Dec 31, 1995
We live in an age that is driven by information. Technological breakthroughs . . . are changing the face of war and how we prepare for war.
—William Perry, Secretary of Defense
Information warfare (IW) represents a rapidly evolving and, as yet, imprecisely defined field of growing interest for defense planners and policymakers. The source of both the interest and the imprecision in this field is the so-called information revolution—led by the ongoing rapid evolution of cyberspace, microcomputers, and associated information technologies. The U.S. defense establishment, like U.S. society as a whole, is moving rapidly to take advantage of the new opportunities presented by these changes. At the same time, current and potential U.S. adversaries (and allies) are also looking to exploit the evolving global information infrastructure and associated technologies for military purposes.
The end result and implications of these ongoing changes for international and other forms of conflict are highly uncertain, befitting a subject that is this new and dynamic. Will IW be a new but subordinate facet of warfare in which the United States and its allies readily overcome their own potential cyberspace vulnerabilities and gain and sustain whatever tactical and strategic military advantages that might be available in this arena? Or will the changes in conflict wrought by the ongoing information revolution be so rapid and profound that the net result is a new and grave threat to traditional military operations and U.S. society that fundamentally changes the future character of warfare?
In response to this situation and these uncertainties, in January 1995 the Secretary of Defense formed the IW Executive Board to facilitate "the development and achievement of national information warfare goals." In support of this effort, RAND was asked to provide and exercise an analytic framework for identifying key IW issues, exploring their consequences and highlighting starting points for IW-related policy development—looking to help develop a sustainable national consensus on an overall U.S. IW strategy.
To accomplish this purpose, RAND conducted an exercise-based framing and analysis of what we came to call the "strategic information warfare" problem. Involving senior members of the national security community as well as representatives from national security-related telecommunications and information systems industries, the exercises led participants through a challenging hypothetical IW crisis involving a major regional political-military contingency. The exercise methodology, known by the label "The Day After . . . ," had been previously used for a variety of nuclear proliferation, counterproliferation, and related intelligence studies. The specific scenario chosen for the exercise involved a turn-of-the-century conflict between Iran and the United States and its allies, focused on a threat to Saudi Arabia.
The exercise was conducted six times in evolving versions over the course of five months from January to June 1995. Each iteration allowed for refinement of basic strategic IW concepts and provided further insights about their national security implications. This process provided an opportunity to assess and analyze the perspectives of senior participants from government and industry regarding such matters as the plausibility of strategic IW scenarios such as the one presented, possible evolutions in related threats and vulnerabilities, and the phrasing of key associated strategy and policy issues. It also provided an opportunity to identify emerging schools of thought and, in some cases, a rough consensus on next steps on a number of important strategic IW issues.
In addition, the process yielded a badly needed multidimensional framework for sharpening near-term executive branch focus on the development of strategic IW policy, strategy, and goals—in particular regarding the implications of prospective major regional contingencies on defensive IW strategies, doctrines, vulnerabilities, and capabilities. It also provided a highly useful forum for beginning to coordinate with industry on the future direction of IW-related national security telecommunications strategy.
As can be inferred from the above comments, the methodology employed in this study appears to offer particular advantages for addressing many of the conceptual difficulties inherent in this topic. The subject matter is very new and, in some dimensions, technically complex, especially for individuals typically found in policymaking positions. The challenge of finding techniques for efficiently accelerating the process of basic education on the topic and its implications for national security policy and strategy cannot be underestimated.
This report presents the results of this study. Specifically, the purpose of this report is to
The United States has substantial information-based resources, including complex management systems and infrastructures involving the control of electric power, money flow, air traffic, oil and gas, and other information-dependent items. U.S. allies and potential coalition partners are similarly increasingly dependent on various information infrastructures. Conceptually, if and when potential adversaries attempt to damage these systems using IW techniques, information warfare inevitably takes on a strategic aspect.
Our exercise scenario highlighted from the start a fundamental aspect of strategic information warfare: There is no "front line." Strategic targets in the United States may be just as vulnerable to attack as in-theater command, control, communications, and intelligence (C3I) targets. As a result, the attention of exercise participants quickly broadened beyond a single traditional regional theater of operations to four distinct separate theaters of operation as portrayed in Figure S.1: the battlefield per se; allied "Zones of Interior" (in our scenario, the sovereign territory of Saudi Arabia); the intercontinental zone of communication and deployment; and the U.S. Zone of Interior.
