This chapter will address Complexity, Systemic Risks and Converging Technologies from a different point of view to raise awareness of possible challenges we will face from Converging Technologies, which might not be the focal point of current considerations of the Security Sector.

Network Centric Warfare

I would like to start my considerations 15 years ago when Network Centric Warfare (NCW) was also a big topic in the Austrian Armed Forces. We discussed how we can improve our military capabilities to hit enemy forces in a better way because of new technologies and the possibility to connect sensors, command and control systems and actors in a much better way than we could ever have done before.

But what really happened?

Not specific to the Austrian Armed Forces, because we were luckily not engaged in major military conflicts. But as an example of the US Forces which were the major driver behind Network Centric Warfare. We could say they were really successful by using this concept in military operations, as in Iraq or in Afghanistan, at least at the beginning of the wars. But was this sustainable too? Not really. The hightech forces, especially the supply chains, were successfully targeted by enemy forces and caused major causalities and cost an enormous amount of money. This was done by using simple but highly sophisticated low cost techniques, like using mobile phones to build efficient road side bombs, for example. The so-called Islamic State succeeded in establishing itself and spread within a very short time to a very large area also by using modern technologies like Social Media to recruit followers and to broadcast propaganda. And also mass migration from the former war theatres started, which also occupied the Austrian Armed Forces, but in a completely different way from we had thought before. So the primary military operations were very successful by using new technologies and the concept of Network Centric Warfare, but it was not possible to bring peace and democracy to the countries, which was the official trigger for using military forces in those countries.

Missing holistic approach and view

So my conclusion is that our preparations for Network Centric Warfare were important but did not extend to the whole topic. The focus had been mainly on hard military targets – which is the main task of military forces – but missed major developments alongside. And it had been assumed that the opposing forces were not connected, or not using similar systems to those of the military forces. With hindsight this was short-sighted and a wrong conclusion.

The focus had been on hard military targets but the real enemy was soft and poorly organised as we assume enemy forces to be. This current enemy is using new civil technologies with capabilities, of which we dreamed 15 years ago in military forces and we still do. Everybody can communicate wirelessly worldwide, using GPS – originally a military system – to beat hightech military forces, having always the latest maps from all over the world; all this does not cost much money and it fits in everybody’s pocket. We have missed the fast technological improvement on the non military side, which also led to the possibility of hitting military forces hard with less effort.


If we had considered Moore’s Law or exponential growth as described by John Casti in chapter 1, we could have been more mindful and aware of possible developments. This should be also a major lesson learned for the future. Therefore both of these chapters with an off-topic consideration at first appearance are so important for addressing possible future developments in the sector of Converting Technologies, even if we will still not be able to predict the future. But if one knows how complexity works and which challenges are connected to it, one will be much more able to handle these developments.

Did we learn the right lessons?

Back to Network Centric Warfare. We still have to ask if we learned the right lessons from the past within the Security Sector and especially in Military Forces. Aren’t we still focusing on air strikes to beat enemy forces which are mainly diffuse, asymmetric forces and not organised as we were used to during the Cold War? Isn’t it unclear what we are really achieving and how big the collateral damage is? Did this change anything about the political aims for the area, or in general? Did this change anything in our military planning?

As we have already learned, the main driver for the said developments was – and is – interconnectivity by easily available ICT (information and communication technology) and, therefore, the amount of available information. So the question is, do we now have the capabilities to control information of hostile forces? Can we disturb their information flow? Do we know what is going on? Can we stop virtual support? Not really, even if the drone war of US Forces is based on information gathering and tracking of digital traces. But most other Security Forces do not have these capabilities.

Even if we are very careful with this topic; these capabilities could also be misused (non-intended side-effects). However, we will not be successful if we only focus on hard military targets and on solutions which were successful in the past.  We also do not want to have a mass surveillance as e.g. NSA does. The question is whether we really need this on a very large scale, or could it also work on a small, focused scale, as described by the concept of Electronic Warfare. We should not throw the baby out with the bath water. So broader discussion and transparent decisions will be needed to answer these questions.


This is also a good example for the fact that we live in so-called VUCA-times, the acronym for volatility, uncertainty, complexity and ambiguity which is directly connected to the increasing complexity caused by the ongoing man-made interconnectivity between everything. In particular, we are not used to dealing with ambiguity.

Transformation to Network Society

During the Industrial Age we had simple structures and clear hierarchies which worked very well most of the time. But we are now, reaching back to the 1950s, in the transformation to the Network Age or Society which will change the way of life and societies fundamentally.  In considering ongoing developments, it is dangerous to adhere currently to the knowledge and experience of former times, even if past solutions were successful in their day.

One major challenge will be that Industrial Age structures and thinking will not completely disappear, but they will lose more and more influence and importance. This will increase complexity and requirements for those who must keep up with the developments and will have to cope with new challenges.

