Many companies and government offices were unprepared for the COVID-19 pandemic and sustained lockdowns, despite years of warnings and guidance from experts and the federal government. This lack of preparedness cost companies dearly, from delays in setting up work from home software to supply chain disruptions that could have been mitigated against – if not prevented. In addition to better business continuity planning, the use of red teaming could have possibly spared certain organizations’ reputation hits and some monetary losses. Similarly, organizations can use red teaming or a red team mindset to bolster disaster preparedness.
Many organizations engage in business continuity planning and disaster preparedness planning. The thoroughness of these efforts varies depending on executives’ support and the competence of the planners. However, humans suffer from cognitive biases, and groupthink plagues many organizations. Red teaming helps to counter these limitations. According to the U.S. Army University of Foreign Military and Cultural Studies (UFMCS, or “Red Teaming University”), “Red Teaming is a flexible cognitive approach to thinking and planning that is specifically tailored to each organization and each situation.” Although red teaming is ideally conducted by a group trained in its techniques, simply approaching disaster preparedness with a red team mindset can pay dividends. The first known case of red teaming was conducted not by a group, but an individual.
History of Red Teaming
In the early 1500s, Pope Leo X established the position of Promoter Fidei, or Promoter of the Faith. Its formal title was advocatus diaboli (Latin for devil’s advocate). In 1587, Pope Sixtus V formally established the office. The role was to scrutinize beatification and canonization – the last steps in the process of the Catholic Church declaring someone a saint. The devil’s advocate’s scrutiny resulted in a drastically reduced number of canonizations, until Pope John Paul II downgraded and altered the office in addition to implementing other changes in 1983.
Militaries have also used red teaming after major losses or surprises. After the Prussian army’s losses to the French in the 1790s, a Prussian officer invented Kriegsspiel, the first table-top war game used by a modern military. It is credited with contributing to the Prussian defeat of the French in 1871. After the Israeli government ignored numerous indicators in 1973 of an impending Syrian and Egyptian invasion that became the Yom Kippur War, Israeli military intelligence established a devil’s advocate office.
This critical thinking tool on unlikely yet plausible events challenges an organization’s assumptions and presumptions about triggering and cascading events.
Three Types of Red Teaming
Red teaming has three forms: vulnerability probes, simulations, and alternative analysis. Vulnerability probes, also referred to as penetration testing, is the most common. They are used in both the cyber and physical security fields. Red teaming can also be simulations such as tabletop exercises. The New York Police Department conducts these exercises ahead of major events. For example, prior to Pope Francis’ visit in 2015, the NYPD simulated a hurricane hitting New York City, which would have eliminated the use of maritime or aerial assets. The third type of red teaming is alternative analysis, which provides decision makers with viewpoints that are usually outside the “mainline” or authoritative analysis.
Although it cannot predict or prevent a disaster, red teaming can better prepare communities to respond to the disaster. Two scenarios demonstrate how red teaming could have mitigated the devastating consequences of past disasters.
Scenario 1: “Red Teaming” Threats to the 1972 Munich Olympics
In the early 1970s, terrorist attacks were common, including in Europe. Prior to the 1972 Olympic Games in Germany, Munich Police psychologist Georg Sieber developed 26 terrorist attack scenarios. Scenario #21 was very similar to the actual Munich hostage crisis and involved an attack on Israeli athletes in the early morning hours. Based on Sieber’s scenarios, he recommended that athletes be housed together in the Olympic Village by sports instead of by nationalities. According to Seiber, “There were all kinds of agencies, from America to China, who said, ‘We heard something and this and that will happen’.”
Seiber was not mentally constrained by groupthink or the fact that there had never been a terrorist attack on the Olympics. However, his scenario planning was ignored, including by the Munich police chief, who was responsible for the games’ security. On 5 September 1972, the Palestinian terrorist group Black September stormed the Israeli dorm in the Olympic Village, killing two Israelis. Nine Israelis and a German police officer were killed in the failed hostage rescue attempt at a NATO (North Atlantic Treaty Organization) air base.
Scenario 2: Black Swan Fallacy of COVID-19
Many corporate executives have claimed that the COVID-19 pandemic could not have been expected or planned for – that it was a “black swan” event. Black swans are extremely negative events or occurrences that are unexpected and nearly impossible to predict. In essence, they are unknowable. However, red teaming or any semblance of such an effort might have noted a few events over the past two decades that could have facilitated pandemic preparedness.
- The 2003 outbreak of the Severe Acute Respiratory Syndrome (SARS) coronavirus (named SARS-CoV) resulted in more than 8,000 cases and almost 800 deaths in 26 countries, a case fatality rate of 9.6%. In six months, the outbreak cost the world an estimated $40 billion.
- In June 2009, the World Health Organization declared the start of the first flu pandemic in 40 years. The novel H1N1 flu virus (the so-called swine flu) killed an estimated 284,000 around the world from April 2009 to April 2010.
