Information Warfare and Deterrence
Information Warfare (IW) and Deterrence was the focus of the
sixth workshop in a series sponsored by the Directorate of Advanced
Concepts, Technologies, and Information Strategies (ACTIS), of
the National Defense University. The topic arose from both (1)
issues that surfaced in earlier workshops on subjects as diverse
as Coalition Command and Control (C2), Technologies and Operations
Other Than War (OOTW), and Command Arrangements for Peace Operations;
and (2) interests expressed by ACTIS sponsors in the Joint Staff
(J-6) and the Office of the Secretary of Defense, Assistant Secretary
of Defense for Command, Control, Communications, and Intelligence
The Workshop focused on three principal issues:
- What, in today's world, do the terms "Deterrence"
and "Information Warfare" mean, and how are they related?
- How might IW attacks on the United States be deterred, if
at all? This issue was broken, for practical analysis, into
"cyber-attacks" and "media warfare" attacks.
- Can the United States use IW to deter attacks on itself, its
allies, or its interests?
As with past ACTIS workshops, this one brought together senior
analysts and technical experts, as well as active military leaders
and action officers with operational responsibility in the affected
areas, for a non-attribution discussion working toward consensus
or clear articulation of alternatives and their consequences.
This workshop was conducted at the Secret level, which inhibited
discussion of some topics largely by preventing discussion of
particular systems and examples. However, the participants were
able to engage in a rich give-and-take and achieved a high degree
Key Concepts and Implications
On one level, deterrence and information warfare are well matched.
Both belong to the world of robust ideas with broad implications.
Both are highly relevant to the post-Cold War era in which conflict
has been transformed from bipolar global structures to multi-sided,
local and regional contests in which the military element is a
crucial part of, but not the driving force for, competition and
conflict. On the other hand, the two topics can be seen as orders
of magnitude apart. IW is a huge domain, ranging from media wars
to electronic combat and from economic competition to strategic
conflict waged against civilian populations. Deterrence, while
it has proven robust (i.e., applies across a range of situations),
actually is a narrow concept that works only under a set of quite
restrictive assumptions. Not surprisingly, therefore, the workshop
participants found the relationship between the two concepts to
be spotty -- highly relevant on some topics, marginally so on
others, and not at all relevant in many areas.
Deterrence in the Information Age
The concept of deterrence is well understood. The workshop readily
reached consensus on a basic definition of deterrence as "prevention
or discouragement, by fear or doubt, from acting." Clearly,
this definition implies an actor and a target. Moreover, the group
also agreed on a simple set of conditions necessary for successful
deterrence. These were seen as:
- A threat to something of value that exceeds the perceived
gain of non-compliance.
- A clear statement of the behavior to be avoided or performed.
- Clear and unambiguous communication of the threat and the
desired or proscribed behavior to the target.
- Credible threat, meaning that the target believes the actor
has the will and capability to execute the threat.
- Situational constraints that make it impossible for the target
to avoid punishment.
- Controllability of the threat and its implications by the
On the other hand, workshop participants were well aware that
"deterrence theory" was largely a product of the Cold
War era. This suggests that those whose experience is from that
era may bring extraneous concepts or baggage to the topic. Hence,
they readily agreed that deterrence applications outside the nuclear
war arena must be thought through carefully and should be exposed
to domain experts from the appropriate arenas before they are
The Domain of Information and Information Warfare
The read-ahead package for the workshop included a paper that
stressed the size and complexity of the information warfare domain
(see Appendix B). As illustrated in
the paper, three relatively independent dimensions are required
to capture and describe the information warfare arena: the degree
of conflict/cooperation, substantive focus (political, military,
social, economic, etc.), and the nature of the actors involved
(individuals, private organizations, nation states, international
organizations, the general public, media, etc.).
The workshop participants generally accepted the broad nature
of the information warfare domain and the central role of information
systems and processes in the world today. However, they inferred
several very important implications from this broad characterization
of the relevant domain.
- First, the term "information warfare" is used to
mean many things, but is often focused on the military domain
or the cyber-war domain dominated by computers. This narrow
definition is inconsistent with the broad policy questions relevant
to competition and conflict using information media.
- Because information warfare is really a broad and diverse
arena, analysis of it must be focused on selected elements,
which must be clearly defined in each application. Overall,
the field is so broad that virtually no meaningful generalizations
can be drawn about it.
