Information Warfare and Deterrence
How Might IW Attacks on the United States Be Deterred?
As information age technologies become more useful and valuable
across all arenas and levels of interaction, vulnerabilities to
disruption, deception, penetration, theft, and destruction increase
as well. The vulnerabilities cluster around two basic areas: the
computers that form the heart of most information systems and
increasingly control operating systems, and the communication
networks that tie them together. Workshop participants noted that
recent studies indicate that all too often computer security is
still given short shrift. Records that would be locked up if they
were paper are often left unprotected in computers. When computers
are networked, they become even more vulnerable because information
can be accessed from remote locations. Both locally and remotely,
data can be manipulated, viruses inserted, and records stolen
or destroyed. When the data being manipulated or moved represents
money or other things of value, the manipulation is theft. Presently,
the banking system is reportedly losing millions of dollars each
year to computer theft. At the Department of Defense, hackers
have penetrated DoD networks and systems (mostly unclassified).
Moreover, recent tests indicate that only about five percent of
attacks are detected, and of those detected, only five percent
are reported. If these figures are correct, the likelihood of knowing
about an attack is .0025 (one-quarter of a percent) and the risk
of being caught must be, by definition, even lower. Other military
systems are likewise vulnerable. In many cases that vulnerability
cannot be reduced by isolation because military systems depend
on the national information infrastructure for about ninety percent
of their traffic. Over ninety-five percent of all U.S. Government
telecommunications within the U.S. travel on commercial circuits.
From the banking system to air traffic control, from military
logistics to the telephone networks, from the stock exchanges
to computer controlled trains, the United States, its economy,
and its security are inexorably bound up in information technology.
Many of the key systems lack safeguards or redundancy. Some, including
some defense systems, are extremely fragile and easily disrupted.
Most are vulnerable in one way or another. The U.S. information
infrastructure is easily the world's biggest IW target.
Given these vulnerabilities, what can be done to enhance security
and improve the likelihood that the United States can deter IW
attacks? What are the DoD's responsibilities, and where are the
boundaries of those responsibilities? Since U.S. forces cannot
fight effectively without being well connected to the national
information infrastructure, the responsibility would appear to
go well beyond the protection of military systems alone. The workshop
noted that this is a broad national security issue that the military
cannot ignore. Since IW defense and deterrence are essential to
military effectiveness, a crucial issue is to determine what role
the professional military should have in this mission.
Beyond the attacks that one might envision in the context of
classic IW and C2W, there are other vulnerabilities. For example:
- Attacks by creative individuals skilled and determined enough
to exploit communications systems and computer networks for
illegal gain or to disrupt society.
- Criminal organizations (terrorists, drug smugglers, illegal
arms merchants, international poachers, and rogue banking groups)
that sit across any one country's boundaries, move money or
information from jurisdiction to jurisdiction, and all too often
represent a poorly met challenge.
- Coalition warfare in which military cooperation and interoperability
are essential, but political goals are not fully compatible
and intelligence sources and methods must be protected.
- Psychological warfare waged against a general population in
order to undermine confidence in leaders or the wisdom of their
actions, often exploiting ethnic, social, or moral cleavages
in the target society.
This wide range of possibilities caused considerable discussion
before the group could agree on the various types of computer
attacks that must be considered. Initially, some felt the discussion
should focus only on protection of internal DoD systems, while
others wanted to include broad strategic or operational attacks
on the banking system or other commercial or quasi-governmental
arenas. The workshop was aware, however, of an ACTIS analysis
of Defensive Information Warfare (Appendix
D, the third and final part of the workshop read-ahead material)
that differentiates attacks by their targets and implications:
- Day-to-day or routine attacks with limited or diffuse impact
on U.S. interests. These include "normal" hacking
for fun and profit, typical white collar crime, and other attacks
with discrete impact.
- Potentially strategic (catastrophic) attacks. These are limited
attacks with unpredictable consequences that could, under some
circumstances or in some combinations, have catastrophic implications
for U.S. interests. For example, an attack on a single bank,
even if the losses are large (millions), is no threat to the
U.S. banking system. However, an orchestrated and publicized
series of successful attacks on individual banks could undermine
confidence in the banking system and create a much more serious
problem, even though the specific attacks were each quite limited.
