Good afternoon. It is a pleasure to be here to share the IIEA's work on hybrid and grey zone threats to Ireland. Ireland’s national security is the basis for its national and social prosperity. However, at present, we are seeing the rise of a growing type of threat to our security and prosperity that members may be familiar with already. That is grey zone threats, which are transnational and incremental, operate below the threshold of conventional conflict and do not respect borders, sovereignty, or delineations between civilian and military targets.
Since December 2022, the IIEA has been conducting a project that reflects on the changing character of warfare as a consequence of increasing international competition and tensions. Notably, revisionist actors such as the Russian Federation, which are dissatisfied with the present geopolitical status quo and seek to tilt the balance of power in their favour at the expense of European states, are using a variety of instruments generally understood to be grey zone techniques. The grey zone as a concept is the spectrum of hostile and aggressive activities which exist above the peaceful normal activity of international politics but below the threshold of kinetic warfighting. They are generally low cost and low risk for the perpetrator but have a significant destabilising effect on the target state and its society.
Grey zone activities include the use, either in isolation or combination, of disinformation, election interference, espionage, intellectual property theft in key industries such as defence, life sciences and technology, and also the use of military manoeuvres designed to intimidate target states such as what was planned in February 2022 or cyberattacks designed to disrupt the normal functioning of society such as the attack on the HSE in 2021. Though occasionally some of the more high-intensity forms of grey zone activities attract headlines, these forms of activities are designed to be incremental and difficult to detect with the overall goal of changing the strategic landscape before the target state has realised what is happening. They are designed to sap the political and economic strength of the target state, to undermine social cohesion, and ultimately to leave them unable to respond to the revisionist state's increasingly assertive international posture.
Moreover, we expect to see a greater proliferation of the use of grey zone activities against European states, in particular those originating from the Russian Federation in connection with its war in Ukraine. Activities such as cyberattacks, and most recently the reported presence of Russian vessels mapping cable infrastructure, are designed to intimidate Europeans, to highlight their vulnerabilities and most importantly to undermine European support for Ukraine.
Ireland is increasingly and demonstrably at risk of such grey zone activity. Its ever-growing role in the interconnected economies of the Euro-Atlantic area, its importance in global technology and communications, its position in the EU and its relative diplomatic power, coupled with its limited capacity to protect itself, make it a prime and under-defended target.
Russia has shown its willingness and preference for targeting civilian critical infrastructure as part of its grey zone campaigns to maximise disruption in target societies. What should be clear is that not only is the monetary cost of state-backed cyber warfare operations high, but the potential societal cost in terms of loss of confidence in the state’s ability to protect its citizens from harm is significant. As a second order consequence of cyberattacks, the effect on public trust in institutions could also leave societies more vulnerable to the disinformation campaigns that often accompany these types of attacks.
The paper published by the IIEA that Dr. Colfer mentioned, entitled Black Swans in the Grey Zone, which was circulated in advance of today’s discussion, focuses on threats posed to Ireland’s energy infrastructure as a part of grey zone activity. Examining the potential escalation trajectory of Russia's war in Ukraine, we believe that it is possible that as Russia’s military campaign continues to stall, in particular as it faces increasing volumes of western-supplied military hardware, the Russian Federation may choose to carry out cyberattacks against electricity infrastructure in Europe to try to erode Europe’s willingness to continue to support Ukraine.
Russia has demonstrated that it has the capability to carry out such an attack on energy grid infrastructure when in December 2014, after months of targeting and preparation, it carried out a devastating cyberattack on Ukraine’s power grid causing nearly a quarter of a million customers to lose power following a synchronized attack on three regional electric power distribution companies. Furthermore, the signalling from the Kremlin itself indicates that European energy infrastructure could be a target of some form of attack. In Vladimir Putin’s own words, "any critical infrastructure in transport, energy or communication[s] ... is under threat - regardless of what part of the world it is located, by whom it is controlled, laid on the seabed or on land".
