Dec 31, 1995
National security is becoming progressively more dependent on and identified with assets related to the "information revolution." As part of this revolution, both defense and civilian activities are becoming more heavily dependent on computers and communications, and a variety of key information systems are becoming more densely and extensively interlinked. With the many benefits of the information revolution have also come vulnerabilities. Civilian data encryption and system protection are rudimentary. Talented computer hackers in distant countries may be able to gain access to large portions of the information infrastructure underlying both U.S. economic well-being and defense logistics and communications. Current or potential adversaries may also gain access through foreign suppliers to the software encoded in U.S. transportation and other infrastructure systems. We could thus one day see actions equivalent to strategic attack on targets of national value within the U.S. homeland and on essential national security components and capabilities. In short, there will exist the capability for strategic information warfare.
Recognizing this possibility, in January 1995 the Secretary of Defense established an Information Warfare Executive Board to facilitate "the development and achievement of national information warfare goals." RAND was asked to provide an analytic framework and exercise for identifying defensive information warfare issues, exploring their consequences, and highlighting starting points for policy development. Among those points emanating from the exercise were the following:
The exercise leading to these conclusions was conducted by a RAND team led by Roger Molander and is described in Strategic Information Warfare: A New Face of War. It was run three times with participation by senior members of the national security community and representatives from U.S. government domestic agencies and the telecommunications and information system industries. The exercise confronted participants with a challenging hypothetical political-military crisis in the year 2000. In this crisis, a conventional Iranian military threat and an internal threat to Saudi Arabia are made more acute by critical information and communication system failures in the U.S. homeland and elsewhere. These failures appear to result both from strategic information warfare conducted from outside the United States and from the actions of domestic anti-interventionist groups.
The exercise scenario thus highlighted from the start a fundamental aspect of strategic information warfare: There is no "front line." Though defense planners are used to thinking of information-related attacks in terms of such actions as jamming in-theater military communications, strategic targets in the United States may prove just as vulnerable. So also may targets in allied "zones of interior" and in the systems supporting U.S. force deployment. As a result, the attention of exercise participants quickly broadened to include four distinct theaters of operation, as shown in the figure.
Strategic information warfare challenges conventional approaches to defense as a result of various defining and closely coupled characteristics:
These characteristics were elucidated over the course of the exercise, which was based on a methodology RAND had developed previously for exploring counterproliferation and related intelligence issues. The output of the exercise was a set of initiatives intended to minimize the likelihood of a crisis of the type portrayed or, failing that, minimize its consequences. These recommendations, presented near the beginning of this brief, reflect both the potential gravity of the threat as viewed by the exercise participants and their desire not to overreact to what is now largely a hypothetical problem. It is possible, after all, that the evolving information infrastructure will be equipped with adequate protections as its commercial developers respond to local vulnerabilities and concerns. However, the tendency of the exercise participants was to view information infrastructure vulnerabilities and the potential for strategic information warfare far more seriously the more they learned about the subject and debated its implications.