- Strategic (catastrophic) attacks are those which, if successful,
will in themselves do great harm to the United States. Destruction
of the systems that control systems in key industries, leaving
them so they cannot be repaired promptly, would fall into this
In addition, workshop participants stressed that not all information
warfare attacks on computer systems need take the form of computer
intrusion. Physical destruction of crucial telephone switching
stations or other national information infrastructure assets would,
in itself, be very damaging.
One significant finding was that the workshop participants consistently
found themselves assuming that a visible set of defenses was the
beginning point for deterring attacks on important computer systems.
In essence, the argument was that attacks are instrumental acts
and will not occur if the attacking party perceives little opportunity
At the same time, the workshop also noted that "success"
has very different meaning for different types of actors. Some
individuals, particularly those with "typical" hacker
attitudes, would be likely to perceive a more robust defensive
posture as a challenge, not as discouragement. This, of course,
is a lesson in the need for specific contexts when discussing
deterrence and IW. What works in some circumstances may be very
wrong for others.
Regardless of whether good defenses necessarily deter attacks,
there was consensus that the set of defenses now in place is inadequate
for discouraging any but the least well prepared intruder. As
mentioned earlier, many systems are poorly protected, very few
intrusions are detected, and very few of those detected are actually
reported. Improved indications and warning, as well as improved
reporting of detected attacks, are essential elements of improved
defensive systems. In essence, the workshop concluded that assessing
the ability of DoD or others to deter attacks will require much
better documentation and understanding of the pattern of attacks
Deterrence of cyber-attacks was also understood to depend on
the nature of the attacker. On one level, deterrence requires
identification of the values held by the potential attacker as
well as the capacity to communicate with that attacker. Neither
is possible without information about the nature of the person,
group, or entity to be deterred. The variety of potential attackers
is vast, which makes it impossible to create a "one size
fits all" deterrence policy that will be effective. However,
cyber-attacks and physical attacks on key computer systems can
be prevented or discouraged by aggressive, visible, effective
defensive systems. Analogies were drawn to terrorists, who also
act from a variety of motives against a wide range of targets
(including information domain targets), but who have been deterred
in selected instances by explicit threats and retaliatory actions
implying future threats unless the terrorists cease to attack
some types of targets.
There is no single, simple solution. However, combinations of
defensive measures are important initial building blocks. Further,
defense against information attacks should be viewed as a continuing
process rather than a "finishable" project. The process
begins with awareness of the issues and problems and proceeds
to indoctrination, education, training, and physical defensive
measures. Awareness, education, and security training are being
taught within the DoD but need to be improved across all levels.
It would also appear that DoD should reach out further and address
the issues to other government agencies and relevant non-governmental
organizations through interagency seminars, vulnerability analysis,
Systems vulnerability analysis is a critical first step. We should
lay out our potential target sets and interconnecting networks
and look for actual and potential vulnerabilities. Defensive nodal
analysis (like that conducted in offensive command and control
warfare) is particularly important. Once the weaknesses are identified,
defensive measures should be put in place. Table 1 lists some
of the common and accepted system defenses.
Systems vulnerability analysis and improved design can yield
three positive results. Besides the obvious result of reducing
vulnerability, the systems can be made less attractive targets;
that is, successful attacks would yield less damage and publicity.
As stated by VADM Cebrowski (the JCS J-6, and workshop luncheon
speaker), decoupling IW attacks from their objectives is an effective
deterrent technique. Since IW attacks, like almost all types of
attack, are assumed to be conducted for instrumental purposes,
he argued that de-coupling the attack from its goal was an important
way to ensure such attacks were unsuccessful and also to deter
the attacks themselves because the attackers saw little opportunity
for success. Good design can also raise the potential costs of
attacking in terms of time and equipment needed to penetrate.
This also has a deterrent effect. Hardening and protective measures
should be designed into all systems. This is an enormous field
that spans the spectrum from satellite antenna design to electrical
protection of personal computers and workstations.
Security training is absolutely essential at all levels, and
without it other defensive measures are less effective. Password
protection, for example, can make information systems less accessible,
but bad procedures can defeat its purpose. One of the workshop
participants described security exercises where he was able to
penetrate password-protected computer networks by manipulating
the password protection system itself. Perhaps more important,
almost every penetration and technique tried in that exercise,
and in those within the experience of other workshop participants,
had been successful in the vast majority of cases. Hence, the need
for basic system security design, improved security procedures,
and better training within DoD.
Other key steps include redundancy and backup. These methods
reduce or limit the harmful effects of an attack or system penetration.
