Citizens must play role in beefing up resilience to devastating gray zone threats, UK report says
A new parliamentary report sounds the alarm “to reconnect with the country to build a whole-of-society approach to protecting the UK” from gray zone threats that could cripple critical infrastructure and undermine national security.
The House of Commons Defence Committee inquiry was started in 2023 in response to “significantly increased” gray zone threats seen from Russia in the wake of its 2022 invasion of Ukraine. The gray zone is defined by the UK as murkier conflict “between peace and war,” and can range in hostility levels from disinformation campaigns to espionage, cyberattacks, sabotage or assassinations, with combatants including “sub-state actors such as rebel groups, mercenaries, criminal gangs or cyber ‘hacktivists.’”
“Significantly, although grey zone activities inherently operate subthreshold, they can also have a critically debilitating impact on a state and its society,” the report Defence in the Grey Zone states, citing about 60 undersea communications and energy cables that are vulnerable to disruption or destruction. Some units within the UK’s Ministry of Defence were identified as being “particularly adaptable to operating in the grey zone” but were hamstrung by factors such as different priorities and understaffing. The UK is also “unable to provide continuous seabed protection across multiple areas” despite reports of undersea tracking sensors found off the coast.
“Defence has a significant role in deterring and defending against grey zone threats, especially those of a more severe nature, including attacks on critical national infrastructure such as undersea data cables and energy pipelines,” the report concluded, recommending that the UK “consider how current capabilities can be further expanded to deter and defend against grey zone threats.”
The report also discusses the reaction of alliances to gray zone zone threats, including the possibility of such an attack triggering NATO’s Article 5 response. The Joint Expeditionary Force — Denmark, Estonia, Finland, Iceland, Latvia, Lithuania, Netherlands, Norway, Sweden and the UK — if properly equipped and potentially expanded “offers the prospect of extended deterrence to countries closer to Russia, such as Finland and the Baltic states, where there have been repeated grey zone attacks on undersea infrastructure, but also in the increasingly important High North/Arctic region as well as in the North Sea and around the shores of the UK and Ireland.”
Cyber resilience is key, the report said, to address “significant weaknesses” that could be exploited in gray zone conflict.
“The weakest link in Defence’s cyber protection is likely to lie in public and private organisations that support the defence enterprise, such as industry, sub-contractors and service providers. For example, in May 2024, 270,000 armed forces payroll records on a contractor’s network were compromised,” the report noted, adding that the National Cyber Security Centre (NCSC) is “not currently designed or resourced to provide cyber security services at scale to the rest of Government and the wider public and private sectors, except on an ad hoc basis.”
With the Strategic Defence Review’s recent recommendation to create a new Cyber and Electromagnetic Command, “a general move seems likely towards the UK Government being more interventionist in terms of protecting its wider digital networks and supply chains” including recruiting and retaining a workforce with specialized cyber skills, the report states.
Homeland resilience also needs to be built for the possibility of not only conventional military attacks but the potential of “a large-scale grey zone cyberattack disabling key infrastructure such as power plants, telecommunication centres or transportation hubs” — using the “more integrated homeland security and resilience plans” of Russia’s neighbors as a guide. For example, Finland teaches kids about disinformation in primary schools.
In addition to “building substantial counter hybrid expertise” at the defense level, the report advocates, the ministry can engage “with wider society … to build a common consensus of the threats faced by the UK and the contribution citizens can make.”
The Dutch counter hybrid unit, for example, involves “providing support to wider government, private industry and society so that each of these groups can be better prepared themselves to take on a greater role in enhancing the resilience of the Netherlands.”
And Latvia focuses on defining critical services for the military, the state and society, such as the ability of the financial sector to allow people to access their money during a crisis. “Significantly, Latvia established an ‘internal internet’ that ensured all critical data was retained in the country so that vital services could continue to function even if Latvia were to be electronically cut off due to the severing of data cables in the Baltic Sea,” the report noted. This kind of preparedness, along with building cyber awareness and survival skills, is not “particularly resource intensive” but requires government coordination and planning across sectors.
“A dedicated Homeland Security Minister would be more likely to drive through the urgent changes required to improve the UK’s current levels of preparedness and resilience,” the report recommended.
“At societal level, the Ministry of Defence should draw on its understanding of the threats faced to make a greater impact by proactively engaging far more with wider society, both public and private — for example, critical national industries, schools and communities — to help generate a dialogue around those threats to the UK and build consensus around a common response,” it added.