Defensive Information Warfare

Digital War

Each age has seen war transformed by modern technologies and concepts. The Information Age promises to be no different. Some have called the Gulf War the first "Information War" - others have called it the last "Industrial Age" war. The power of information was clearly demonstrated in the context of traditional conflict. Information was leveraged to significantly improve the effectiveness of all aspects of warfare from logistics to command, control, communications, and computers, intelligence, surveillance, and reconnaissance (C4ISR).

The effectiveness of the U.S. and its allies in the Gulf War has surely deterred potential adversaries from taking on our forces in the rather symmetrical manner that Iraq attempted and has stimulated thinking about other strategies for countering conventional forces. Digital war, enabled by advances in technology and its widespread adoption as well as the globalization of economics and commerce, is surely a strategy that potential adversaries are thinking about to achieve some of the objectives that have previously been sought by means of traditional warfare.

Digital war, a subset of what we call information war, involves non-physical attacks on information, information processes, and information infrastructure that compromise, alter, damage, disrupt, or destroy information and/or delay, confuse, deceive, and disrupt information processing and decision making.

Digital war intrinsically possesses in ultimate form some of the same characteristics that traditional military planners are striving for, including low-cost precision, standoff, and stealth. Digital war threatens the ability of a nation state's military to interpose itself between its population and "enemies of the state," thereby causing a loss of sanctuary. The importance of sanctuary can be inferred by our willingness to spend significant resources on air, sea, and missile defenses to provide our citizens with a workable sanctuary with respect to territorial intrusions.

Another characteristic of information attacks stems from the loss of sanctuary. Attacks of this sort, particularly when they consist of more than an isolated incident, create a perception of vulnerability, loss of control, and loss of confidence in the ability of the state to provide protection. Thus, the impact can far exceed the actual damage that has occurred. This non-linear relationship between actual damage and societal damage makes the problem of digital war a particularly challenging one because it creates a mismatch between rational defense responses and their effectiveness.

How does one respond to a serious set of information attacks? Responding with traditional military forces may be politically unacceptable or in fact, may be ineffectual. Currently there is no consensus, even among those in the defense establishment who think about these issues, regarding how to deal with such an attack.

Given the potential effectiveness of digital war, particularly as an instrument of power for niche competitors and non-state actors, we need, as a society, to take this Information Age form of war very seriously. If we do not, and if we rely solely on traditional weapons and concepts of war, we may be building our own 21st Century Maginot line that can be flanked with the speed of light.

Inadvertent Robustness

There are some who have suggested that we are not as vulnerable to information attacks as has been claimed because the collection of our legacy systems provides a certain amount of inherent robustness and resiliency. They point to the overlaps and duplications in these systems and argue that it would be very hard for anyone to completely disrupt a given set of services. They point to the lack of interoperability among legacy systems and the firewalls that are thereby created and argue that it would be impossible for attackers to get very far by penetrating the weakest systems and using them as launching pads for attacks on other systems. They argue that our current legacy systems and their interrelationships are difficult (even for us) to understand, so it must follow that potential adversaries will also be confused.

Clearly there is some truth in each of these arguments. But this unruly collection of legacy systems also carries with it significant disadvantages. As far as security considerations are concerned, five points need to be made. First, this issue is not whether or not an attack could totally destroy or disrupt a particular system or type of service, but whether or not there could be sufficient damage to trigger the perception of a failure and result in panic behavior that could in turn create a significant national problem. Second, the redundancies in the systems are only partial and unplanned. Hence, they are neither complete nor reliable. Third, our legacy systems, many having been designed and built with little or no attention to security, are difficult to protect and secure. Fourth, as the need for interconnectivity and interoperability increases, more and more systems are being lashed together with "work-arounds." These patches, in many cases, compromise security. Lastly, the lack of security that these systems provide is dampening the demand for services that could make operations more effective and efficient in many areas. Our current collection of legacy systems has other disadvantages as well. For example, the lack of interoperability wastes resources and impairs operations. Thus, it should be clear that the disadvantages of our current collection of legacy systems are not a blessing in disguise but rather the source of problems that need to be addressed so that we can take full advantage of the opportunities that information technologies can provide.

Next Chapter | Table of Contents |