Making Democracy Great Again

Originally posted in FPRI, Geopoliticus

It wasn’t the World Economic Forum in Davos, Switzerland, and it wasn’t meant to be. Bono wasn’t there, nor was Beyoncé, but former U.S. Vice President Joseph Biden and former British Prime Minister Tony Blair were. The event was the first Copenhagen Democracy Summit held on June 22, 2018. No glam, no glitz, just serious policy discussions from an array of former and current world leaders to discuss the precipitous slide in democracy and democratic values the world over. I had the privilege to attend as a board member of the Alliance of Democracies Foundation, which was supporting the conference. Here are my impressions.

The brainchild of former Danish Prime Minister and NATO General Secretary Anders Fogh Rasmussen, the Democracy Summit is dedicated to strengthening the resolve of the world’s democracies by providing a high-level forum exclusively focused on the cause of democracy. With democracy under threat from nationalist movements, autocracies, and terrorist organizations, the Summit seeks to meet the need to revitalize the world’s democracies by bringing together current and former heads of state as well as leading business executives, academics, and dissidents into open dialogue to support the maintenance of shared democratic values.

Sounding a somewhat familiar mantra, Summit Chairman Rasmussen opened the conference by declaring to the 350 participants from over 40 nations, “We are here to make democracy great again.” In a time when the world’s democracies are being challenged both from internal and external forces, this Summit did a deep dive into why long-accepted democratic norms such as free speech, human rights and free trade are under assault from populist, nationalist and nativist forces at home as well as autocratic nations abroad.

Opening the conference was a sobering statistical study by Dalia, an international research organization. Using its Democracy Perception Index 2018 (DPI), the single largest study measuring citizens’ trust in government, Dalia found that democracies are facing a severe crisis in faith in the eyes of the public. The DPI 2018 found that a majority of people living today in democracies no longer believe that government works for them. Among the report’s findings, a surprising 51% of people living in democratic countries think their voice “rarely” or “never” matters in politics. Moreover, in democracies, a majority of the population, 64%, believes that their governments “rarely” or “never” act in the interest of the public compared with only 41% saying the same in non-democracies.

This tocsin of democracies in peril was addressed throughout the Summit, but most notably in an extraordinary panel discussion with the former heads and deputy heads of state of Canada, Spain, Estonia, Mexico, and the United Kingdom. The panelists agreed that for many, democracy is perceived as deaf, cut off from the needs and aspirations of immigrants, unresponsive to the fears of workers caught in rapidly re-tooling economies and sclerotic in its ability to respond quickly to disasters or update crumbling infrastructures. “People tell us they are unhappy, we must listen,” said former Canadian Prime Minister Stephen Harper. “We have to show that democracy can adapt and innovate to meet challenges of a changing society,” opined Nick Clegg, former Deputy Prime Minister of the United Kingdom.

Indeed, democracy did not get off lightly at the conference. Speaker after speaker bemoaned the back-sliding, seemingly epidemic in democratic nations today where their governments are perceived as inept, incompetent, or worse, indifferent. Joe Biden was most forceful in his assessment that “the threat to democracy isn’t just Russia. Authoritarianism is on the rise in every region.” Biden called for a re-dedication to the principles that form the bulwark of democracies: inclusive institutions, the rule of law, equal protection, and equality of opportunity for all. Concluding with a strong statement meant to throw down the gauntlet to the democracies of the world, Biden said, “Democracy demands diligence. Democracy demands engagement. And sometimes democracy demands sacrifice of its citizens. That’s how we keep it.” “Let’s not forget who the hell we are.”

Another panel delved into the current conundrum of “fake news” and how movements and forces use it to sow discord and fear in the electorate. Indeed, many fingers were pointed to the Russians as masters of these dark arts, while criticism was also subtly leveled against the current U.S. administration for labeling political opponents and news organizations as purveyors of the trade.

Running a close second to the “fake news” topic was cyber security and hacking and how democratic institutions are besieged by a blitz of hacking from Russia, China, Iran, and North Korea. Often, this activity goes beyond the simple stealing of data and intellectual property and seeks to undermine public confidence in the electoral system of many Western democracies.

Tony Blair closed the conference with a plea for a more “muscular” democracy as a statement that those who hold it dear will fight to keep it. He urged participants and governments alike to spread the gospel of democracy and to communicate that it does work and that it is worth fighting for. Pointedly, he said, “Democracy needs to revive its spirit.”

As is often the case, the real value of these conferences was not what was said at the podium by the speakers, but what was whispered in the halls amongst the participants. Time and time again, we Americans were questioned by our European colleagues about the direction of our government regarding NATO, free trade, and immigration. While anger was never apparent, confusion and frustration were. The confusion was based upon a general befuddlement over current policies towards Europe, and the frustration stemmed from an inability to understand our seeming rejection of 73 years of collective security in favor of warmer relations with Russian autocrats. As one conferee noted at lunch, “The autocrats and the despots are on the march again. They think this is their time.”

