Information Warfare and Deterrence
Chapter 1. Terms of Reference
Background and Purpose
The Workshop on Information Warfare and Deterrence was held at
the National Defense University as the sixth in a series sponsored
by the Directorate of Advanced Concepts, Technologies, and Information
Strategies (ACTIS). The topic arose both from (1) issues that
surfaced in earlier workshops on subjects as diverse as Coalition
Command and Control (C2), Technologies and Operations Other Than
War (OOTW), and Command Arrangements for Peace Operations; and
(2) interests expressed by ACTIS sponsors in the Joint Staff (J-6)
and the Office of the Secretary of Defense, Assistant Secretary
of Defense for Command, Control, Communications and Intelligence
As with past ACTIS workshops, this one brought together senior
analysts and technical experts, as well as active military leaders
and action officers with operational responsibilities in the affected
areas, for a non-attribution discussion working toward consensus
or clear articulation of alternatives and their consequences.
The list of attendees is included as Appendix A. The overall goal
of the workshop series is to conceptualize and develop Mission
Capability Packages (MCPs) that will support effective decision
making and command and control in arenas where DoD has significant
responsibilities. As Figure 1 illustrates, MCPs are coherent blends
of doctrine, command organization, education, training, systems,
and force structure that increase the likelihood of mission accomplishment
across a range of anticipated situations and threats. Workshops
are a beginning point for MCPs, suggesting novel concepts for
later revision and analysis. As this process develops, the MCP
is refined and its implications become better understood until
an implementable concept emerges which can be passed from the
research and development community to the practical world of implementation
When exploring new or relatively new concepts like the relationship
between IW and deterrence, analysts can be fairly certain that
outcomes will likely be different than expectations. With this
in mind the workshop sought to bound the initial explorations
to those that might logically be achieved in a two-day effort.
The workshop focused on three principal issues:
- What, in today's world, do the terms "deterrence"
and "information warfare" mean and how are they related?
- How might IW attacks on the United States be deterred, if
at all? This issue was broken, for practical analysis, into
"cyber-attacks" and "media warfare" attacks.
- Can the United States use IW to deter other kinds of attacks
on itself, its allies, or its interests?
This workshop was conducted at the Secret level (except for one
unclassified discussion of media war). Being restricted to classification
levels no higher than Secret inhibited discussion of some topics
largely by preventing discussion of particular systems and examples.
However, the participants were still able to engage in a rich
give-and-take and achieved a high degree of candor. A series of
more focused roundtables (smaller working groups with selected
expertise) is planned to follow up on significant issues left
unresolved or where more sensitive issues need to be considered.
Evidence Based Research, Inc. served as workshop organizer and
rapporteur for the discussions.
Key Concepts and Implications
On one level, deterrence and information warfare are well matched.
Both belong to the world of robust ideas with broad implications.
Both are highly relevant to the post-Cold War era in which conflict
has been transformed from bipolar global structures to multi-sided,
local and regional contests in which the military element is a
crucial part of, but not the driving force for, competition and
conflict. On the other hand, the two topics can be seen as orders
of magnitude apart. IW is a huge domain, ranging from media wars
to electronic combat and from economic competition to strategic
conflict waged against civilian populations. Deterrence is actually
a narrow topic that only applies when a set of quite restrictive
assumptions apply. Not surprisingly, therefore, the workshop participants
found the relationship between the two concepts to be spottyùhighly
relevant on some topics, marginally so on others, and not at all
relevant in many areas.
Deterrence as a Concept
Many of our common notions of deterrence arise from the recently
concluded Cold War. Strategic deterrence was equated with deterring
both a Soviet invasion of Western Europe or a first strike on
the United States, by the assured ability to reply with a devastating
nuclear attack on the Soviet UnionÆs homeland. The workshop
participants were well aware that most ôdeterrence theoryö
is largely a product of that Cold War era. This suggests that
those whose experience is from that era may bring extraneous concepts
or baggage to the topic. Hence, they also heavily agreed that
deterrence applications outside the nuclear war arena must be
thought through carefully and should be exposed to domain experts
from the appropriate arenas before they are considered mature.
Throughout history the primary form of deterrence has been defenses.