The post–cold war "over there" focus of the regional component of U.S. national military strategy is therefore rendered incomplete for this kind of scenario and is of declining relevance to the likely future international strategic environment. When responding to information warfare attacks of this character, military strategy can no longer afford to focus on conducting and supporting operations only in the region of concern. An in-depth examination of the implications of IW for the U.S. and allied infrastructures that depend on the unimpeded management of information is also required.
The exercises highlighted seven defining features of strategic information warfare:
Through the course of our exercise-based analysis, we prompted policymakers and other experts from the public and private sectors to explore the character and consequences of these features. The discussion that follows summarizes our synthesis of observations made by the exercise participants on the characteristics and implications of these features for the strategic IW problem. Note that there is a "cascading" effect inherent in these observations—each helps to create the enabling conditions for subsequent ones.
Interconnected networks may be subject to attack and disruption not just by states but also by nonstate actors, including dispersed groups and even individuals. Potential adversaries could also possess a wide range of capabilities. Thus, the threat to U.S. interests could be multiplied substantially and will continue to change as ever more complex systems are developed and the requisite expertise is ever more widely diffused.
Some participants believed that the entry price to many of the IW attack options posited could be raised by denying easy access to networks and control systems through the exploitation of new software encryption techniques. Other participants acknowledged that this might mitigate some threats but emphasized that this approach would not remove other threats to an internetted system by a corrupted insider (systems operator) and/or direct physical attack. It would also increase the difficulty in strategic and tactical intelligence vis-a-vis strategic IW attackers.
Given the wide array of possible opponents, weapons, and strategies, it becomes increasingly difficult to distinguish between foreign and domestic sources of IW threats and actions. You may not know who's under attack by whom, or who's in charge of the attack. This greatly complicates the traditional role distinction between domestic law enforcement, on the one hand, and national security and intelligence entities, on the other. Another consequence of this blurring phenomenon is the disappearance of clear distinctions between different levels of anti-state activity, ranging from crime to warfare. Given this blurring, nation-states opposed to U.S. strategic interests could forgo more traditional types of military or terrorist action and instead exploit individuals or transnational criminal organizations (TCOs) to conduct "strategic criminal operations."
Opportunities for IW agents to manipulate information that is key to public perceptions may increase. For example, political action groups and other nongovernment organizations can utilize the Internet to galvanize political support, as the Zapitistas in Chiapas, Mexico, were able to do. Furthermore, the possibility arises that the very "facts" of an event can be manipulated via multimedia techniques and widely disseminated. Conversely, there may be a decreased capability to build and maintain domestic support for controversial political actions. One implication is that future U.S. administrations may include a robust Internet component as part of any public information campaign.
Among participants, there was no support for any extraordinary maneuver by the government to "seize control" of the media and the Internet in response to a probable IW attack. Rather, there was an acknowledgment that future U.S. administrations might face a daunting task in shaping and sustaining domestic support for any action marked by a high degree of ambiguity and uncertainty in the IW realm.
For a variety of reasons, traditional intelligence-gathering and analysis methods may be of limited use in meeting the strategic IW intelligence challenge. Collection targets are difficult to identify; allocation of intelligence resources is difficult because of the rapidly changing nature of the threat; and vulnerabilities and target sets are not, as yet, well understood. In sum, the United States may have difficulty identifying potential adversaries, their intentions, and their capabilities. One implication of this is that new organizational relationships are needed within the intelligence community and between this community and other entities. A restructuring of roles and missions may also be required.
In our exercises, debate on this problem centered on the need for some interagency structure to allow for coordinated collection and analysis of "foreign" and "domestic" sources versus the desire to preserve the boundary between foreign intelligence and domestic law enforcement.
This feature of warfare presents fundamentally new problems in a cyberspace environment. A basic problem is distinguishing between "attacks" and other events, such as accidents, system failures, or hacking by "thrill-seekers." The main consequence of this feature is that the United States may not know when an attack is under way, who is attacking, or how the attack is being conducted.
As in the debate over what to do about the dilemmas posed by the strategic intelligence challenge, exercise participants split on this topic between those who were prepared to consider a more radical mixing of domestic law enforcement and foreign intelligence institutions and those strongly opposed to any commingling.