Frequent backup can minimize the damage caused by lost, stolen,
or disrupted data, and information can be rapidly restored or
reconstituted. Redundant baseline data can also be used to check
against unwanted changes or clandestine data manipulation.
Aggressive domestic and international law enforcement can certainly
have a deterrent effect on potential adversaries. Since cyberspace
recognizes no borders, international agreements and laws are necessary.
This is particularly important because many information systems
are not only national, but also worldwide. Telecommunications
and international banking systems are prime examples. Further,
hackers appear motivated by the challenge of defeating defenses.
Defenses alone apparently just make hacking more enjoyable. To
deter hackers, there must be a realistic threat of capture and
Tagging information systems hardware and software with electronic
IDs can also deter would-be penetrators and attackers. The analogy
is similar to caller ID, where those who penetrate systems are
identified, and a record of the penetration is made.
"Embracing" is a concept that engages potential attackers
by including them as stakeholders in the information system. If
these possible adversaries are embraced and educated, they may be
less likely to consider attacks that could potentially cause self-harm.
The concept is already in effect since many systems are worldwide,
and an attack by one nation on another could have cascading effects
beyond those intended. An attack on the banking system in one
nation, for example, could have unintended consequences and cause
disruptions around the world. Embracing would appear to have deterrent
effect only on rational nation-states. There are two weaknesses
to the concept. First, it is doubtful that cyber-terrorists would
be deterred in such a scenario; rather, cascading consequences
might actually make the attack more attractive. Second, what may
be viewed as embracing by one party may instead be an opportunity
for infiltration by the other. Again, no "one size fits all"
deterrence policy is available because of the range of motives
that may be encountered.
Finally, we must develop an effective system of IW attack indications
and warnings (I&W). The adage of "forewarned is forearmed"
is particularly relevant here. Indications of attack can come
from traditional intelligence sources, monitoring of events and
activity, and perhaps other cyber-tags that we have yet to discover.
Penetration warning systems should be designed and built into
critical information networks, nodes and stations. Cyber I&W
is an area that needs much more careful study, analysis, and debate.
Many of the defensive measures discussed are not unique to the
deterrence arena, but rather reflect the workshop participants'
assumption that some attacks will be deterred by effective defenses.
The technical representatives in the workshop also stressed that
for the foreseeable future the advantage will lie with the offense
in the cyber-war arena. Hence, building defenses does not guarantee
success, and creating redundancy as well as the capacity to contain,
recover from, and reconstitute in spite of successful attacks
are essential elements of a successful strategy.
An interactive exercise scenario introduced the topic of "SOFTWAR,"
which is a trade name for one concept of media war. This concept
involves the use of television images to change or modify the
political will of an opponent. SOFTWAR was defined as "the
hostile utilization of instantaneous global television to shape
another nation's will by changing its view of reality." The
main technique of SOFTWAR is to unglue the adversary government's
hold on the unifying national mass communications system, the
most powerful medium of which is television, and distribute alternate
video productions (or some other form of video manipulation) in
its place. The speaker asserted that the controlled projection
of video information has joined economic, political, and military
power as a pillar of national security and that it will become
a co-equal power by the year 2020.
The exercise scenario involved a campaign aimed initially at
public attitudes in friendly and other regional countries whose
cooperation is essential to major U.S. operations in and around
the Persian Gulf, and later at public attitudes in the United
States. In the demonstration scenario, the U.S. was the victim
of a carefully orchestrated television campaign aimed at both
the U.S. TV audience and at a selected Middle East and North Africa
audience within the footprint of a direct broadcast satellite.
The thrust of the argument was that prudent, even essential, military
actions could well be called into question through media attacks
with primarily political messages.
Some workshop participants were skeptical about the impact such
a campaign might have on U.S. resolve and action. There are, however,
past examples of how TV has affected U.S. political action going
back to the Vietnamese War when rather primitive TV reporting
(by today's standards) brought bloody battlefield images into
U.S. homes for the first time. There is little doubt that television
coverage of Vietnam changed or eroded the will of the U.S. population
to sustain the conflict. Likewise, TV images of the bombing of
the U.S. Marine Barracks in Lebanon tested our resolve and hastened
More recent examples include the Somalian relief mission where
graphic, quite gruesome TV images of relatively light U.S. casualties
soured the support for continued presence and led to an early
U.S. pullout. In Haiti, TV images of U.S. soldiers standing by
while Haitian police beat innocent people celebrating the arrival
of U.S. forces caused an overnight change in policy as to how
Rules of Engagement (ROE) were interpreted. The workshop agreed
that indeed, television is an extremely effective, and potentially
dangerous, medium for propaganda. Given the ability of modern
technology to manipulate images, it becomes an even more powerful
IW weapon. Several other conclusions emerged from the media war
- First, because of its democratic traditions and freedom of
speech considerations, the United States will almost certainly
be placed in a reactive mode if a hostile media war campaign
- Second, foreign powers will find it difficult to intimidate
U.S. leaders or to put forward obviously false information toward
the U.S. public without effective U.S. media responses, but
may be able to communicate quite inaccurate images to selected
foreign publics who are predisposed toward them.