These defenses have been both passive and active. Passive defenses
include fortifications, moats and natural features such as rivers,
oceans and high ground, and serve to deter by making attacks more
difficult and costly. Active defenses and their ability to deter
can best be summed up by the quotation frequently attributed to
President Theodore Roosevelt: "Speak softly and carry a big
stick." In the aggregate, this involves military defense
Military capability or force is obviously not the only way to
deter. For example, economic self-interest may deter. Just as
an employee is restrained from insulting his employer or a businessman
from annoying his customer, nations may be restrained from some
information adventures either by the direct cost of the adventure
or by the harm to future trade and other economic activity that
may result. Building economic interdependency can therefore be
considered as a form of deterrence. Likewise, information actions
and interdependency might also be a kind of deterrence.
In any sphere, the retaliatory capability need not be real; but
it must be perceived as real. Conversely, capability to deter
may be insufficient if the adverse party is unaware of the capability
or is not persuaded that the capability might be used. Military
examples include the Strategic Defense Initiative as deterrence
through perception management, and the reverse, when the perception
of U.S. military might did not deter Iraq's 1990 invasion of Kuwait.
Saddam Hussein either underestimated our power or our willingness
to use that power.
Deterrence in the Information Age
The workshop readily reached consensus on a basic definition
of deterrence as "prevention or discouragement, by fear
or doubt, from acting." Clearly this definition implies
an actor and a target. Moreover, the group also agreed on a simple
set of conditions necessary for successful deterrence. These were
- A threat to something of value that exceeds the perceived
gain of non-compliance.
- A clear statement of the behavior to be avoided or performed.
- Clear and unambiguous communication of the threat and the
desired or proscribed behavior to the target.
- Credible threat, meaning that the actor is perceived by the
target to have the will and capability to execute the threat.
- Situational constraints that make it impossible for the target
to avoid punishment.
- Controllability of the threat and its implications by the
The Domain of Information and Information Warfare
The simple, but crucial, step of defining what is encompassed
by the term "information" is all too often ignored by
those who write about its importance and its future. Appendix
B is a study of the information dominance concept that was
included as read-ahead material for workshop participants. It
examines the hierarchy of information and the relationships of
information interactions and the players who function in the arenas
of interaction. It further suggests that what is commonly understood
as "information warfare" might be too narrow a focus
that ignores other significant information interactions across
and through the full scope of human activity. Appendix
C (also read-ahead material) addresses information warfare
from perhaps the less theoretical and more practical viewpoint
of a professional military practitioner. In spite of the contrasting
approaches, both papers strongly assert that what we call information
warfare today goes well beyond mere military interactions.
As Figure 2 illustrates, three relatively independent dimensions
were required to capture and describe the information warfare
arena: the degree of conflict/cooperation, substantive focus (political,
military, social, economic, and so forth), and the nature of the
actors involved (individuals, private organizations, nation states,
international organizations, the general public, media, etc.).
The workshop participants generally accepted the broad nature
of the information warfare domain and the central role of information
systems and processes in the world today. However, they inferred
several very important implications from this broad characterization
of the relevant domain.
- First, the term "information warfare" is used to
mean many things, but is often focused on the military domain
or the cyber-war domain dominated by computers. This narrow
definition is inconsistent with the broad policy questions relevant
to competition and conflict using information media.
- Because information warfare is really a broad and diverse
arena, analysis of it must be focused on selected elements,
which must be clearly defined in each application. Overall,
the field is so broad that virtually no meaningful generalizations
can be drawn about it.
- Isolation (except in rare instances), of military, national,
public, and private information systems is all but impossible
today. Even very important military traffic is likely to be
carried on national infrastructure systems. Public and private
information sectors are heavily interdependent, and this linkage
will continue to grow.
- A whole raft of information systems make potential targets
-- banking systems, control systems for railway operations,
air control systems, control systems for pipelines, media systems,
and others. Only a fraction of those are primarily military
or under the direct protection of the Department of Defense.
- As has been stressed by ADM Owens, Vice Chairman of the Joint
Chiefs of Staff, the civilian sector is no longer a sanctuary
that can be protected by interposing military forces between
adversaries and their targets. Traditional military forces can
be flanked at the speed of light by information age attacks
on the general population or key economic systems.
- More profoundly, there is no consensus on the appropriate
boundary between the military and Department of Defense roles
and missions, those of the law enforcement and intelligence
systems, and those of the commercial sector.
Workshop participants were aware of a variety of policy initiatives
to create interagency working groups and coordinating mechanisms
as well as public-private dialogues and mechanisms for both exchanging
information and developing plans for dealing with information
age threats that cut across communities. Considerable progress
has been made in generating better awareness of the threat and
there is some effort toward cooperation. However, the general
consensus was that these helpful activities were only now developing
momentum and were far from successful completion.
