Navigating Complexity: Lessons from D-Day for Cyber Leadership

By Andrew Fitzmaurice, CEO, Templar Executives
11th June 2024

“Eighty years ago, the UK and its allies demonstrated a clear grasp of how to prepare for and successfully manage complexity. Their legacy provides blueprints for managing very complex environments.”

This year’s theme of the Cyber Leadership Symposium, to be held on the 18th and 19th September 2024, is ‘Maintaining Progress in the Face of Complexity’. As I sit writing this today, two major news events are happening: the anniversary of D-Day and the critical state of play in our hospitals under Cyber attack. So what do these two very different events have to do with Cyber leadership?

D-Day’s Blueprint for Cyber Defence

First, the 6th of June marks the 80th anniversary of D-Day. Sir Winston Churchill described D-Day as the most complex operation ever undertaken in the history of mankind. Approximately 150,000 service personnel landed on the beaches of Normandy from 6:30 in the morning supported throughout the day by a myriad of naval and civilian vessels as well as some 11,000 aircraft. All this was to commence the liberation of Europe.

Are there any lessons from D-Day that bear similarity or relevance to the complexities we all face in managing information flows in Cyber space, and the relentless threats from malign actors?

Effective command and control are key components of success in any complex environment. All elements of the command structure must be fully aware of their responsibilities, boundaries of authority and the roles they need to play to ensure a successful outcome. Whilst D-Day itself was top secret, key leaders were appointed and briefed on what was expected in preparation for the operation. In the lead-up to this anniversary, the media has detailed the efforts of all participants in understanding their roles in making this complex operation a success. For instance, the BBC programme Countryfile recently devoted an entire episode to the scenario planning and the impact these rehearsals had on local communities and the countryside. Many rehearsals for the landings were conducted in early 1944, often using live ammunition to ensure the environment was as realistic as possible.

Looking across all reported Cyber incidents, we have seen a pronounced trend. Very few reported attacks are now directed at prime organisations; instead, they target areas of complexity, which in today’s modern society are the interfaces within ecosystems. An interface where valuable information is exchanged often provides opportunities for bad actors to disrupt or compromise vital information flows.

Way back in 1944, the D-Day planners clearly understood that extending the task force from southern England over the Channel to Normandy produced huge complexities in coordination, making them potentially vulnerable to enemy attack. To achieve success, they used techniques that we would recognise today.

In terms of security, information exchange was encoded with cyphers that it was hoped the enemy could not break. For coordination, three tank landing ships had radar and communications equipment installed and were strategically placed to provide pivotal hubs for information exchange for all five landing sites. This allowed the extension of command and control networks from mainland UK to Normandy, enabling successful coordination of land, air, and sea assets – in modern parlance, to successfully manage risk.

In addition, subterfuge was also employed. Operation Moonlight utilised a number of specialist aircraft to electronically simulate mass raids of Allied aircraft aimed at Holland, creating the illusion of an attack much further north than the reality. This was, in effect, a type of ‘honeypot’. Both physical and electronic honeypots are widely used today.

Addressing Modern Cyber Attacks

The second major news event is a Cyber attack against several London hospitals, severely impacting services, including blood transfusions and cancer treatments. At the time of writing, the impacts of this are still in the early stages. Reflecting on the planning and operational execution of D-Day, I would ask fundamental questions about how this successful attack was allowed to occur and whether different actions could have effectively mitigated the obvious harm caused by the attack.

To address this, we should focus on the area of complexity most at risk: the interface between the IT supplier Synnovis and the hospitals themselves. Using the preparation, planning and execution of D-Day as a framework, several questions come to mind.

First, what level of importance is afforded to Cyber risk at the board level of both the prime and the supplier? Was this risk understood and taken seriously? Consequently, was there sufficient oversight (command and control) to effectively manage the interface between the organisations and the supplier?

Next, was an adequate level of risk management accurately reflected in the contractual agreements between the parties? If you look at D-Day, the Allied operations were being extended into a different operating environment – an extremely hostile one. Now when primes reach out to their suppliers, one hopes it is a benign environment, but if the prime asks all the difficult ’what if’s’, they can then be addressed through the procurement and contractual process. So once the contract is in place, how was its efficacy maintained? Did both parties regularly train together to mitigate the effect of a Cyber attack on the interface between the two organisations? Have the organisations produced and tested detailed recovery plans to minimise the impact of any successful Cyber attack?

Connecting the Past and the Present

Eighty years ago, the UK and its allies demonstrated a clear grasp of how to prepare for and successfully manage complexity. Their legacy provides blueprints for managing very complex environments. Today, in Cyber space, we constantly guard against states and criminals who seek to exploit our weaknesses. Increasingly, Cyber attacks are resulting in physical harm to organisations and individuals and we need to do better.

At our Cyber Leadership Symposium 2024, held in partnership with Lancaster University, we will hear from modern-day leaders on how they utilise proven leadership principles to manage the complexities of today’s evolving Cyber environment and safeguard both themselves and their supply-base. I look forward to the stimulating discussions and seeing you all there.

Templar Executives and Lancaster University invite you to attend our third annual international Symposium on Cyber Security Leadership to be held at Lancaster University on 18th and 19th September 2024.

Hosted by Templar Executives and Lancaster University, this two-day Symposium is a unique opportunity to share thought leadership perspectives and network with like-minded professionals. Whether you’re seeking progress in your career or are a seasoned Cyber leader, this event is tailored for you.