But where is the link to Converging Technologies now?

It is the transformation to Network Society and the digitalisation process which leads also to Converting Technologies and Emerging Risks. On the one hand, these developments just allow the fast and far-reaching improvements and, on the other hand, this leads to completely new challenges and risks and, therefore, to the Security Sector too. In our culture we are often used to having only an either-or-view or thinking, which will no longer address future developments in the right way. It may have worked more or less in simple Industrial Age structures, but will not do so in complex Network Age structures. Therefore we will need an as-well-as-thinking to address reality and ambiguity as we can see it already on an almost daily basis. Other statements and points of view may sound easier and give short clear answers; however, in complex surroundings those are often false and harmful in the long term perspective as can be seen in the increasing populist tendencies at the moment. They have short and very simple answers to many open questions and people believe them, even though we already know that they will not function and are dangerous for our societies.

Systemic risks

This will also be similar to developments and reactions to Converging Technologies. We often try to address new possible risks with successful methods from the past which can hardly cope with increasing interconnectivity and complexity. So the rise of systemic risks is hardly observed. Systemic risks are characterised by a high degree of interconnectivity and interdependencies and missing outreach limitation. Cascading effects are possible. Because of complexity and feedback loops, there are no simple cause-and-effect-chains and the triggers as well as the impact are systematically underestimated by responsible persons and organisations.

From my point of view, the most dangerous systemic risk in the short term perspective is contained within the Europe-wide electrical power system. If this system failed, the effects could have major cascading and disruptive effects on the entire European society. Also the Network Centric Warfare example showed up the underestimated developments. Therefore systemic risks are the root for X-Events, as described by John Casti in Chapter 1.

What does complexity mean?

Complexity is already a part of everyday language usage, even if different meanings are often related with it which could be described by opacity, uncertainty, dynamic and so on. To address complexity in a very short way, it can be also described by some typical characteristics:

  • Changing system properties because of feedback-loops and therefore the possibility for emergent new properties of the system. As an example: oxygen and hydrogen are flammable gases; those two elements combined with aqua lead to a liquid that disguises a fire. Even if we knew the character of the gases, we would not be able to foresee the character of the new element.
  • This also causes non-linearity where our approved risk management systems inevitably fail and predictions are difficult or impossible. They may work for a time as usual, but in one moment the system behaviour could change completely.
  • Interconnectivity leads to an increasing dynamic (faster and faster …) because the opportunities of the system behaviour are increasing.
  • This leads also to irreversibility (no way back) and the impossibility of reconstructing the causes or restarting at a well known point. As an example of a complex system, take a creature: you can not cut creatures into well-structured pieces, analyse them and put them together again. It will not work. And this is valid for all complex (alive) systems. This only works with complicated (“dead”) systems (machines).
  • Another very well known characteristic is that small causes could lead to large effects (“butterfly effect”). A small problem in a supply chain link could bring down the whole system/production, as we have seen recently.
  • Yet another characteristic that is often underestimated are delayed and long term effects. Especially in our very short-range focused economy. The figures are orientated towards quartiles. We know that apparent short-term solutions often have a negative impact on a long-term view and that for long-term success acceptance of short-term disadvantages is often needed. You can take asbestos as an example of long-term effects. It was for years a “wonder material” with great qualities until people learned that it also has some negative long term side-effects and causes cancer. Now it has to be removed in compliance with high security requirements and at high cost. Imagine what such an example could mean in terms of GN-technologies. It will not be possible because of the size of the material. As described by John Casti, an X-Event could be the consequence.

Which challenges are we facing?

First we have to know that in nature there are only complex, open systems. But they are new on a technical level, especially the increasing interdependencies (vulnerabilities). And we are still used to dealing with linear simple machines and not with complexity which is caused mainly by a lack of education and training. Especially in the education system we often still train and teach as was necessary for the Industrial Age but that is hardly what is needed in the upcoming Network Age; even a black and white description is too simple.

Lack of knowledge and systemic thinking

There are of course improvements but, in general, they can not keep up with the fast developments on a technological basis. Even though there are people who have the necessary knowledge to develop these emerging and converting technologies, most of the people do not have such knowledge, including in areas where they should have, such as in public authorities or regulatory bodies to protect public interests. In particular, administrative bodies are often still organised under good old hierarchical structures which are hardly able to cope with the fast changing VUCA-developments. Not to mention the fact that often interconnected special knowledge and fast reaction are needed. Today nobody could know everything any more and therefore we have to arrange more flexible ad-hoc networks and interaction among different experts to address complex dynamic challenges. We improve and raise interconnections between technical systems more and more but the necessary interconnection between people and organisations to cope with non-intended side effects is lagging behind. This leads again to complexity gaps which implicates systemic risks and danger of X-events!