- Isolation, except in rare instances, of military, national,
public, and private information systems is all but impossible
today. Even very important military traffic is likely to be
carried on national infrastructure systems. Public and private
sectors are heavily interdependent, and this linkage will continue
- A whole raft of information systems make potential targets
-- banking systems, control systems for railway operations,
air control systems, control systems for pipelines, media systems,
and others. Only a fraction of these are primarily military
or under the direct protection of the Department of Defense
- As has been stressed by ADM Owens as Vice Chairman of the
Joint Chiefs of Staff, the civilian sector is no longer a sanctuary
that can be protected by interposing military forces between
adversaries and their targets. Traditional military forces can
be flanked at the speed of light by information age attacks
on the general population or key economic systems.
- More profoundly, there is no consensus on the appropriate
boundary between the military and Department of Defense roles
and missions, those of the law enforcement and intelligence
systems, and those of the commercial sector.
Workshop participants were aware of a variety of policy initiatives
to create interagency working groups and coordinating mechanisms
as well as public-private dialogues and mechanisms for both exchanging
information and developing plans for dealing with information
age threats that cut across communities. Considerable progress
has been made in generating better awareness of the threat and
some effort has been made toward cooperation. However, the general
consensus was that these helpful activities were only now developing
momentum and were far from successful completion.
Information Warfare and Deterrence
At the abstract level, the interface between these two concepts
is dependent on setting the context clearly. First, deterrence
is always from an actor toward a target. The very nature of the
actor and target, as well as the degree of asymmetry between them,
Moreover, the nature of the relationship between the parties
is important to the analysis. Hence, specification of the context
(type of relationship, nature of the actors, substantive domain)
is essential before any conclusion is possible about the potential
or actual effectiveness of deterrence.
The most important insight arising from looking at the two concepts,
however, is the fact that they are only relevant to one another
in highly selective contexts. The analogy that emerged was that
of a steamroller and a wrench. Both are tools and, depending on
the situation, appropriate wrenches may be useful for, or even
crucial to, the operation of the steamroller. However, most of
the things the steamroller does are irrelevant to the wrench and
most of the things the wrench can be used for do not involve a
steamroller. In many cases, therefore, the workshop found itself
venturing away from a pure consideration of the two concepts and
into meaningful discussions in areas related to one or more of
the central topics.
How Might IW Attacks on the United States Be Deterred?
Workshop participants divided discussion of this topic into two
very different topics: deterring attacks directed through computers
and their connectivity (cyber-war attacks) and those directed
at the general public through public media such as television,
radio, and print. Indeed, one of the most profound dimensions
of disagreement among workshop participants was the degree to
which the Department of Defense ought to consider media attacks
at all. However, because media messages can influence, and arguably
have (Beirut bombing, Mogadishu television pictures, etc.) influenced,
both the tasking of military assets and mission accomplishment,
both types were examined.
Considerable discussion was required for the group to agree on
the wide range of types of computer attacks that must be considered.
Initially, some felt the discussion should focus only on protection
of internal DoD systems, while others wanted to include broad
strategic or operational attacks on the banking system or other
commercial or quasi-governmental arenas. The workshop was aware,
however, of an ACTIS analysis of Defensive Information Warfare
(Appendix D) that differentiates attacks by their targets and
- Day-to-day or routine attacks with limited or diffuse
impact on U.S. interests. These include "normal"
hacking for fun and profit, typical white collar crime, and
other attacks with discrete impact.
- Potentially strategic (catastrophic) attacks.
These are limited attacks with unpredictable consequences that
could, under some circumstances or in some combinations, have
catastrophic implications for U.S. interests. For example, an
attack on a single bank, even if the losses are large (millions),
is no threat to the U.S. banking system. However, an orchestrated
and publicized series of successful attacks on individual banks
could undermine confidence in the banking system and create
a much more serious problem, even though the specific attacks
were each quite limited.
- Strategic (catastrophic) attacks are those
which, if successful, will in themselves do great harm to the
United States. Destruction of the control systems in key industries,
in a way that leaves them unable to be repaired promptly, would
fall in this category.
In addition, workshop participants stressed that not all information
warfare attacks on computer systems need take the form of computer
intrusion. Physical destruction of crucial telephone switching
stations or other national information infrastructure assets would,
themselves, be very damaging.
One significant finding was that the workshop participants consistently
found themselves assuming that a visible set of defenses was the
beginning point for deterring attacks on important computer systems.
In essence, the argument was that information attacks are instrumental
acts and will not occur if the attacking party perceives little
opportunity for success.
At the same time, the workshop also noted that "success"
has very different meaning for different types of actors and that
some individuals, particularly those with "typical"
hacker attitudes, would be likely to perceive a more robust defensive
posture as a challenge, not as discouragement. This, of course,
is a lesson in the need for specific contexts when discussing
deterrence and IW. What works in some circumstances may be very
wrong in others.