Many U.S. allies and coalition partners will be vulnerable to IW attacks on their core information infrastructures. For example, the dependence on cellular phones in developing countries could well render telephone communications in those nations highly susceptible to disruption. Other sectors in the early stages of exploiting the information revolution (e.g., energy and financial) may also present vulnerabilities that an adversary might attack to undermine coalition participation. Such attacks might also serve to sever "weak links" in the execution of coalition plans. Conversely, tentative coalition partners who urgently need military assistance may want assurances that a U.S. deployment plan to their region is not vulnerable to IW disruption.
There was general agreement among participants that as the United States develops and refines defensive systems and concepts of operations or techniques in this area, it should consider sharing them with key allies, but no specific policies were proffered in the discussions.
Information warfare has no front line. Potential battlefields are anywhere networked systems allow access. Current trends suggest that the U.S. economy will increasingly rely on complex, interconnected network control systems for such necessities as oil and gas pipelines, electric grids, etc. The vulnerability of these systems is currently poorly understood. In addition, the means of deterrence and retaliation are uncertain and may rely on traditional military instruments in addition to IW threats. In sum, the U.S. homeland may no longer provide a sanctuary from outside attack.
There was a broad consensus among exercise participants that no dramatic measures such as shutting down an infrastructure would be effective as a defensive measure (and some skepticism as to whether such action would, in fact, be possible during a crisis). There appeared, however, a broad consensus in favor of exploring the concept of a "minimum essential information infrastructure" based on a series of federally sponsored incentives to ensure that the owners and operators had procedures to detect IW-type attacks and reconstitution measures that minimized the impact of any one network disruption—see the discussion below.
Over the course of the exercise series, careful attention was given to the possible solidifying of a bottom line on the gravity of the cyberspace-based strategic IW threat. Many existing information systems do appear to be vulnerable to some level of disruption or misuse. At the same time, developments in cyberspace are so dynamic that existing vulnerabilities may well be ameliorated as part of the natural building of immunities to threats that accompany any such rapidly evolving entity. However, our dependence on cyberspace and information systems generally is also growing rapidly—raising unsettling questions as to whether the "immune system" process can "keep up" and thus prevent serious strategic vulnerabilities from emerging and being exploited.
We looked for, but did not find, any strong statistical consensus on just where people think we are now on the threat spectrum portrayed in Figure S.2, or where we might be heading. We did observe, however, that over the course of the exercise, the general perspective on the magnitude of the strategic IW problem almost invariably appeared to move downward along the graph of Figure S.2. This experience mirrored that of the authors—the more time spent on this subject, the more one saw tough problems lacking concrete solutions and, in some cases, lacking even good ideas about where to start.
The features and likely consequences of strategic information warfare point to a basic conclusion: Key national military strategy assumptions are obsolescent and inadequate for confronting the threat posed by strategic IW. Five major recommendations emerged from the exercises as starting points for addressing this shortcoming:
Participants widely agreed that an immediate and badly needed first step is the assignment of a focal point for federal government leadership in support of a coordinated U.S. response to the strategic IW threat. This focal point should be located in the Executive Office of the President, since only at this level can the necessary interagency coordination of the large number of government organizations involved in such matters—and the necessary interactions with the Congress—be effectively carried out. This office should also have the responsibility for close coordination with industry, since the nation's information infrastructure is being developed almost exclusively by the commercial sector. Once established, this high-level leadership should immediately take responsibility for initiating and managing a comprehensive review of national-level strategic information warfare issues.
The federal government leadership entity cited above should, as a first step, conduct an immediate risk assessment to determine, to the degree possible, the extent of the vulnerability of key elements of current U.S. national security and national military strategy to strategic information warfare. Strategic target sets, IW effects, and parallel vulnerability and threat assessments should be among the components of this review. In an environment of dynamic change in both cyberspace threats and vulnerabilities, there is no sound basis for presidential decisionmaking on strategic IW matters without such a risk assessment.
In this context there is always the hope or the belief—we saw both in the exercises—that the kind of aggressive response suggested in this report can be delayed while cyberspace gets a chance to evolve robust defenses on its own. This is, in fact, a possibility—that the healing and annealing of an immune system that is under constant assault, as cyberspace is and assuredly will continue to be (if only, in Willy Sutton's words, because that's where the money is), will create the robust national information infrastructure that everyone hopes to use. But it may not, and we are certainly not there now.
