For anyone who thrives on challenges, defending against information warfare is a great line of work. There are five key challenges we face. The first challenge involves the development of a better understanding of the nature and characteristics of the threat among society and its institutions. Success requires that everyone be on board. Therefore, it is important that we continue to work to increase awareness of this problem and to develop a better understanding of both the nature of the threat and our vulnerabilities.
The second challenge is to develop a strategy for deterring digital information attacks. The first line of defense is deterrence. Not enough effort is being devoted to developing and gaming possible strategies. In February 1996, ACTIS sponsored a workshop on this subject. This workshop was a highly successful endeavor, giving those who attended a better idea of where the latest thinking is on this subject, stimulating more thinking about the subject, and bringing some key issues into sharper focus. (The proceedings of this workshop, "IW and Deterrence," have been published and are available from ACTIS.)
The third and fourth challenges involve developing means of providing warning for attacks and ways of successfully defending against attacks that do occur. Improving our ability to see an attack coming, or providing indications and warning (I&W) of attacks in a timely fashion, is perhaps the single most difficult challenge we face. Developing an I&W capability involves not only the traditional strategic and tactical warning capabilities, but also the ability to know that an attack has begun and to ascertain the likely scope of such an attack. Given that currently, in many cases, an attack in progress is not even recognized, this will be a tall order. This is not only a technical challenge, but it is, as mentioned earlier, an organizational challenge. This is because the information necessary to provide warning of an imminent action or an attack in its early stages would most likely need to come primarily from private sector organizations whose "peace time" reporting structures may not require either reporting of all relevant incident data or reporting in near real time. Thus an attack of strategic significance may be well underway before we realize it and are able to move to a "war time" footing, which would bring with it the increased reporting requirements and coordination necessary to assess the situation and respond accordingly.
As a result of my participation in a series of "day after" games developed by RAND for ASD(C3I), I have concluded that we will not be able to respond to such attacks in a timely and effective manner unless there is 1) more awareness and understanding of the nature of strategic IW capabilities and our own vulnerabilities among not only key officials in public and private organizations but also among Congress, the Media and the Public; 2) more understanding of the offense arsenal at our disposal, particularly the direct, indirect, and collateral damage they might cause; 3) a pre-agreed systematic system of alerts similar to the DEFCON system, each level of which carries with it known, understood, and practiced processes and actions; and 4) a "battle damage" assessment process suitable for IW.
The construction of a DEFCON-type system for IW-D will require the investment of a considerable amount of intellectual capital as well as a considerable amount of coordination among a wide variety of Government departments and agencies, the Congress, industrial associations, and private organizations. Given the nature of the problem, time will be of the essence should problems with our information infrastructure begin to appear. Well thought-out options that address both the need for increased collection and analyses and the need to take measures to prevent or control damage are essential to countering this threat. Given the trifurcated threat topology and the very different nature of each of the three threat regions, implementing the proposed "defense-in-depth" strategy will be a considerable undertaking.
The fifth challenge is to develop appropriate and effective responses to such attacks. Responses to attacks include identification, interdiction, apprehension, and punishment (possibly including retaliation).