sector with relating regards to ransomware and (b) to educate. Now this is where incentives are important and where there is a collectively beneficial aspect to the “what's in it for me?” mindset because it is in the insurance companies’ best interest to educate widely, so that the aggregate level of cyber hygiene across their policy holders is higher and in turn the overall incidence of claims is lower. Because the thing about ransomware insurance is that it's been used as a quick fix to mitigate a business risk, without the underlying vulnerabilities being addressed. But the nature of ransomware is actually different to a lot of insurable risks, in that ransomware could potentially be catastrophic across all companies, generating a cataclysmic ransomware event that you can't insure against. The insurance industry is already struggling to find underwriters, with an absence of historical data to cost the risk. The nature of the risk means that, well does anybody really want to underwrite it? In these circumstances, what's interesting is that the insurance sector isn’t simply saying “we're no longer going to insure this risk” but they’re taking proactive measures to make cyber risk and ransomware a manageable risk. So absolutely, I think there's a very interesting strand there around orchestrating better at an industry level with the insurance sector leading in showing a way forward.
Chris C: And it wasn't long after 9/11 that Marsh McLennan bought Kroll Security; so an insurance company bought one of the largest security companies at the time—I mean just bought it, whole cloth. I think that there's been interest in that sector for quite a while.