- In 2009, the Occupational Safety and Health Administration, a U.S. Department of Labor entity, published its Guidance on Preparing Workplaces for an Influenza Pandemic. It warns that a pandemic could be “an extended event” with outbreaks that might occur over a year or more. The document also outlines measures recommended by governments and medical professionals 11 years later such as the stockpiling and use of personal protective equipment, administrative controls (e.g., policies that encourage ill employees to stay at home without fear of any reprisals), work practices (e.g., social distancing), and engineering controls (e.g., installing sneeze guards between customers and employees).
- In 2012, Middle East Respiratory Syndrome, a novel coronavirus identified as MERS-CoV was first reported in Saudi Arabia. From 2012 into 2019, MERS-CoV infected 2,442 persons and killed over 800 around the world – a case fatality rate of 35%. There is no vaccine for MERS.
- The 2014 Ebola epidemic in West Africa was the first in history. It ended in early 2016 with more than 28,600 cases in 10 countries (most of the cases were in Sierra Leone, Liberia, and Guinea) and 11,325 deaths. The case fatality rate is 40%, although the rate could be as high as 90%. The U.S. Food and Drug Administration approved an Ebola vaccine in December 2019.
- The 2017-2018 flu season is possibly the worst in recent U.S. history. There might have been 61,000 deaths and over 800,000 hospitalizations, based on preliminary data.
Additionally, for at least the past two decades, government officials and medical experts have repeatedly warned about the possibility of a global pandemic, especially as deforestation increases human contact with wildlife. However, many organizations suffered from the failure of imagination that prevented them from preparing for any type of pandemic. Red teaming, for example, might have prompted companies and government agencies to test and exercise processes and software for remote work long before the start of lockdowns in March or April 2020.
Red Teaming Natural Disasters
The UFMCS manual notes that natural disasters can be used in a couple of red team techniques. For example, natural disasters can be a triggering event in high-impact/low-probability analysis. Organizations can use this critical thinking tool on unlikely yet plausible events like black swans. So, a natural disaster could be a plausible but unpredictable trigger that causes cascading effects, challenging an organization’s assumptions and presumptions. Another critical analysis tool in red teaming is “what if” analysis, which examines less intuitive and less likely outcomes. It challenges expectations. If an organization has the expectation that roads and bridges used by a key supplier will always be available because they have always been available – even after major disasters – it can be best to ask “What if that is not the case?”
Organizations on the west coast – especially in Washington, Oregon, and northern California – would be remiss if they did not red team the potential effects of “the big one” on their organizations. The big one refers to potentially devastating 8.0 to 9.0 magnitude earthquake caused by the Cascadia subduction zone, a fault line that extends from northern California to southern British Columbia, from well offshore to eastern Washington and Oregon. An earthquake of this magnitude and ensuing tsunami might kill 13,000 and injure over 25,000. In Washington, 350 bridges might take two or more years to repair or replace, and some highway segments might take more than two weeks to repair.
Other potential disaster types in other regions and parts of the world should drive organizations to pursue red teaming. Businesses on the Gulf Coast or those that rely on products from the Gulf, for example, should consider potential consequences of the big one. The effects of climate change – regardless of what is causing it – that are already evident in recent natural disasters makes a new cognitive approach even more urgent. Red teaming is not the panacea for every possible disaster or crisis an organization might face. And the practice often fails to get the support from decision makers that it should. The defunding of the U.S. Army’s Red Teaming University, which takes effect on 1 October 2021, and other similar military programs are examples of the low priority given to red teaming.
However, groupthink and using the black swan excuse to not think outside the box to prepare for future disasters might be setting up an organization for failure.
Kole (KC) Campbell
K. Campbell, CBCP, CPP®, is a security and intelligence professional with experience and training in intelligence; risk, threat, and vulnerability assessments; security management; and business continuity. He is a Certified Protection Professional (CPP), board certified in security management by ASIS International. He has also earned his Certified Business Continuity Professional (CBCP) certificate from DRI International. During his prior career as a U.S. military intelligence officer, his responsibilities included classified and protective intelligence operations, counter-WMD and counterterrorism recommendations, war and contingency planning, and leading highly sensitive intelligence planning efforts against Iran and North Korea. He has led security risk assessments for the U.S. government, private industry, and nonprofits. Mr. Campbell has training in behavioral threat assessment with various structured professional judgment tools. He has presented three times at the Global Security Exchange, the 20,000-attendee flagship conference for the international security industry. He obtained a Master of Arts degree in global risk from Johns Hopkins University’s School of Advanced International Studies, a Master of Arts degree in military operational art and science from the Air Command & Staff College at the U.S. Air Force’s Air University, and a Bachelor of Arts degree in political science from Virginia Tech.