Information Warfare and Deterrence
It is clear that the information age has spawned new relationships
and greatly expanded the range of possible interactions. It is
no longer possible to separate and isolate military, national,
public, and private systems. Thus, concepts of national security,
to include protecting information systems and deterring attacks,
need to be expanded to consider the full range of likely interactions.
This would help to determine where the boundary between DoD and
the rest of the national information infrastructure should lie.
It was in this context that the workshop primarily addressed the
relationship between information warfare and deterrence.
At the abstract level, the interface between these two concepts
is dependent on setting the context clearly. First, deterrence
is always from an actor toward a target. The very nature of the
actor and target, as well as the degree of asymmetry between them
is important. A nation state has much greater power than an individual
hacker and has broad powers of law enforcement that can be brought
to bear if the individual is within its borders or the reach of
accepted international laws. However, two nation states are, at
least in legal terms, equal and must exercise the international
system (diplomacy, warfare, etc.) to influence one another's behavior.
Moreover, the nature of the relationship between the parties
is important to the analysis. The use of deterrence is unlikely
in cooperative arrangements, more likely in competitive ones,
and most likely in conflictual patterns. Finally, substantive
context may also make a difference. For example, deterrence is
most likely in military arenas where the credibility of threats
is greatest and easiest to assess. Hence, specification of the
context (type of relationship, nature of the actors, substantive
domain) is essential before any conclusion is possible about the
effectiveness of deterrence.
The Steamroller and the Wrench
The most important insight arising from looking at the two concepts
however, is the fact that they are only relevant to one another
in highly selective contexts. The analogy that emerged was that
of a steamroller and a wrench. Both are tools and depending on
the situation, appropriate wrenches may be useful for, or even
crucial to, the operation of the steamroller. However, most of
the things the steamroller does are irrelevant to the wrench and
most of the things the wrench can be used for do not involve a
steamroller. In many cases, therefore, the workshop found itself
venturing away from a pure consideration of the two concepts and
into meaningful discussions in areas related to one or the other
of the two central topics. These discussions revolved around the
concepts, but kept slipping tangentially to more familiar issues
such as command and control warfare (C2W), or IW in some other
context such as retaliation in kind for an IW attack. It eventually
became apparent that the main reason for frustration was that
the related concepts and issues are grossly mismatched. IW is
just too big and encompasses so much (particularly in the context
of information dominance), while deterrence is limited and almost
always case specific.
In retrospect, the revelation should not have been surprising.
While workshop participants noted that certain IW actions are
as old as warfare (a bluff for example), the exploding vistas
of information technology and cyberspace are only beginning to
be understood. Several of the participants were comfortable discussing
deterrence as it might be related to command and control warfare
(C2W). In this application there are five clearly defined "Pillars"
which include Operational Security (OPSEC), Electronic Warfare
(EW), Psychological Operations (PSYOPS), Military Deception, and
Physical Destruction. The pillars are arrayed both offensively
as "Counter-Command and Control" and defensively as
"Command and Control Protection." Both arrays are dependent
on and supported by intelligence. Any one of the pillars can have
a deterrent effect. For example, in EW the presence of anti-radiation
missiles may deter the use of air defense radar. Likewise, the
adroit use of psychological operations might disrupt the enemy
decision making process to the point where they are deterred from
action, or at least their C2 process is greatly slowed.
While we believe that we understand C2W, the workshop brought
into clear focus the fact that C2W is only a very small subset
of IW, and it is that larger context that needs further exploration
and analysis. Likewise, one size IW deterrence does not fit all.
Equally important to the action itself is the intended recipient.
Without getting into the adversary's mind and understanding his
social, cultural, and religious values, as well as his education
and past history, IW deterrence actions may be like the tree that
falls in the forest and goes unheard. They may even be misunderstood
and, therefore, have unintended consequences. The earlier discussion
of deterrence stressed that creditable deterrence requires that
the message be communicated clearly. Knowing how the adversary
receives and understands messages is essential.
It also became increasingly clear that IW deterrent actions must
be part of an orchestrated and integrated effort. Seldom will
an IW action in and of itself be a creditable deterrent. However,
skillfully combined as part of an overall information dominance
concept, some combination of IW and other actions may produce
the desired deterrence.
Table of Contents | Chapter