Strategic War ... in Cyberspace

National security is becoming progressively more dependent on and identified with assets related to the "information revolution." As part of this revolution, both defense and civilian activities are becoming more heavily dependent on computers and communications, and a variety of key information systems are becoming more densely and extensively interlinked. With the many benefits of the information revolution have also come vulnerabilities. Civilian data encryption and system protection are rudimentary. Talented computer hackers in distant countries may be able to gain access to large portions of the information infrastructure underlying both U.S. economic well-being and defense logistics and communications. Current or potential adversaries may also gain access through foreign suppliers to the software encoded in U.S. transportation and other infrastructure systems. We could thus one day see actions equivalent to strategic attack on targets of national value within the U.S. homeland and on essential national security components and capabilities. In short, there will exist the capability for strategic information warfare.

Recognizing this possibility, in January 1995 the Secretary of Defense established an Information Warfare Executive Board to facilitate "the development and achievement of national information warfare goals." RAND was asked to provide an analytic framework and exercise for identifying defensive information warfare issues, exploring their consequences, and highlighting starting points for policy development. Among those points emanating from the exercise were the following:

• Establish within the Executive Office of the President a focal point for federal leadership in support of a coordinated response to the information warfare threat.
• Assess the vulnerability of key elements of current U.S. national security and national military strategy to strategic information warfare.
• Explore the feasibility of developing a minimum essential information infrastructure, permitting effective overseas force deployments and keeping the nation functioning even in the face of a sophisticated information warfare attack.

The exercise leading to these conclusions was conducted by a RAND team led by Roger Molander and is described in Strategic Information Warfare: A New Face of War. It was run three times with participation by senior members of the national security community and representatives from U.S. government domestic agencies and the telecommunications and information system industries. The exercise confronted participants with a challenging hypothetical political-military crisis in the year 2000. In this crisis, a conventional Iranian military threat and an internal threat to Saudi Arabia are made more acute by critical information and communication system failures in the U.S. homeland and elsewhere. These failures appear to result from both strategic information warfare conducted from outside the United States and from the actions of domestic anti-interventionist groups.

The exercise scenario thus highlighted from the start a fundamental aspect of strategic information warfare: There is no "front line." Though defense planners are used to thinking of information-related attacks in terms of such actions as jamming in-theater military communications, strategic targets in the United States may prove just as vulnerable. So also may targets in allied "zones of interior" and in the systems supporting U.S. force deployment. As a result, the attention of exercise participants quickly broadened to include four distinct theaters of operation, as shown in the figure.

Strategic information warfare challenges conventional approaches to defense as a result of various defining and closely coupled characteristics:

• Low entry cost. In contrast to the strategic nuclear environment of the cold war, a strategic information attack on the United States might be made without access to large financial resources or state sponsorship. The "weapons" could be software "logic bombs" or computer worms and viruses, the "delivery systems," cellular telephones and the Internet.
• Blurred traditional boundaries. In cyberspace, the boundaries between nations and private-sector organizations are porous, rendering distinctions between war and crime, and between public and private interests, less meaningful. International activist organizations may function largely over the Internet and provide (perhaps unintentional) cover for information warriors within their ranks.
• Expanded role for perception management. New information-based techniques may substantially increase the power of deception and image manipulation activities. Disinformation may make it difficult for the U.S. government to build political support for actions needed to ensure national security.
• Lack of strategic intelligence. Vulnerabilities to strategic information warfare are poorly understood. The identities of potential adversaries may be unknown, and classical intelligence collection and analysis methods may not apply. New methods of analysis and interorganizational relations may have to be developed.
• Difficulty of tactical warning and attack assessment. There will be formidable problems in distinguishing between strategic information warfare attacks and other kinds of activities and events, such as espionage, accidents, system failures, and hacker pranks. An inability to make such distinctions could lead to very cautious military responses to regional challenges such as those hypothesized in the exercise.
• Difficulty of building and sustaining coalitions. Coalition responses could be at risk to the weakest information links binding the alliance. An inability to protect partners from information warfare attacks could jeopardize the United States' ability to form and sustain coalitions.
• Vulnerability of the U.S. homeland. The U.S. economy and society rely increasingly on a high-performance networked information infrastructure for everything from air travel and electric-power provision to management of citizens' financial accounts. A new set of lucrative strategic targets thus presents itself to potential information warriors.

These characteristics were elucidated over the course of the exercise, which was based on a methodology RAND had developed previously for exploring counterproliferation and related intelligence issues. The output of the exercise was a set of initiatives intended to minimize the likelihood of a crisis of the type portrayed or, failing that, minimize its consequences. These recommendations, presented near the beginning of this brief, reflect both the potential gravity of the threat as viewed by the exercise participants and their desire not to overreact to what is now largely a hypothetical problem. It is possible, after all, that the evolving information infrastructure will be equipped with adequate protections as its commercial developers respond to local vulnerabilities and concerns. However, the tendency of the exercise participants was to view information infrastructure vulnerabilities and the potential for strategic information warfare far more seriously the more they learned about the subject and debated its implications.