- Third, the infrastructure to deliver television images into
distant regions may not be readily available within DoD, particularly
in a non-warfare situation where the sovereignty of foreign
states must be respected. Review of the hardware requirements
for flexible responses that give the National Command Authority
a rich set of options appears to be wise. Equally important,
the workshop concluded that the creation of reserve units or
other mechanisms to ensure the availability of the human capital
needed for commercial quality television production on a sustained
basis, also appears wise.
- Fourth, wargames and seminars involving not only DoD, but
also the range of civilian agencies and industry representatives
necessary for effective television imagery in media wars, appear
to be needed. Incorporation of meaningful media attacks into
appropriate military exercises is an important first step, but
would be inadequate in itself over the long run.
- Fifth, media warfare can put enormous time pressure on U.S.
and allied decision making, particularly when the adversary
is an authoritarian state with little or no necessity for either
internal or international consultation. With proper preparation
and effective technical support, however, this time pressure
can be managed.
Many of the workshop discussions naturally evolved into policy
explorations. Two of the most prominent were: one, "Should
the United States have a declarative policy about its response
to IW attacks?" and two, "Should information be viewed
as a separate element of national power?" Opinion was divided
on both issues. Table 2 highlights the arguments for and against
a declared policy on U.S. response to IW attacks.
The workshop participants were strongly in favor of a declared
policy, with 70 percent voting for such a policy, 17 percent against,
and 13 percent ambivalent. A declared policy was considered essential
if there was to be any deterrent effect. Further, without a policy,
there is no direction for the government, and many agencies are
going their own ways and establishing their own policies. If we
are to have cooperative international agreements and treaties,
a declared policy is an essential starting point. The policy should
be coordinated with industry, and public debate encouraged, to secure
the support and resources required to protect our interests. The overall
workshop consensus was that there should be a broad, publicly
stated, general policy phrased in terms of effects rather than
method or type of attack (e.g., economic, military, social, political).
One recommended statement was: "Attacks on the U.S., its
infrastructure, or other interests (by whatever means) will receive
an appropriate response using the fullest range of U.S. capabilities."
Those who were ambivalent or opposed to a declared policy were
generally concerned that such a policy was premature, that we
lacked sufficient understanding of IW attacks and their effects
and consequences. By not stating a specific policy, we create
ambiguity, which some felt was useful in terms of deterrence.
There is much to think through before declaring an IW policy, particularly
in terms of the international implications and complications.
Finally, and somewhat in agreement with those who advocated a
formal policy, one reason not to have a policy is simply that
there is no need to separate IW from other kinds of attacks.
On the second issue, whether information should be viewed as
a separate element of national power, opinion was also divided;
however, most participants viewed information as a separate element
of national power. Table 3 summarizes the comments.
All participants agreed that information was an essential element
of power. The debate ranged around whether that should be stated
explicitly or not. Those in favor (80 percent) cited the growing
importance of information and information age technologies, and
how information is creating a cultural revolution and changes
in the behavior processes between nation-states. For those who
voted "no" (20 percent), the major consideration was
that they viewed information as ubiquitous and pervasive in each
element of power, and not an independent element. One participant
made the analogy that information was like "electricity."
It is subsumed in other elements and systems.
There were numerous other questions with policy implications
and these included:
- What is (what constitutes) an information attack?
- When is an information attack an act of war?
- How do we verify an attack?
- How do we determine or confirm the attacker?
- Does penetration into an information system equate to an attack?
- Can one develop a concept of hostile intent for IW?
- Are there reasonable or potential tripwires?
- How do we respond, and who should respond?