Regardless of whether good defenses necessarily deter attacks,
there was consensus that the set of defenses now in place is inadequate
for discouraging any but the least well prepared intruder. Not
only are systems poorly protected, very few intrusions are detected
(reportedly about 5%) and few of those (another 5%) are actually
reported, even within the Department of Defense. If these figures
are correct, the likelihood of knowing about an attack is .0025
(one-quarter of one percent) and the risk of being caught must
be, by definition, even lower. Improved indications and warning
(I&W), as well as improved reporting of detected attacks,
are essential elements of improved defensive systems. In this
context, the workshop also concluded that assessing the ability
of DoD or others to deter attacks will require a sound understanding
of the pattern of attacks being experienced. Better data collection
as well as I&W was also a priority.
Finally, a variety of defensive measures were identified for
computer systems. These are not unique to the deterrence arena,
but rather reflect the workshop participants' assumption that
some attacks will be deterred by effective defenses. The technical
representatives in the workshop also stressed that for the foreseeable
future the advantage in the cyber-war arena will lie with the
offense. Hence, building defenses does not guarantee success.
Creating redundancy as well as the capacity to contain, recover
from, and reconstitute in spite of successful attacks are essential
elements of a successful deterrence strategy. Vice Admiral Cebrowski,
the JCS J-6, argued, in his luncheon presentation to the workshop,
that decoupling information attacks from their purpose is an effective
The workshop explored the potential for media attacks to deter
effective military action in a Middle Eastern context. The scenario
involved a campaign aimed initially at public attitudes in friendly
and other regional countries whose cooperation is essential for
major U.S. operations in and around the Persian Gulf, and later
at public attitudes in the United States. The thrust of the argument
was that prudent, even essential, military actions could well
be called into question through media attacks with primarily political
messages. Several conclusions emerged from these discussions.
- First, because of its democratic traditions and freedom of
speech considerations, the U.S. is almost certainly going to
be placed in a reactive mode if a media war campaign is launched.
- Second, foreign powers will find it difficult to intimidate
U.S. leaders or to put forward obviously false information toward
the U.S. public without effective U.S. media responses, but
may be able to communicate quite inaccurate images to selected
foreign publics who are predisposed to believe them.
- Third, the infrastructure to deliver television images into
distant regions may not be readily available within DoD, particularly
in a non-warfare situation where the sovereignty of foreign
states must be respected.
- Fourth, wargames and seminars are needed involving not only
DoD, but across the range of civilian agencies and industry
representatives necessary for effective television imagery and
counter-imagery in media wars.
Media warfare can put enormous time pressure on U.S. and allied
decision making, particularly when the adversary is an authoritarian
state with little or no necessity for either internal or international
Core Conclusion About Deterring Information Warfare Attacks
on the United States
While recognizing that the variety of potential attackers, attack
contexts, and arenas where information warfare attacks may take
place is vast and too complex for simple solutions, the workshop
participants were confident that the United States already has
basic policies in place that serve as effective deterrents in
many circumstances. In essence, some information warfare attacks
on the United States are deterred by the same policy that deters
other types of attack. Acting under its rights as a sovereign
state, the U.S. stands ready to respond to any attack on its interests
with all appropriate means, including law enforcement as well
as military capacity.
Finally, the workshop recognized that considerable legal work
needs to be completed in this arena. First, U.S. law (both state
and federal) needs to be clear about the definition of crimes
in the information arena. Second, international agreements and
treaties are needed to ensure that foreign attackers can be prosecuted
effectively and that acts of war are clearly identifiable.
Using Information Warfare to Deter Foreign Governments
In large measure because the discussion on defending against
information operations was so rich, but also to a certain extent
because of the relatively low level of classification for the
meeting, this topic was addressed more quickly and in less detail
than the others.
Some limits on U.S. offensive activities were noted. First, media
manipulation that involves government personnel providing false
information is neither politically wise nor consistent with U.S.
policy and law. Second, information attacks are attacks and therefore
subject to international law.
Those limits having been noted, the workshop participants also
recognized that the technical capacity to render an adversary
"ignorant," poor, uncertain of the capability to control
its own forces, unable to communicate with its population, or
uncertain of the quality of its basic information, could have
a profound effect on its willingness to undertake a military adventure
and thus equate to a powerful deterrent.
Moreover, while barely unveiling the true potential of highly
leveraged information and superior battlefield awareness, Desert
Storm has provided the world with a demonstration of the
potential advantage of information dominance. Finally, the workshop
concluded that research and development into tools and techniques
that can impact potential adversaries' knowledge of the battlefield,
control of their own forces, resources necessary to support armed
conflict and deliver services to their populations, or leverage
uncertainty about their own information, should go forward.
A series of more focused roundtables (smaller working groups
with selected expertise) is planned to follow up on significant
issues left unresolved or where more sensitive issues need to