I think that's right. I think you're exactly right that not every crisis is a disaster. In other words, if we're built for it, we can—for any type of attack—survive something if we're prepared for it.
It becomes—in words that I quote from the NATO language—“destructive” if you cannot manage even the smaller things. They build on each other. This is the notion of cascading losses. If you cannot stop the harm close to the vulnerability...although you don't even know what those impacts will be downstream, especially in the cyber context, which is what we've experienced with critical infrastructure here in the United States. In a simple ransomware attack like the Colonial Pipeline, which was really simple and not that sophisticated, because they did not have a response capability, it meant the whole system was down for a week. That's not sophisticated.
One way to think about the relationship is.... As a nation and as a government, you're really focused on—from Russia—the destructive stuff. I think NATO made that clear in its language. It's not going to define what the difference is between a disruptive attack and a destructive attack. I think that's been good. In other words, that is actually keeping enough vagueness in the system so that the adversary doesn't know where the line is. The last thing you want to do is to say, “We would view this as destructive and this as only disruptive”.
I think the best response.... This is, now, not the world of rocket science. The fact that we talk about cybersecurity or cyber-attacks makes them seem technological. On the response side, it's really not that sophisticated. You don't need to know coding. A lot of it is having communication systems that have multiple defences and systems that stop the cascading losses, in other words, bifurcated or divided regional support systems that can service mutual aid. If an energy system went down, you could share or get systems from others. Those are tried-and-true emergency management capabilities.
I've spent a lot of years trying to focus the cybersecurity world on how you don't have to reinvent the wheel. A lot of what we've learned from both disruptive and destructive attacks was already known.