Notwithstanding attendees’ confusion and frustration, it was clear that America does matter, America is the key, and America is indispensable to democracy and to global leadership. They just don’t know if America agrees.

The Future of Cybersecurity, a Conversation With Jack Thomas Tomarchio of Agoge Group, LLC - From Drexel University

Original post by Patricia Connolly

 

Today’s boardrooms continue to sharpen their cybersecurity oversight in preparation for an inevitable cyber incident. Patricia Q. Connolly, Executive Director of the Raj & Kamla Gupta Governance Institute, sat down with cyber expert Jack Thomas Tomarchio, Principal at Agoge Group, for a conversation around growing cybersecurity concerns and the ways boards can ensure they are equipped to handle cyber-attacks.

The following is an edited transcript of the conversation.

Patricia Q. Connolly: In my work at the Raj & Kamla Gupta Governance Institute, I have had many boards raise questions around cyber preparedness. In your experience, do boards fully understand the scope and severity of cyber threats?

Jack Tomarchio: Some boards understand the scope of cyber threats, but many or most boards do not. Cybersecurity has become an agenda item, but directors and management don’t fully understand the severity of possible threats. And it’s hard to be prepared for a threat when you are unsure of what you are facing.

Security is always the last line item on a corporate budget, because it represents money out and no money in. There’s no profit in security; it’s not “sexy.” It’s like insurance—you don’t know you need it until you experience a disaster and are unprepared, but at that point it is too late to do anything about it.

Q. What should boards be doing differently now regarding cybersecurity?

It is incumbent upon boards to educate themselves on the risks of cyber-attacks and strategies to mitigate those risks. On April 24, 2018, Altaba (formerly known as Yahoo) settled with the SEC and agreed to pay $35 million for failing to adequately disclose a cyber breach—the first time a public company has been fined by the SEC for this. Headlines like that should get the board’s attention—this should be the impetus for everyone to act on cyber issues. When cyber-attacks occur, it’s a big headline. CEOs are fired, along with other members of the C-Suite, and ultimately board members end up running the risk of personal liability outside of the insurance limitations.

But, for some reason, it’s often not enough to force companies to act on these risks. And that is an issue because most companies are currently unable to sufficiently handle a cyber-attack. Boards must develop useful responses to cyber-attacks. It’s not about “checking a box,” or simply having discussed cyber; there needs to be a real conversation around mitigating the risks. They tend to be reactive, but these are real assaults on companies for data, intellectual property, and money, and you cannot win a battle by being passive.

I’ve personally witnessed cyber warfare attacks through my work in the US Intelligence Community, and it is intense. You never want to end up saying, “now what do we do?” You always want to be prepared. There is help and partnership available, which many boards are unaware of or actively choose not to seek. The FBI offers outreach partnerships, but they don’t often get called. You only need to ask for help, and there’s an opportunity to have it.

“Boards have to be cognizant of the fact that cyber risks are now part of the business landscape and culture.”

Q. How have you seen governance practices evolve in response to major cyber-attacks?

We are seeing some boards attempting to recruit directors with cyber experience or skills. However, it’s not as common as it should be. All boards of directors need at least one individual with cyber expertise. The full board needs to be informed and responsible for cyber-oversight, but there needs to be one person with that background who can then educate others and measure the company’s preparedness regarding cyber planning.

I often hear from directors, “my Chief Technology Officer (CTO) or Chief Information Security Officer (CISO) is handling that.” This is a mistake. Boards cannot be relying solely upon the CTO or CISO for guidance on these issues, but should instead be reviewing their work and asking them to enforce board-directed strategies. It should be the role of the board to ask them the tough questions, and to do that, you need a board member who knows what questions to ask.

“Cyber warfare is an attack, and boards must treat it as such. If you don’t understand the threat or the ramifications, you won’t be able to withstand an attack.”

Q. In February 2018, the SEC issued an interpretive release to guide public companies when preparing disclosures about cybersecurity risks and incidents. How should a board be prepared to speak about their plans to confront cybersecurity risks and threats?

Boards shouldn’t show their entire hand—you don’t want to put the details of the company’s response plan out there for all the world to see. However, they should lay out two to three pages on the corporation’s cybersecurity plan in the annual report. There doesn’t need to be a great level of detail, as investors will gloss over that anyways, but the board should demonstrate the resiliency of the company in the cyber realm. Outlining what the company has done, steps that have been taken, tests that have been performed, can be helpful to show that they are taking cyber threats seriously and trying to be proactive.