With this in mind, the IIEA has identified that Ireland’s energy grid may be a preferred target for a cyberattack against the EU, either through repeated small-scale attacks or from a single large-scale attack. As a host to 30% of all European data, as well as cable infrastructure critical to global communications, sustained and large-scale power outages would not only likely disrupt Irish communications, society and undermine Ireland’s image as a safe and stable place to do business, but it would also have the potential to disrupt life in other EU member states.
What options are available to us to counter grey zone aggression? Though most of our recommendations focus specifically on protecting Ireland’s energy infrastructure, successful implementation would make Ireland’s society more resilient and better protected against the broader spectrum of grey zone threats. As a collective, our recommendations focus on how we can either make best use of or augment existing structures in Ireland.
Overall, we believe that the best means of defending Ireland against this form of aggression will require a mindset shift in how we approach national security. Ultimately, as Irish businesses, resources, people and society become the targets of grey zone activities, the security services of the State alone will not be enough to deal with these threats. Instead, it will require a whole-of-society approach to defence, which includes industry, NGOs, think tanks, academia as well as individual citizens, in protecting their society from harm by antagonistic actors.
Our first recommendation is that Ireland could enhance its resilience through greater co-operation between the public and private sectors. With private sector actors and Government having access to different types of data, in what we term the cybersecurity data gap, greater information sharing between the public and private sectors when it comes to cyber incidents would be mutually beneficial.
Second, the State needs to continue to build awareness in critical industries about cyber risks to operational technology and their role in national security.
Third, the State could enhance the resilience of Ireland’s electricity grid through greater redundancy and a focus on microgeneration programmes, such as the existing €2,400 grant for households to install solar panels. Not only would this assist the State in meeting its climate targets, but it would also enhance the State’s resilience to outages that may arise from a cyberattack against the national grid.
Fourth, we should consider the development of a threat-led penetration testing framework, modelled on the existing threat intelligence-based ethical red teaming, TIBER-EU-IE framework for our energy system. TIBER is an EU framework developed by the European System of Central Banks to stress-test individual banks' readiness in case of a cyberattack. Intelligence on cyber threats and best practices are shared across the framework’s EU network. Such a framework for the energy system would enable operators in Ireland to stress-test their ability to respond to cyberattacks in a systematised and regularised approach.
Our fifth recommendation is that Ireland should develop and enhance its intelligence capabilities to counter hybrid threats. At present, Ireland’s intelligence capacities are not in line with comparator countries. In short, they are insufficient for the present hybrid threat environment. By developing the State’s intelligence capacities, both in the Defence Forces and An Garda Síochána, the State will be able to make better and more rapid decisions in the instance of a crisis. This, coupled with a greater ability to attribute either hybrid or cyberattacks, should enable the state to deter this type of aggression and will potentially reduce the likelihood of an attack happening in the first place.
Our final recommendation is that the Government should examine the implications of the development of offensive cyber capabilities for defensive purposes to increase costs for perpetrators of cyberattacks against Irish critical infrastructure. This would also be in line with the 2022 Commission on the Defence Forces' recommendation for the development of a joint cyber defence command in the Defence Forces that would be able to conduct limited offensive cyber operations. We believe exploring the use of offensive cyber for defensive purposes would play an important role in changing the cost-benefit calculus for potential aggressors.
To conclude, we find ourselves in a changing and more threatening security landscape. Ireland faces a degree of threats that it likely has not faced before in its history, as potentially everything from social media to globalisation, international trade and the Internet can now be weaponised. Though before I close, I would like to emphasise there is cause for optimism. A mental shift to a whole-of-society approach to national defence would not only allow the full strength of the nation’s resources to be harnessed, but it would also give all stakeholders - Government officials, NGOs, the military, universities, business and, most importantly, the general public - agency in the State's future national security strategy, ultimately creating a more resilient and more robust society that is best positioned to deter would-be aggressors’ hybrid warfare campaigns. I thank members for their attention and I look forward to their questions.