The appropriate role for government in responding to the strategic IW threat needs to be addressed, recognizing that this role—certain to be part leadership and part partnership with the domestic sector—will unquestionably evolve. In addition to being the performer of certain basic preparedness functions—such as organizing, equipping, training, and sustaining military forces—the government may play a more productive and efficient role as facilitator and maintainer of some information systems and infrastructure, and through policy mechanisms such as tax breaks to encourage reducing vulnerability and improving recovery and reconstitution capability.
An important factor is the traditional change in the government's role as one moves from national defense through public safety toward things that represent the public good. Clearly, the government's perceived role in this area will have to be balanced against public perceptions of the loss of civil liberties and the commercial sector's concern about unwarranted limits on its practices and markets.
Once an initial risk assessment has been completed, U.S. national security strategy needs to address preparedness for the threat as identified. As portrayed in Figure S.3, preparedness will cross several traditional boundaries from "military" to "civilian," from "foreign" to "domestic," and from "national" to "local."
One promising means for instituting this kind of preparedness could involve the concept of a "minimum essential information infrastructure" (MEII), which was introduced as a possible strategic defensive IW initiative in the exercise and is portrayed notionally in Figure S.3. The MEII is conceived as that minimum mixture of U.S. information systems, procedures, laws, and tax incentives necessary to ensure the nation's continued functioning even in the face of a sophisticated strategic IW attack. One facet of such an MEII might be a set of rules and regulations sponsored by the federal government to encourage the owners and operators of the various national infrastructures to take measures to reduce their infrastructure's vulnerability and/or to ensure rapid reconstitution in the face of IW-type attacks. The analog for this concept is the strategic nuclear Minimum Essential Emergency Communications Network (MEECN). Participants in the exercise found the MEII construct conceptually very attractive even though there was some uncertainty as to how it might be achieved. An assessment of the feasibility of an MEII (or like concepts) should be undertaken at an early date.
The current national military strategy emphasizes maintaining U.S. capability to project power into theaters of operation in key regions of Europe and Asia. Because of the four emerging theaters of operation in cyberspace for such contingencies (see Figure S.1), strategic IW profoundly reduces the significance of distance with respect to the deployment and use of weapons. Therefore, battlefield C3I vulnerabilities may become less significant than vulnerabilities in the national infrastructure. Planning assumptions fundamental to current national military strategy are obsolescent. Consideration of these IW features should be accounted for in U.S. national military strategy.
Against this difficult projection and assessment situation, there is the ever-present risk that the United States could find itself in a crisis in the near term, facing the possibility of, or indications of, a strategic IW attack. When the president asks whether the United States is under IW attack—and, if so, by whom—and whether the U.S. military plan and strategy is vulnerable, a foot-shuffling "we don't know" will not be an acceptable answer.
Finally, however, it must be acknowledged that strategic IW is a very new concept that is presenting a wholly new set of problems. These problems may well yield to solution—but not without the intelligent and informed expenditure of energy, leadership, money, and other scarce resources that this study seeks to catalyze.
What is "Strategic Information Warfare?"
The Changing Face of War
Defining Features of Strategic Information Warfare
Issues of Strategic Information Warfare
Summary of Group Deliberations for Step Three
"Strategic Information Warfare illuminates a challenging and often obscure method for examining policy options. Any student of government or industrial decision making would be well advised to buy this book. Grade: 92%"
- Technology and Society
"Information warfare remains a nebulous subject, but his monograph offers one of the most interesting and revealing ways of thinking about it, at least in an unclassified venue. A short but comprehensive discussion of the central issues in information warfare, particularly defense against attacks on the myriad information systems that keep American society running, is followed by an ingenious 'day after' exercise that illustrates and amplifies these problems. In three parts--'the day of' an information attack, 'the day after', and finally 'the day before'—participants can work their way through the decisionmaking problems of information warfare. The exercise, which has been tested with many government and private groups, is a brilliant device for exploring a problem bound to become more salient."
- Foreign Affairs
"An excellent overview of the subject. Highly recommended for a variety of subject areas, particularly political science and computer science."
- Academic Library Book Review
"The great value of such exercises lies in raising the consciousness of decision-makers about problems likely to emerge, but which have not yet received their devoted attention."
- Comparative Strategy
"This book terrified me... because the authors are right. Strategic information warfare is possible and probable. I applaud that this research was done. I am thrilled that this is an unclassified, easily obtained book rather than something that remains within the closed networks of the military-industrial vaults."
- Computing Reviews