Public company boards do need to disclose their cyber preparedness, and they should insist on a written information security policy and an incident response plan that gets to the point. You don’t want an 800-page plan—no one looks at that and it isn’t useful. And boards not only need to prepare these types of items, but they need to regularly and continuously evaluate their usefulness and update the materials based on the evolving threats in the cyber realm. Your plans are only useful if they are designed for the current landscape.

Q. How can a board take the extra step to assure itself that the company has the proper protocols in place to evaluate, and respond to an incident quickly and effectively?

Yes, some boards are taking some smart steps regarding their cybersecurity plans. Small things, like not using the same IT guy when you perform penetration tests, can make a big difference. And those are actions that the board can easily take. You want to think about cybersecurity like baseball. A pitcher on the mound faces many different batters. If that pitcher only has one pitch, every batter knows exactly what to expect, and they can prepare for it. So the pitcher must mix it up and surprise batters; in other words, don’t always throw a fastball. Boards can think about cyber-attacks in the same way. They want to catch their attackers off-guard and not make it easy for them to gain access.

Q. What other steps might a board take to protect itself from a cyber-attack, and how can they manage the results if such an attack should occur?

One of my favorite tools to train boards on the risks, management, and mitigation of a cyber-attack is the use of the tabletop exercise. Originally developed by the military as war games to plan strategy and tactics, the tabletop exercise is a perfect pedagogical tool to teach boards how to respond to a cyber event.

When I run a tabletop exercise, I put the entire C-Suite and board through a cascading cyber crisis that challenges company leaders to make hard decisions under extreme pressure. The results are often eye-opening. Executives uncover gaps in their incident response plan, realize that they have serious systemic failures in inter-company communications, or learn that their crisis response is confused and disorganized. The exercise is designed to shed light on these types of deficiencies. I conduct a post-mortem afterward to discuss what the weaknesses were and methods to address them. Often the C-Suite will leave a tabletop exercise with a laundry list of fixes to be undertaken.

Furthermore, tabletop exercises allow the board to understand their role in the cybersecurity process versus the role management should play. The exercise provides the board with a hands-on experience to better understand what a cyber-attack entails, and what it means to be properly prepared to combat one. Board members can utilize these interactive sessions to further their own knowledge and ensure management has the proper crisis management and disclosure protocols in place.

Russian Military Embraces 21st Century Tactics

The familiar version of the Russian military is of the ponderous Cold War juggernaut that invaded Hungary in 1956 and Czechoslovakia in 1968, heavy on armor and artillery but light on agility, maneuverability and independent action when necessary. Not so much anymore. With Russian adventurism in Crimea, Ukraine, and Syria, its military is the recipient of an array of new technologies using artificial intelligence, high-resolution geo-spatial imagery, robotics and sophisticated drone technology. While Russia still lags significantly behind the United States in defense spending, $46 billion to the US’s $700 billion, what is important is that Russia is making strides to improve how its military fights and even more importantly where it fights. Russian submarine stealth technology is first rate, with boats of the new Yasen and next-generation Husky classes quieter and stealthier than ever, while Russian ground- and sea-launched ballistic missiles allegedly pack more thrust and accuracy than ever before.

Russian military thinking is also undergoing a revolution. Historically, Russia has always fought large defensive wars such as the Patriotic War of 1814 against Napoleon and the Great Patriotic War against Germany (World War 2). New Russian tactics, however, now call for taking the war to the adversary early and with stunning lethality. Chief of the Russian General Staff General Valery Gerasimov, in recent remarks to the Russian Military Academy, stated, “The objects of the economy and the state administration of the enemy will be subject to immediate destruction, in addition to the traditional spheres of armed struggle, the information sphere and space will be actively involved.” With this shift in traditional tactics, the Russians now seek to push conflict away from their borders and to the heart of their enemies. With Russia’s loss of its traditional “near abroad” (the 14 former socialist republics of the USSR) and “nearer abroad” (the Warsaw Pact allies) buffer states, Russian military thought now views it as a strategic imperative to take the fight to the adversary. Moreover, Gerasimov recognizes that in order to prevail in future conflict Russia must be prepared to fight a multi-dimensional war targeting a foe’s economic, information, energy and financial infrastructure, all critical instruments of national power. A future war with Russia will assuredly see attacks on all of these “fronts” as warfare enters an age of “inclusive lethality”, further blurring the old combatant/noncombatant targeting paradigms of the past.

This new Russian strategic mindset is itself a carryover of the traditional way Russia sees the world and its place in it. Obsessed with encirclement and invasion, Russia now seeks to control the tempo of world events by shifting away from its historic defensive posture to a new deep strike capability that will carry the war to the heartland of its enemies.

For NATO and especially the US, the challenge will be to ensure that Western capabilities in space, information warfare, submarine technology and other military modalities remain robust, technologically superior and nimble. Not to do so would be a mistake whose consequences will be paid for at a future time. The price may not be something we will be pleased to pay.