Information Warfare and Deterrence
Appendix D. Defensive Information War: Problem
Formation and Solution Approach
Dr. David S. Alberts
Director, Directorate of Advanced Concepts, Technologies,
and Information Strategies
National Defense University
This briefing was prepared, at the request of the Deputy Secretary
of Defense (DepSecDef), for participants in a series of interagency
meetings about Defensive Information Warfare (IW-D). In addition
to providing some background about the nature of "information"
attacks and their potential consequences, this presentation also
proposes a strategy for dealing with the defensive challenge of
protecting against such attacks.
It is hoped that the IW-D strategy suggested here serves to stimulate
and focus discussion about the ways in which each of the represented
organizations can work together, on a continuing basis, to come
to grips with the daunting task of preparing our Nation to deal
with what may become one of the most vexing problems of the Information
Information Warfare (IW) has grown to become a "catch-all"
term that encompasses many activities long associated with competition,
conflict, and warfare, such as propaganda (including Media War),
Deception, Command and Control Warfare (C2W), Electronic Warfare
(EW), and Psychological Operations (Psyops). This briefing does
not attempt to address all of these aspects of IW, but rather
focuses its attention upon the subset of IW that involves attacks
against information and systems, including what has become known
as "Hacker War" and a more serious form dubbed "Digital
Analogies and Realities
Defending against "Information Attacks" appears to
have a number of characteristics in common with societal efforts
to combat disease, drugs, and crime. Noting these similarities
helps to put this problem into perspective, provides some potential
useful lessons learned, and serves as a relative benchmark.
Before reviewing the specific similarities between combating
Information Warfare (IW) and these long-standing problems, it
should be noted that, while "eradicating" IW may not
be a realistic expectation, significant progress can be made in
defensive IW (IW-D) -- enough so that the risks can be kept at
The problem of IW is similar to the "wars" on disease,
drugs, and crime on a number of dimensions. First, the solution
to any of these problems requires the efforts of a number of organizations,
both public and private. Second, it is unlikely, given the competition
for resources, that any of these problems will be "fully
funded." Therefore, we can expect that there will never be
what those of us who have IW-D responsibilities think is a sufficient
level of funding for IW-D programs. Third, these are not static
problems. Drug cartels and criminals certainly learn from their
mistakes. Even viruses "learn." Thus, defense forces
will be continuously locked in a battle to keep up with attackers.
Fourth, awareness and concern will reach peaks, often accompanied
with frenzied efforts to solve the problem. These relatively short
periods of interest will be followed by longer periods when the
urgency of the problem will give way to apathy. Maintaining funding
and progress during these periods of waning public interest will
be one of the key challenges of leadership in this area. Fifth,
organizations and individuals will learn to make adjustments in
their behavior to deal with IW attacks and their consequences,
many of which will not be predicted. These adjustments will be
made so that those organizations and individuals can accommodate
some level of pain -- a dynamic equilibrium of sorts -- as the
cost of doing business in the Information Age. Finally, solutions
will, of necessity, be compromises. This is due to the natural
tensions that exist among the various stakeholders. Tensions
between law enforcement and civil liberties are a classic
example that has already arisen in the information domain.
Attacks on information systems are already a fact of life in
the Information Age. Although a small portion of these attacks
result in significant loss or damage, the vast majority of them
result in little or no damage -- the crime equivalents of trespass,
public nuisance, minor vandalism, and petty theft. It has been
estimated that over 90 percent of these attacks are perpetrated
using available tools and techniques (based upon incidents reported
to CERT), that only one successful attack in 20 is noticed by
the victim, and that only one in 20 gets reported (these last
two statistics were a result of a DISA study and similar rates
have been reported by others).
Of more concern is the presence of a technically feasible "Strategic"
threat. That is, the means exist to cause significant damage and
disruption to U.S. public and private information assets, processes,
and systems and to compromise the integrity of vital information.
Analysts also have no difficulty identifying groups with the motivations
and opportunities to launch such attacks. Given our present vulnerabilities
as a Nation, a well planned, coordinated IW attack could have
"Strategic" consequences. Such an attack or the threat
of such an attack, could thwart our foreign policy objectives,
degrade military performance, result in significant economic loss,
and perhaps even undermine the confidence of our citizens in the
Government's ability to protect its citizens and interests.
While no "smoking keyboard" has been found to validate
such a threat, the very existence of the means to carry out such
an attack, when coupled with the myriad of motives and the opportunities
that exist, results in our present state of vulnerability. These
circumstances have created a situation that calls for prudent
defensive actions to be taken in the public interest. We need
to be proactive rather than be forced to react after an Information
Age "Pearl Harbor." Moreover, a successful strategic
attack would point the way and encourage others to plan similar
attacks. Hence, we need to go on the offense with a vigorous defense.
Each age has seen war transformed by "modern" means
and concepts. The Information Age promises to be no different.
Some have called the Gulf War the first "Information War"
-- others have called it the last "Industrial Age" war.
The power of information was clearly demonstrated in the context
of "traditional" conflict. Information was leveraged
to significantly improve the effectiveness of all aspects of warfare
from Command and Control, Communications, Intelligence, Surveillance,
Reconnaissance (C4ISR) to logistics.
The effectiveness of the United States and its allies in the
Gulf War has surely somewhat deterred potential adversaries from
taking on our forces in the rather symmetrical manner that Iraq
attempted, and has stimulated thinking about other strategies
for countering conventional forces. "Digital War," enabled
by advances in technology and its widespread adoption as well
as the globalization of economics and commerce, is surely a strategy
that potential adversaries are thinking about to achieve some
of the objectives that have previously been sought by means of
Digital War, a subset of what we call Information War, may be
defined as "non-physical" attacks on information, information
processes, and information infrastructure that compromise, alter,
damage, disrupt, or destroy information and/or delay, confuse,
deceive, and disrupt information processing and decision making.
Digital War intrinsically possesses the ultimate form in some
of the same characteristics that traditional military planners
are striving for -- low cost precision guided munitions, standoff,
and stealth. Digital War threatens the ability of a Nation State's
military to interpose itself between its population and "enemies
of the state," thereby causing a loss of sanctuary. The importance
of sanctuary can be inferred by our willingness to spend significant
resources on air, sea, and missile defenses.
How does one respond to a serious set of information attacks?
Responding with traditional military forces may be politically
unacceptable or, in fact, may be ineffectual. Currently there is
no consensus, even among those in the defense establishment that
think about these issues, regarding how to deal with such an attack.
Another characteristic of information attacks stems from the
loss of sanctuary. Attacks of this sort, particularly when they
consist of more than an isolated incident, create a perception
of vulnerability, loss of control, and loss of confidence in the
ability of the State to provide protection. Thus, the impact can
far exceed the actual damage that has occurred. This non-linear
relationship between actual damage and "societal damage"
makes the problem of Digital War a particularly challenging one
because it creates a mismatch between "rational" defense
responses and their effectiveness.
Given the potential effectiveness of Digital War, particularly
as an instrument of power for niche competitors and non-State
actors, we need, as a society, to take this Information Age form
of war very seriously. If we do not, and if we rely solely on
traditional weapons and concepts of war, we may be building our
own 21st Century Maginot line that can literally be flanked with
the speed of light.
Formulating the Problem
The first step in tackling any problem involves developing an
understanding of the possible environments that may be faced (or
the "states of nature"), one's options, and the objective
that is being sought (Figure 1). This requires an identification
of the variables that are relevant, that is, those that can significantly
influence the outcome as well as the subset of these relevant
variables that are controllable, which form the basis for designing
In a problem as complex as defensive information war, working
to formally formulate the problem accomplishes three things. First,
it provides a useful framework for discussion. Second, it serves
to keep the focus on those specific areas that are either unknown
or in dispute. Third, it serves as a benchmark for measuring progress.
In this case, the states of nature correspond to the nature of
the threat that will be faced vis-a-vis the vulnerabilities of
our information infrastructure while our options correspond to
the strategies we adopt and the actions we take to defend ourselves.
The objective being sought corresponds to a level of infrastructure
performance, its definition and measure being a major challenge
in and of itself.
A good place to start is to try to develop an understanding of
the nature of the threat, or more accurately, the spectrum of
relevant threats. This involves the identification of potential
threats and the estimation of their likelihood. Normally one would
construct a set of states of nature that are mutually exclusive
and collectively exhaustive so that a probability density function
could be used. For the purposes of this discussion, the states
of nature referred to correspond to potential threats grouped
in some logical fashion to facilitate analysis of how well each
defense strategy does in dealing with each of these threats.
Having an initial concept of the nature and range of potential
threats, one can develop alternate defensive strategies and corresponding
sets of action to counter one or more of these threats. A great
deal depends upon what variables we believe we can and should
Each defensive strategy, with its corresponding set of actions,
then needs to be analyzed with respect to each of the threats.
The results of these analyses will be a characterization of the
results or outcomes from pursuing each of the defensive strategies
with respect to each of the threats. These outcomes, which are
basically descriptions of results (e.g., number of penetrations
and their consequences), then need to be translated into "value"
measures that represent their impact. These costs and benefits
provide a rational basis for determining an appropriate defensive
strategy. Much will depend upon how we measure success.
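The formulation just described has the structure of a decision matrix: states of nature (threat regions) on one axis, options (defensive strategies) on the other, an outcome in each cell, and a value measure applied to the outcomes to rank the options. The Python block below is an added illustration of that structure and is not part of the briefing. Every probability and cost in it is constructed; the "information_first" and "security_first" labels are borrowed from the approaches named later on this page, and the "balanced" strategy is an assumed middle option. It also goes one step beyond the text by comparing two value criteria (expected cost and worst case) and by locating the strategic-threat probability at which the expected-cost choice changes, since the argument above turns on how success is measured.

```python
"""Added example: the IW-D problem formulation as a decision matrix.

States of nature = threat regions, options = defensive strategies,
outcomes = consequence of each strategy under each region, value = cost
units. All numbers are constructed for illustration only."""

# Assumed probability that an attack in a planning period falls in each
# region of the threat topology (states of nature).
BASELINE_PROBS = {"everyday": 0.90, "potential_strategic": 0.09, "strategic": 0.01}

# Options: fixed cost of fielding each strategy, in arbitrary cost units.
DEFENSE_COST = {"information_first": 1.0, "balanced": 4.0, "security_first": 10.0}

# Outcome matrix: consequence (damage, same units) if the strategy is in
# place and an attack from the given region occurs.
CONSEQUENCE = {
    "information_first": {"everyday": 5.0, "potential_strategic": 40.0, "strategic": 1000.0},
    "balanced":          {"everyday": 3.0, "potential_strategic": 15.0, "strategic": 300.0},
    "security_first":    {"everyday": 2.0, "potential_strategic": 8.0,  "strategic": 50.0},
}


def expected_cost(strategy, probs):
    """Defense cost plus probability-weighted consequence over all regions."""
    damage = sum(probs[region] * CONSEQUENCE[strategy][region] for region in probs)
    return DEFENSE_COST[strategy] + damage


def worst_case_cost(strategy):
    """Defense cost plus the single worst consequence, ignoring likelihood."""
    return DEFENSE_COST[strategy] + max(CONSEQUENCE[strategy].values())


def best_by_expected_cost(probs):
    """Strategy that minimises expected cost under the given probabilities."""
    return min(DEFENSE_COST, key=lambda s: expected_cost(s, probs))


def best_by_worst_case():
    """Minimax choice: the strategy whose worst outcome is least bad."""
    return min(DEFENSE_COST, key=worst_case_cost)


def breakeven_strategic_probability(step=0.001):
    """Smallest strategic-threat probability at which the expected-cost choice
    becomes 'security_first'. Probability mass is moved from the everyday
    region; the potential_strategic share is held at its baseline value."""
    p_ps = BASELINE_PROBS["potential_strategic"]
    steps = int(round((1.0 - p_ps) / step))
    for k in range(steps + 1):
        p = k * step
        probs = {"everyday": 1.0 - p_ps - p, "potential_strategic": p_ps, "strategic": p}
        if best_by_expected_cost(probs) == "security_first":
            return round(p, 3)
    return None


if __name__ == "__main__":
    for s in DEFENSE_COST:
        print(f"{s:18s} expected={expected_cost(s, BASELINE_PROBS):7.2f} "
              f"worst={worst_case_cost(s):7.1f}")
    print("minimum expected cost:", best_by_expected_cost(BASELINE_PROBS))
    print("minimax              :", best_by_worst_case())
    print("strategic p at which security_first wins on expected cost:",
          breakeven_strategic_probability())
```

With these constructed figures the expected-cost criterion favours the middle strategy while the minimax criterion favours "security_first", and the expected-cost choice flips once the strategic region is judged to hold a little under two percent of the probability mass. The point is not the numbers but that the ranking of options is decided as much by the value measure and the threat estimate as by the outcome matrix itself.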
Given the central role that the threat topology plays in problem
formulation, we will now turn our attention to examining this
The irregular shape of the graph in Figure 2 is intended to show
that boundaries are not well defined. The consequences associated
with a failure to counter a specific attack range, on the one
hand, from isolated and limited consequences to, on the other
hand, consequences of catastrophic proportions.
The threat space can be divided into three areas. On the left
side of the space we can group the vast majority of the threats
that occur everyday. These Everyday threats, while exacting a
certain price, do not pose a threat to our national security.
On the right hand side of the threat spectrum is a small area
that represents those Strategic threats having national security
implications. The third area contains threats that may have national
security implications. These Potential Strategic threats represent
a particularly difficult challenge.
For example, beyond those sets of threats that clearly fall into
either the Everyday or Strategic categories, there are classes
of threats that span the threat spectrum.
Attacks on our national, or for that matter international, infrastructure
do not fall neatly into one area of the threat topology but in
fact populate all three classes of threat (Figure 3). These attacks
on our public safety, energy, financial and communications systems
and services have different implications and consequences depending
on the specific nature of the attacks and the circumstances surrounding
The vast majority of attacks on infrastructure are by hackers
whose motives run the full gamut from having some fun to more
serious forms of antisocial behavior. Some of these attacks are
motivated by profit. While some of these attacks may have serious
consequences in the form of significant losses of data, interrupted
services, or stolen assets or services, only a small number of
these lone perpetrator attacks is likely to have potential strategic
consequences. This is not to say that it is impossible that some
set of circumstances would result in the snowballing of one of
these "hacker" attacks into a National Security concern,
but rather that this outcome is unlikely.
However, infrastructure attacks can be quite serious if they
are well planned and coordinated. Arguably this would require
an adversary with seriousness of purpose and with some sophistication
and organization. This kind of attack would be better named Digital
Warfare rather than be included as part of the group referred
to as Hacker attacks. Depending upon the level of sophistication
of a Digital Warfare operation, its consequences could range from
a "high-end" Hacker attack to an attack with Strategic
So far we have seen the threat topology we face is multidimensional,
somewhat messy and, with respect to the consequences of information
attacks, can behave in a chaotic manner (Figure 4). The dynamic
and interactive nature of the threat makes defending against them
all the more demanding.
Attackers and defenders are locked in an ongoing battle of wits
and resources (Figure 5). Unfortunately, the attackers possess
some inherent advantages. For example, clearly the attacker can
pick the time, place, medium, and method of the attack. The technology
edge also goes to the attacker, for it is very difficult to develop
defenses for unknown methods of attacks -- thus offensive technology
usually is one step ahead of defensive technology. Those who choose
to orchestrate coordinated attacks on infrastructure also have
the advantage that comes from being able to control their attack
more easily than can a number of loosely coupled defenders.
In any event, this is a learning environment for both attackers
and defenders -- a dynamic one at that. In this organic environment,
attackers learn from undetected attacks, whether successful or
not, while both sides learn from detected attacks, whether successful
or not. Both attackers and defenders make adjustments and the
This aspect of the threat means that defense is not a one-time
thing -- it must be a continuous activity. It also means that
collection and analysis of information about attacks are vital
to maintaining parity with attackers. Finally, it means that defenders
must be proactive and undertake efforts designed to anticipate
methods of attack so that timely defenses can be developed.
The proposed "defense in depth" strategy consists conceptually
of three lines of defense (Figure 6). Each line of defense is
designed specifically to counter the threats associated with a
particular region of the threat topology.
The first line of defense is to defend against Everyday attacks,
which constitute most of the threat topology. Based upon the
information available, the vast majority of these attacks can
be handled with basic defenses.
The higher hurdles associated with the Potentially Strategic
and Strategic attacks are then responsible for handling more sophisticated
but far fewer attacks from fewer potential sources. For example,
attacks with strategic implications would need to get through
the first two lines of defense that should filter out all but
the most skilled, resourced, and persistent adversaries. This
means we can concentrate our intelligence and monitoring efforts
on a smaller population which in turn increases the chances of
This defensive strategy also means that we can take different
philosophical approaches with each line of defense depending upon
the nature of the threat. The two endpoints of the philosophical
spectrum can be thought of as the "information first"
and "security first" approaches. In the Everyday region
of the threat topology our approach has been to emphasize access
to information. In the Strategic region, we put security first
by restricting access and connectivity to the point of degrading
performance and efficiency.
Division of Responsibility
Figure 7 graphically depicts a suggested division of primary
responsibility for IW-D between the Public and Private sectors
as a function of the threat topology. The modifier "primary"
is used to make the point that, despite the assignment of responsibility
in a particular area to either the Public or Private Sector, both
Public and Private organizations have responsibilities in each
The topological regions associated with either Everyday or Strategic
threats are the most straightforward. Primary responsibility for
the everyday threat should be the responsibility of the Private
Sector. Handling such threats is simply the cost of doing business
in the Information Age. With the availability of relatively low
cost defenses against these threats, the burden placed on the
Private Sector is affordable. Furthermore, organizations are clearly
in the best position to understand their own systems and the needs
and concerns of their customers.
Responding to Strategic threats is clearly the job of the Public
Sector, although an adequate defense will involve some coordination
with Private Sector and International organizations, particularly
when it comes to the region of the threat topology that contains
threats associated with attacks on the National Information Infrastructure
or other institutions providing vital services.
Framework for Progress
While we have come a considerable distance in our journey to
better understand the nature of this problem, many of us have
been frustrated by the lack of a "supportive" environment
for progress. Although we can continue to make progress, even
on the rocky path we are currently forced to travel, progress
in the six areas identified in the graphic will greatly smooth
out our path and accelerate our progress.
First, one of the key prerequisites for progress is to create
awareness of the problem and its complexities, as well as to foster
a climate that will facilitate discussion and cooperation among
the many groups and organizations that need to be a part of this
effort. Given recent events surrounding some aspects of information
security, we need to start by rebuilding bridges between some
Public and Private Sector groups and organizations.
Second, it is important that we work towards a well defined vision
that clearly lays out what we are trying to achieve and the appropriate
role of Government.
Third, the "rules of the game" need to be developed
and promulgated. Many of our current laws and regulations have
not caught up with the realities of the information age. A set
of "rules" needs to address the establishment of information
security standards, or a minimum level of defense to be associated
with different kinds of data and information services. These would
be similar to the recent development of privacy standards.
Fourth, self-interest, even enlightened self-interest, and the
desire of individuals and organizations to be good citizens
are not enough to ensure that appropriate actions and defenses
will be developed and employed. Resources need to be provided
for Government organizations to help implement this framework
for progress and to develop and implement the needed defenses.
We also need to provide incentives that encourage Public Sector
organizations to do what is collectively needed. In some specific
cases, the Government will need to actually provide funds to Private
Sector organizations to implement enhanced security.
Fifth, the solution to this problem depends on a great deal of
cooperation among disparate groups and organizations. Mechanisms
to facilitate and enhance cooperation including the establishment
of panels, groups, and clearinghouses need to be developed.
Sixth, we need to fix responsibility for the many tasks involved
in IW-D. We need to decide questions of jurisdiction. We need
to make liabilities known and well defined. Finally, we need to
clearly establish the responsibility of each organization. The
nature of organizational responsibilities is discussed in more
None of these six aspects of the framework for progress is likely
to be accomplished anytime soon. One only need review the legislative
process and experiences with the translation of privacy concerns
into a set of rules of the game to realize that it will be quite
a while before each of these foundational pillars is in place.
However, we must begin now to foster discussion of these issues
and try to keep attention focused on this subject.
Responsibilities: Everyday Threats
The primary responsibility for the Everyday region of the threat
topology falls upon the Private Sector (Figure 8). First and foremost,
Private Sector organizations must assume responsibility for the
protection of their own systems. When "security" laws
and regulations are legislated and formulated, these organizations
will, of course, also be responsible for adhering to these rules
of the game.
Given the time it may take to develop and put in place a legal
and regulatory framework to deal with the myriad of information
security issues, it is proposed that, on a voluntary basis, Private
Sector organizations assume the responsibility for reporting incidents.
It is hard to overstate the importance of the collection of information
related to information attacks and its analysis. Without the development
of a body of knowledge concerning these attacks, efforts at building
defenses will be severely hampered.
The Government (including Federal, state, and local levels) must
assume certain responsibility for this region of the threat topology
as well. Clearly, the Government bears the responsibility for
protecting its own systems and for the enforcement of appropriate
laws and regulations. Given the importance of gaining international
cooperation on this problem which knows no state boundaries, the
Government must take on the negotiation of the necessary treaties
Clearly, the collection of incident data with respect to its
own systems is also a Government responsibility. But given the
importance of pooling information to gain a more accurate situation
assessment, Government must also put in place appropriate mechanisms
for data sharing and analysis and for its dissemination. Issues
related to classification and security of this data and its analysis
products will need to be addressed. A way must be found to get
this needed information to individuals and organizations.
For those of us who thrive on challenges, this is a great line
of work. The five key challenges we face have been identified
- Increase awareness and understanding of the threat/vulnerabilities;
- Develop a strategy for IW deterrence;
- Implement defense in depth strategy;
- Improve I&W capabilities; and
- Develop responses to IW attacks.
Success requires that everyone be on board. Therefore, it is
important that we continue to work to increase awareness of this
problem and to develop a better understanding of both the nature
of the threat and our vulnerabilities.
The first line of defense is deterrence. Not enough effort is
being devoted to developing and gaming possible strategies. In
mid-February ACTIS is sponsoring a workshop on this subject and
we hope to gain a better idea where the latest thinking is on
this subject, stimulate more thinking about the subject, and bring
some key issues into sharper focus.
Given the trifurcated threat topology and the very different
nature of each of the three threat regions, implementing the proposed
"defense in depth" strategy will be a considerable undertaking.
This challenge, as well as the first two challenges just mentioned,
will be discussed in great detail below.
The fourth challenge is to improve our ability to see an attack
coming, or provide "indications and warning" (I&W)
of attacks in a timely fashion. Given that currently, in many
cases, an attack in progress is not even recognized, this will
be a tall order.
The remaining "top five" IW-D challenge is to develop
responses to IW attacks. Responses to attacks include identification,
interdiction, apprehension, and punishment (possibly including
We have much to learn and many to educate. When many of the individuals
who need to become more aware of the threat and its potential
consequences are exposed to the subject only by reading novels
or going to the movies, we cannot really expect to develop the
degree of understanding required. When the only exposure to the
subject is through fiction, it is no wonder that the threat may
be dismissed as fictional. There are still many individuals in
key positions in both the Public and Private Sector who need to
have a better appreciation for this problem and to be more motivated
to work the issues.
On the other hand, admittedly we are not in possession of a great
abundance of factual information. While we have clear indications
that some potentially serious attacks, even crippling attacks,
are technically feasible, as has been pointed out, there is no
"smoking keyboard" to show. Yet it should be pointed
out that the time it took to create a working atomic bomb from
the time its theoretical feasibility was recognized surprised
many, even the most knowledgeable scientists.
Our ignorance about the nature of potential attacks is mirrored
by a lack of knowledge about the effectiveness of current and
developing defensive techniques and strategies.
When our systems are not being adequately monitored and incidents
are not being adequately recorded and investigated, it is hard
to see how we can develop the vastly improved understanding of
both the threat and the effectiveness of defenses we require.
Increased collection and analysis is clearly needed to provide
the empirical foundation required to a) increase awareness, b)
increase our understanding, c) support planning, and d) develop
IW Deterrence Issues
With the dawn of the atomic age came the recognition that developing
strategies for deterrence and counter proliferation needed to
be pursued with a sense of the utmost urgency. IW differs from
atomic warfare in a number of significant ways and therefore lessons
learned from our experience in developing a workable strategy
for deterrence may not apply directly to the problem of deterrence
of IW attacks, but certainly may provide a starting point or checklist
The chart above lists some of the compelling issues related to
the development of a deterrent to IW attacks.
While raising the defensive threshold, thereby making attacks
more difficult and costly as well as limiting the damage they
can do, is widely recognized as an important component of any
deterrence strategy, an issue that needs to be addressed relates
to the "height" of the threshold. What is more defense?
When does more defense become counterproductive?
Another critical issue is whether or not having and indicating
a willingness to employ a potent offensive IW capability would
be an effective deterrent, and if so, in which particular set(s)
Given the low cost and small footprint required, non-state and
even individual actors may gain the wherewithal to pose a strategic
threat. How can one gain leverage on these kinds of adversaries
to deter them from launching such attacks?
Other key issues include the nature of preemptive actions that
could be employed and the relationship between punishment (or
retaliation) and deterrence.
Building defenses into systems presumes we have the means to
do so. Many of the defensive capabilities we currently have are
not adequate for certain known levels or types of attacks, not
to mention technically feasible but undocumented attacks. The
following are some areas in which we could use some advances in
Real-time intrusion detection is clearly a key element in any
set of defenses. Our ability to detect, in real time, intrusions
into our systems and the identity of the intruder is currently
It does not take very long to carry out an information attack.
Damage can occur in an instant. Clearly an automated capability
to respond to an intrusion that can prevent or limit the damage
would be highly desirable.
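The two paragraphs above ask for detection in real time and for an automated response that limits damage. As an added example, not taken from the briefing, the Python block below shows the shape of such a mechanism: authentication log lines are consumed as a stream, a sliding window of failed logins is kept per source address, and when the window crosses a threshold the detector emits a containment decision once and suppresses further alerts for that source. The log format, the sample lines, the thresholds, and the "quarantine_source" action are all constructed for this illustration.

```python
"""Added example: a minimal real-time failed-login detector with an
automated containment decision. Log format, thresholds and the action
name are assumptions made for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Source 10.0.0.5
# fails six times in eight seconds; 10.0.0.7 fails twice, minutes apart.
SAMPLE_LOG = """\
1996-01-10T09:00:01 gw1 auth: Failed login for root from 10.0.0.5
1996-01-10T09:00:03 gw1 auth: Failed login for root from 10.0.0.5
1996-01-10T09:00:04 gw1 auth: Accepted login for alice from 10.0.0.9
1996-01-10T09:00:05 gw1 auth: Failed login for admin from 10.0.0.5
1996-01-10T09:00:06 gw1 auth: Failed login for guest from 10.0.0.5
this line is malformed and must be skipped, not trusted
1996-01-10T09:00:07 gw1 auth: Failed login for oracle from 10.0.0.5
1996-01-10T09:00:08 gw1 auth: Failed login for backup from 10.0.0.5
1996-01-10T09:00:09 gw1 auth: Failed login for bob from 10.0.0.7
1996-01-10T09:05:00 gw1 auth: Failed login for bob from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>Failed|Accepted) login "
    r"for (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return an event dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


class FailedLoginDetector:
    """Sliding-window counter of failed logins per source address."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.quarantined = set()             # sources already acted on

    def observe(self, event):
        """Feed one parsed event; return an alert dict when the threshold is crossed."""
        if event["result"] != "Failed" or event["src"] in self.quarantined:
            return None
        src = event["src"]
        window = self.failures[src]
        window.append(event["ts"])
        # Expire failures older than the window so bursts, not lifetime totals, trigger.
        while window and event["ts"] - window[0] > self.window:
            window.popleft()
        if len(window) < self.threshold:
            return None
        self.quarantined.add(src)   # act once; later failures from this source are suppressed
        return {
            "source": src,
            "host": event["host"],
            "time": event["ts"].isoformat(),
            "failures_in_window": len(window),
            "action": "quarantine_source",   # hypothetical containment step, an assumption
        }


def run_detector(log_text, threshold=5, window_seconds=60):
    """Stream log lines through the detector and collect the alerts it raises."""
    detector = FailedLoginDetector(threshold, window_seconds)
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = detector.observe(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LOG):
        print(alert)
```

Two limits of this sketch bear directly on the text. A source address is not the "identity of the intruder" the paragraph asks for; it is only where the traffic appears to come from. And an automated response is itself a capability that can do damage if the threshold is badly tuned, so the decision and the events behind it should be recorded as carefully as the attack would be.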
Given our increasing reliance on COTS, we need ways to cost-effectively
make sure that the software we buy does what we want it to and
only what we want it to. Any Information Age organization buys
millions of lines of code each year whose exact origins are not
known with any degree of confidence. Automated tools to perform
quality assurance (QA) and to verify and validate (V&V) the
code would be an immense help.
Knowing for sure that data was not altered or compromised and
that the source of a piece of data or a message was verified would
go a long way in the effort to combat certain types of IW attacks.
More work needs to be done to provide cost-effective data and
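One established mechanism for the two properties this paragraph asks for, data that has not been altered and a source that can be verified, is a keyed message authentication code. The Python block below is an added example and not something from the briefing; it uses HMAC-SHA256 from the standard library, and the key, the second party's key, and the order text are constructed. It shows the genuine case alongside the three failure cases a receiver must reject: a changed message body, a tag produced under some other party's key, and a truncated transmission.

```python
"""Added example: integrity and origin check with a keyed MAC (HMAC-SHA256
from the Python standard library). Keys and message are constructed."""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def seal(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the receiver can check the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the message if its tag verifies under `key`, else None.

    A changed body, a tag made with another party's key, or a truncated
    blob all fail the same way: the receiver learns only that the data
    cannot be trusted, not which of those happened."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time compare: a plain == could leak tag bytes through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def demo_results():
    """Exercise the four cases a receiver cares about; all inputs are constructed."""
    key_shared = b"constructed key known to sender and receiver only"
    key_other = b"constructed key held by some unrelated party"
    order = b"ORDER 17: shut valve 3 at 09:00"

    genuine = seal(key_shared, order)
    tampered = bytearray(genuine)
    tampered[6:8] = b"71"                  # ORDER 17 -> ORDER 71, tag left untouched
    forged = seal(key_other, order)        # right text, but not from a holder of key_shared

    return {
        "genuine": open_sealed(key_shared, genuine),
        "tampered": open_sealed(key_shared, bytes(tampered)),
        "wrong_key": open_sealed(key_shared, forged),
        "truncated": open_sealed(key_shared, genuine[:10]),
    }


if __name__ == "__main__":
    for case, result in demo_results().items():
        print(f"{case:10s} -> {result!r}")
```

A MAC establishes origin only among the holders of the shared key and says nothing about replay of an old genuine message, so a sequence number or timestamp inside the protected body is normally needed as well. Where a third party must be able to verify the source, or the sender must not be able to disown the message, a digital signature is the right tool instead. In either case the hard, and costly, part is distributing and protecting the keys, which is the cost-effectiveness problem the paragraph points at.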
The problem is real. Our citizens and the organizations that
provide them with the vital services they need can find no sanctuary
from these attacks. The low cost of mounting these attacks has
enlarged the field of potential adversaries and complicated efforts
to collect intelligence and array our defenses. The consequences
of a well planned and coordinated attack by a relatively sophisticated
foe could be serious. Even the threat of such an attack or "digital"
blackmail is a distinct possibility. How the public will respond
to the threat of IW infrastructure attacks or to actual attacks
is unclear, but their reactions will be a major determinant of
future policy and actions.
This situation is getting worse with the rapid proliferation
of information technology and know-how. We are becoming increasingly
dependent upon automation in every aspect of our lives. As information
technology becomes an essential part of the way organizations
and individuals create products and provide services, the need
for interconnectivity and interoperability increases -- and with
this increased need for exchanges of information (and product),
vulnerabilities increase. Finally, the increased reliance on COTS
makes it more and more difficult for organizations and individuals
to control their own security environment.
Given this situation we need to focus upon two things. First,
we need to find a way to protect ourselves against catastrophic
events. Second, we need to build a firm foundation upon which
we can make steady progress by continually raising the cost of
mounting an attack and mitigating the expected damage.