Since at present no one has the charter for IW (in the larger
context -- beyond C2W), responses will be ad hoc at best. The boundary
between DoD and the rest of the national infrastructure is blurred
and undefined. The workshop reached no consensus as to where that
line should be or what DoD's role should be within the larger
IW policy issues emerged as the area that needed much further
study. Without policy definition, concepts like IW and deterrence
can't be fully explored. Policy is essential and the workshop
participants recommended a follow-on roundtable to explore policy
issues. Basic policy statements have begun emerging, but final
work appears necessary.
The Role of DoD
Given the low rate of reporting system penetrations and other
security problems, the U.S. presently lacks the data needed to
know just how serious the unauthorized penetration problem might
be. Are we hemorrhaging or simply suffering "duck bites"?
Better reporting is essential.
The starting point for DoD should be to raise the level of awareness,
not only within the Department, but also throughout the national
information infrastructure upon which it is so vulnerably dependent.
Developing and implementing cyber I&W should also take high
priority. One note of concern voiced was that the DoD procurement
cycles and information technology growth cycles are greatly mismatched.
That is, several technology cycles occur within one DoD procurement
cycle. This can result in DoD developing yesterday's solutions
for tomorrow's problems.
DoD's next priority should be a comprehensive vulnerability analysis,
first of DoD systems and later expanded to the national infrastructure
upon which they depend. At present, vulnerability is usually assessed
for only a particular system or subsystem. Future vulnerability
analyses should expand the studies to examine interrelated systems,
and systems of systems. In due course, the analyses should be
expanded to include all U.S. systems. We should implement defensive
and deterrent actions as soon as vulnerabilities are uncovered.
Beyond DoD, there is a need for a national level, strategic debate
to formulate a coherent IW policy and a determination of DoD's
boundaries and responsibilities. Neither DoD nor the Federal Government
can do this alone; all relevant public and private sectors should
be included. But until there is policy about IW defense and deterrence,
DoD still has the responsibility to protect its strategic, operational
and tactical systems. The strategic systems appear reasonably
well protected and redundant through hardening, elaborate security
procedures, and multiple backups. Operational and tactical systems
appear far less protected and need additional emphasis.
Core Conclusion About Deterring Information Warfare Attacks
on the United States
While recognizing that the variety of potential attackers, attack
contexts, and arenas where information warfare attacks can occur
is vast and too complex for simple solutions, the workshop participants
were confident that the U.S. already has basic policies in place
that serve as effective deterrents in many circumstances. In
essence, information warfare attacks on the United States are
deterred by the same policy that deters other types of attack.
Acting under its rights as a sovereign state, the U.S. stands
ready to respond to any attack on its interests with all appropriate
means, including law enforcement as well as military capacity.
As discussed in the workshop:
- Individual hackers and white collar criminals are liable when
they break the law and can be prosecuted within a legal system
that takes into account both their motives and the degree of
harm that they cause.
- International criminal enterprises, such as drug cartels,
terrorist groups, or interest groups willing to engage in illegal
information attacks or manipulation, are liable under the legal
system and also pursued under international law and treaties
that govern their behavior and specify both the jurisdictions
and processes for determining their punishment if caught.
- Nation states are restricted by the rights of others and liable
for a range of political, economic, diplomatic, or military
sanctions if they undertake information operations that harm
U.S. interests. As in other arenas, the U.S. reserves the right
to undertake actions it perceives to be both appropriate and
There was also consensus that information attacks may well pose
some unusual challenges that may make them more difficult to deter.
For example, information warfare attackers will likely seek to
be anonymous, thereby making it impossible for the U.S. to punish
them. Cyber-attackers, in particular, have a variety of mechanisms
by which they can hide their identity. Since certainty of punishment
is a prerequisite for deterrence, anonymity is an effective counter-strategy.
Moreover, information attacks can be hidden or made to look like
natural events. In media war, this may be a half-truth fed to
an aggressive reporter. In cyber-war it can be a destructive attack
made to look like a system error or design flaw. Disguised attacks
are also effective countermeasures for deterrence, regardless
of the capability and will of the actor. Hence, while significant,
overall U.S. capability and will do not guarantee deterrence of
Finally, the workshop recognized that considerable legal work
needs to be completed in this arena. First, U.S. law (both state
and federal) needs to be clear about the definition of crimes
in the information arena. Second, international agreements and
treaties are needed to ensure that information criminals can be
prosecuted effectively. Cases in which lack of appropriate law
limited or prevented prosecution were easy for participants to
recall. The Departments of Justice and State are generally aware
of these needs and interagency working groups have been making
some progress on them, but this area will require continued effort
for some time to come.