I would like to give you another example. Are we prepared for the challenges which are connected to Cyberspace? At the moment we are mainly focusing on cyber crime and data breaches. But this is just the beginning. We should be much more aware and worried about our Critical Infrastructures (CI). Yes we have established Critical Infrastructure Protection, Cyber Security and Cyber Defence. But protection is not enough because there is no 100% security, anywhere.

Therefore we have to rethink our system design, because the way we have organised not only our infrastructures but also our reaction capabilities is not appropriate for handling X-events. We are not prepared for dealing with major infrastructure interruptions either. And with the ongoing establishment of interconnectivity and interdependencies, especially in our infrastructures, the danger of far-reaching X-Events is growing.

We still have different “silos” from those we had in the past. So we have a Critical Infrastructure Protection and Cyber Security where the police are responsible. Military forces should be responsible for Cyber Defence. But if Cyber Security fails and cascading effects bring down infrastructures, there will be no second line of defence where Cyber Defence could be successful. The only task will be to clean up the mess on a very basic level, not virtual.

So what does this mean in the context of Converging Technologies?

The main question is what are we speaking about? Are we speaking about possible military developments, which are of course there, but mainly concentrated on a small scale like Network Centric Warfare?

Or should we speak and focus more on possible other realities which should concern us more and will occupy us as Security Sector any way? Like drones over Critical Infrastructures which could lead to major cascading effects, or drones which hit aeroplanes and could bring them down. Or about already existing biological invaders which could lead to an environmental collapse? And how much more easily could this happen with GNR-technologies? Therefore we have to recall complexity and some of its characteristics: Small causes, large effects, delay/long term effects, irreversibility, increasing dynamic and so on.

Possible consequences for the Security Sector?

The main question is: Who is responsible? – It is not defined, because nothing major has happened until now. But that is not the way to deal with uncertainty. Military Forces are principally qualified to think ahead and to address security developments before they escalate.

This requires us to be vigilant. To have early warning systems and to be mindful of weak signals. Because developments always follow an s-curve. Very slowly and on a low level at the beginning. But at one point, the development increases in an exponential way and soon a critical point will be reached with no way back. If the weak signals are missed, you can hardly follow up the developments. And we are really poor at understanding exponential developments.

The only chance to keep up with VUCA-developments and GNR is to stay flexible and agile and not to resort to past military core skills. The challenges will not come only from the known side / enemy. Therefore we need an as-well-as-thinking: we need both and need to look on both sides of the coin. So the Security Sector will be confronted with rising requirements.

Of course there is still the question as to who is now responsible. Nobody and everybody. These topics are new to our society and therefore a new way of thinking and acting will be needed. Less than we did until now because an increasing technical connectivity also needs a joined-up systems thinking, not only in the military forces but also within the whole Security Sector.

Learning from nature – “small is beautiful”

Therefore we should also learn more from nature which has a very long history and development phase. Only survivable structures and organisms were successful and are still here. We often miss the so-called “silent witnesses”, those who did not survive and are not to be found in history books. So one major structure which succeeded is: “small is beautiful.”

  • Small structures are more flexible and robust against strokes (asymmetry).
  • People are more resilient in small structures.
  • You can not prevent the development, but early warning is an important part of navigation and we have to prepare to cope with uncertainty and with major incidents/disruptions (X-events).
  • It is all about communication and knowledge. If people and decision makers know the challenges, they can react and prepare before crisis/disruption or change the path.
  • Security Communication will be a main driver to increase resilience of people and to be capable of acting in case of uncertainty and after X-Events.
  • “Understanding the problem is half of the solution” as Albert Einstein stated.

So we are moving on a very narrow path. Benefits and risks are very close together. One main question is, therefore, are we mature enough?

The good news at the end:

  • Near future X-Events will most likely not be triggered by GNR – even if we cannot give a guarantee.
  • But we should consider major temporary infrastructure collapses and social unrest, because there have been/are many weak signals which we have ignored until now.
  • We also have to be mindful of weak signals on other topics – like GNR.
  • And we should learn more from history – and transform this knowledge into the future; even though history will never repeat itself, there are similarities we should search for.

This conference and this book will be just the start to increase awareness of new challenges for the Security Sector in respect of Converging Technologies and Emerging Risks.



Herbert Saurugg has been a career officer in the Cyber Defence Section of the Austrian Armed Forces until 2012. Since then he has been on leave and is engaged in raising awareness about the increasing systemic risks due to the rising interconnections and dependencies between many Critical Infrastructures, which is contributing to extreme events. He is known as an expert on the topic of blackout – a Europe-wide power-cut and infrastructure collapse, where he has initiated a civil society initiative to raise awareness and preparation among all stakeholders throughout Austrian society. He is also a founding member of the association Cyber Security Austria which is the master mind behind the European Cyber Security Challenge. As a result of his systemic reflections he is calling for more efforts to raise awareness and resilience throughout our societies to face major extreme events in the foreseeable future.