26 November 2020

The End of Sanctuary

by Elvira N. Loredo, Karlyn D. Stanley, Ryan Consaul, Jordan R. Reimer, Anita Szafran

The United States has entered a new phase of global conflict in which adversaries might seek to delay or disrupt Army installations' ability to power project, mobilize forces, and conduct other wartime missions. As noted in the 2018 National Defense Strategy, "it is now undeniable that the homeland is no longer a sanctuary." Adversary actions might involve complex attacks that are conducted over an extended period of time and targeted at multiple continental United States (CONUS) installations, their surrounding communities, and critical communication nodes. To address this challenge, RAND researchers cataloged innovative and emerging threats to installations, identified deficiencies in the Army's current threat assessment methodologies, and developed a framework to assess potential solutions and the resources required to defend against these threats. The framework was presented to and discussed with a group of experts at an Army installation and at U.S. Army North.In practice, most of the threat and risk-assessment methodologies used by the Army focus on known threats. For example, emphasis is placed on terrorist attacks, active shooters, and cyberattacks. However, it is unlikely that future threats to power projection in a contested environment will mimic previous events. Although the assessments provide valuable information, they are not calibrated to measure how well Army installations would respond to a coordinated attack by a capable adversary employing a combination of effects. Significant changes need to take place to ensure that installations are adequately protected from a capable adversary's ability to disrupt CONUS installations' wartime missions.

Key Findings

The innovative use of emerging and existing technologies by adversaries will continuously create threats to the wartime mission of Army installations

Such emerging technologies as unmanned aerial systems, fifth-generation (5G) communications technology, and the use of social media disinformation by adversaries all pose potential threats to installations that might not have been anticipated.

An installation's ability to perform its wartime mission in a contested environment is not adequately considered under current threat assessment methodologies

Multiple Army and U.S. Department of Defense organizations provide oversight and guidance about how to conduct installation threat assessments. The assessments have many commonalities but lack consistency and frequency of application. For example, some assessments are conducted every three years and cover only a subset of all installations, while others are conducted only at the request of the garrison commander.

Threat assessment methodologies do not include many emerging threats

The Army assessment processes for identifying current threats do not include manipulation of artificial intelligence, smart city technologies, biometrics, nanotechnology, information warfare, commercial satellites, social media, or industrial control system attacks.

Threat assessment approaches do not consider the combined effects of multiple threats

When these threats are part of a coordinated effort involving the installation and the surrounding community, they might overwhelm an installation's capabilities.

Army installations are protected using traditional physical security, antiterrorism, and emergency preparedness approaches

Current Army policies, doctrine, and assessments are focused "inside the wire" and fail to imagine the innovative use of existing or future threats on surrounding communities that will impede the flow of forces on road, rail, and at the ports of debarkation.

Recommendations

The Army should adopt a comprehensive threat assessment and risk mitigation process. The proposed framework for this process comprises six steps: (1) identify innovative and emerging threats, (2) determine critical functions and processes related to achieving the mission at installations, (3) identify key enablers of those functions, (4) understand vulnerabilities and estimate the risk of given threats, (5) develop mitigation strategies, and (6) conduct wargaming or red-teaming exercises.

The framework that RAND researchers have proposed should be incorporated in Army policy if it is to be effectively implemented. The framework also should be tested using a pilot project to define the roles of the multiple organizations involved. The pilot could be led by Army Materiel Command (AMC) and U.S. Army Installation Management Command (IMCOM) with the involvement of relevant Army organizations.

The Army should review current assessments and modify or replace them (as needed) to ensure that they measure how a capable adversary will use combined effects to disrupt an installation's wartime mission.

The proposed framework's results should be applied during exercises and deployments to training centers to achieve the Army's "train as you fight" goal.

AMC and IMCOM should update all existing installation contracts with adjacent utilities and critical infrastructure to include current cybersecurity standards.

No comments: