This chapter provides an introduction and discussion of global information warfare (IW). As a professional cyber security officer you may not know it as or call it information warfare on a global scale, but we certainly are in a cyber war. Furthermore, if you are to protect the government agency or corporate information, systems, and networks that are your part of the global or national information infrastructure, you better start thinking and acting as if you were in a war because, like it or not, you are.
Keywords
Command and control warfare (C2W); First-generation warfare; Information environment (IE); Information warfare (IW); Locust Swarm; Locusts program; Second-generation warfare; Water pumping stations
War does not determine who is right—only who is left.
Bertrand Russell
This chapter begins with a fictional scenario that could soon become all too real—some of it has already occurred. Some aspects of IW attacks have already been tested by government agencies, terrorists, hackers, organized crime members, and the general criminal out to get rich at our expense, through either theft or blackmail, or to deny their adversary the ability to function.
This fictional scenario is presented as part of an introduction to global IW so that the reader can see what devastation can be caused by global IW, global because it can happen from anywhere to anywhere. It is something that the global IW defender must consider when addressing global IW issues.
Let’s look at the possibilities of a worst-case IW attack scenario on the United States.
The Possibilities
At first, some thought it was a massive solar eruption worse than that of 1998, since communications, including microwave and cell phone towers, were made inoperable. Then it was theorized as a software glitch similar to the scare of the 2000 millennium bug years earlier. Then, all too soon, the real reason for the power loss and its domino effect became clear—a global IW attack on a massive scale.
It first started on Christmas Eve in the United States, for they knew only minimal staffing would be in place, with many of those vital to getting systems up and running again on vacation and out of the communication loop. They unleashed it late at night to cause the most havoc; it started in the Northwest, in the Seattle area, moved south to Portland, San Francisco, and Los Angeles, and at the same time moved east. The power went out, first on the western grids, shutting down power station after power station, blackening each neighborhood, each town, each city, from the Pacific Ocean moving slowly eastward like a swarm of locusts to the Atlantic Ocean, into parts of Canada and Mexico that were unfortunate enough to share America’s power grids. They called the attack program “Locust Swarm.”
America’s energy grid slowly went down. For those whose contingency plans included generators, the generators bought more time, but time was not on their side. Eventually, the gas-powered generators ran out of gas. Gas was not forthcoming, as electrical power was out from gas stations to oil refineries, and the oil pipes leading to them had no power to move the oil. Gas pumps were closed, and panic ensued. The alarm systems in stores, banks, and everywhere else in the country ceased operation.
Local power companies found that some transformers had exploded, taking days to months to find replacements as so many were dead; some estimated it would take as long as six months to replace many of them, electricity being crucial to powering technology, and technology running everything. Whether they used solar cells, windmills, coal, natural gas, or diesel fuel, it didn’t matter as all were controlled and run by computers. Even the monitoring systems were run by technology and when false readings were sent through them, they also helped cause the chaos and the overloads that ensued. Systems monitoring everything from nuclear facilities to dams were affected.
Just before the rolling blackout hit an area, there were a number of Twitter broadcasts—“Power is out, bank alarms are out, store alarms are out, come take your share of the bounty.” When the miscreants of each area where power failed got the message, they joined their friends and soon police and fire fighters were occupied with emergencies. Mobs broke into any place that offered them money, furniture, televisions, and other goods free for the taking, setting fire as they went. They acted with impunity as even CCTV cameras were out.
Fire departments were overwhelmed and fire trucks eventually ran out of gas and could not respond. The same thing applied to police departments, even the National Guard and other military facilities.
Medical equipment in hospitals vital to keeping people alive ceased to operate as generators failed, and thousands of patients across the country died, many on the operating tables.
Instead of aircraft losing communications with the towers, the Locusts that had infected the country did not shut down the control towers as rapidly. No one thought to ask why until it was too late. And it was too late when the Locusts were uploaded to aircraft and wormed their way into the computer systems changing the instrumentation settings on the aircraft without the knowledge of the flight crews, on both commercial and military aircraft.
Aircraft pilots had learned to fly using computers and their instruments. Long gone were the pilots who “flew by the seat of their pants.” Programming errors caused planes to crash and thousands to die. Some that were running out of fuel tried landing but relied on false instrument readings and burned up on runways, stopping other aircraft from trying to land. While some made it down safely, others crashed and burned in adjacent fields and taxiways. The skies glowed with the fires of crashed aircraft, bodies strewn everywhere. Some survived for a while but the emergency teams were overwhelmed and many died.
The Locusts program wormed its way into automated home systems. It was the middle of winter and heaters were turned off and air conditioners turned on. Many vulnerable people in the northern region of the nation froze to death. And those in nursing homes and animals in shelters could not be cared for.
Water pumping stations ceased operation, sewer systems failed. So when water was needed the most, bottled water started flying off store shelves until it ran out. People turning on their water faucets found nothing but stinking, brown water coming out, and then not even that.
All modern nations reliant on technology are vulnerable to such attacks. Of course there are those who say it can’t happen. Really?
Introduction to Warfare
Wars have been fought ever since there were human beings around who did not agree with one another. These conflicts continue to this day, with no end in sight. The use of information in warfare is nothing new. Those who had the best information the fastest and were able to correctly act on it the soonest were usually the victors in battles.
Is it any wonder that since we are now in the Information Age we should also have information warfare? Because we now look at almost everything on a global scale, it should also not be surprising that information warfare is viewed on a global scale. Information warfare is today’s much-talked-about type of warfare. A search of the Internet on the topic using Google.com disclosed that in 2002 there were 472,000 hits but in 2014 there were 27,700,000 hits. Information warfare is becoming an integral, digital part of warfare of all types in the modern era.
Four Generations of Warfare
Military historians and professionals over the years have discussed the various generations of warfare. Some believe there are four generations of warfare to date:1
• First-generation warfare started with the rise of the nation-state and included a top-down military structure, limited weapons, and armies made up of serfs. It ended in the early nineteenth century about the time of the Napoleonic Wars.
• Second-generation warfare began about 1860 in the United States with its Civil War. This generation of warfare included artillery, machine guns, mass weapons development, and logistics supported by trains. This generation of warfare ended sometime after World War I.
• The beginning of the third generation of warfare is attributed to the Germans in World War II, in which “shock-maneuver” tactics were used.
• In 1989, the U.S. Marine Corps Gazette2 contained an article by several military personnel. The article, entitled “Changing the Face of War: Into the Fourth Generation,” discussed the fourth-generation battlefield, where it is likely that it will include the “whole of the enemy’s society …. The distinction between civilian and military may disappear …. Television news may become a more powerful operational weapon than armored divisions.” If one were to have any doubts about the accuracy of that statement, one just has to remember the U.S. television news showing a dead American military man’s body being dragged through the streets of Mogadishu. The loss of national will can be closely correlated with how quickly the United States departed that country. This, too, is part of the information warfare campaigns being waged on a worldwide scale.
One can argue that information warfare has existed in all generations of warfare and included spying, observation balloons, breaking enemy codes, and many other functions and activities. True, information warfare is as old as humans, but many aspects as to how it is being applied in our information-dependent, information-based world are new.
Introduction to Global Information Warfare
In the early 1990s, several people in the U.S. Department of Defense (DoD) articulated a unique form of warfare termed “Information Warfare.” The Chinese say they were developing IW concepts in the late 1980s. Who is correct? Does it matter? The areas embraced by IW have been developed over the centuries and millennia and have been a normal part of human activities from humankind’s beginning. What is unique about IW is that it is the first instantiation of trying to tie together all the areas that make up the information environment (IE). The IE runs through every part of your country, organization, and personal life. At the present time, there is no cookbook recipe to do the extremely complex task of bringing together all the areas.
What is IW? The general working definition of IW employed in this book is as follows: IW is a coherent and synchronized blending of physical and virtual actions to have countries, organizations, and individuals perform, or not perform, actions so that your goals and objectives are attained and maintained, while simultaneously preventing competitors from doing the same to you. Clearly, this embraces much more than attacking computers with malicious code. The litmus test is this: if information is used to perpetrate an act that was done to influence another to take or not take actions beneficial to the attacker, then it can be considered IW.
The definition is intentionally broad, embracing organizational levels, people, and capabilities. It allows room for governments, cartels, corporations, hacktivists, terrorists, other groups, and individuals to have a part. It is up to each enlightened enterprise to tailor the definition to fit its needs. This should not be a definition of convenience, to “check the box.”
You are asked, and many times forced by government and businesses, to depend on the Internet; the Internet that is home to hackers, crackers, phreakers, hacktivists, script kiddies, Net espionage (network-enabled espionage), and information warriors; the Internet that is home to worms, Trojan horses, software bugs, hardware glitches, distributed denial-of-service (DDoS) attacks, viruses, and various forms of malware. All this, and the Internet is only a portion of the areas that IW addresses. Although the Internet touches many critical infrastructures, and these in turn affect the many IEs with which you interface, most of the IW areas were around before the Internet.
As “competition” is analogous to “enemy” or “adversary,” other business–military analogies can be made with profit, shareholder value, competitive edge, and industry rank to achieve brand recognition, customer loyalty, exertion of power, influence, and market share. A business leader or military leader must train and equip forces; gather intelligence; assemble, deploy, and employ forces at decisive places and times; sustain them; form coalitions with other businesses and nation-states; and be successful. There are many physical and virtual world parallels, as can be seen in the following headline: “Cisco to use SNA as weapon against competition …. Cisco believes its experience in melding SNA and IP internetworks can be used as a weapon in the company’s battle with Lucent and Nortel for leadership in converging voice, video, and data over IP networks.”2
Purists will focus on warfare as a state of affairs that must be declared by a government and can be conducted only by a government. But consider guerrilla warfare, economic warfare (one country “forcing” another country to spend itself into bankruptcy, as allegedly the United States did to the Soviet Union), or a company adjusting prices to damage its competition (e.g., taking a long time horizon to use volume and time to adjust prices downward). “Conflict” or “that’s business” does not carry the same sound of ultimate struggle as referring to business as “war.” Clausewitz stated, “War is an extension of politics.” By analogy, because business is the implementation of a country’s laws, economic policy, and values, business is also an extension of politics.
In a free market economy, competition is central to business strategy to win customers and market share. Competition, like war, is a struggle for a winning position. The marketplace can then be referred to analogously as a battlefield with winners and losers. It follows that business is analogous to war. Therefore, using military phraseology in a business context is appropriate. In fact, one just has to remember September 11, 2001, and New York’s World Trade Centers to see that in today’s world, warfare is waged on many levels by various adversaries against various targets. These targets can be nation-states, their governments, groups, businesses, or individuals. The tools will be any that can be applied for attackers to successfully attain their goals.
The counterargument is that some insurance companies’ contracts state that if a loss is due to an act of terrorism or war, they will not pay for damages. In the United States, attacks on computers by default are criminal acts and are thus in the purview of law enforcement. Often, after an investigation determines that the criminal act is a national security issue, the intelligence agencies and other government organizations will take the lead.
There are adversaries, winners, and losers. All the writing on IW focuses on weaknesses, defenses, and losses. Despite the gloomy forecasts by government officials and the media, IW is also about strengths, offenses, and gains. These positive features are within the grasp of any government or business organization with a desire to seize and maintain a competitive advantage—to be a winner on the IW battlefield. Importantly, unlike some of today’s physical wars and those of the past, a small nation, for example, North Korea, has the power, without a great deal of resources, to successfully attack global and national businesses, as well as governments.
What possible application can IW have outside specialized military circles? From a practical viewpoint, how does IW shorten decision cycle times, raise revenue, lower or avoid costs, and improve performance? If IW cannot improve effectiveness or efficiency, or bring about innovation, why do it? IW does do these things and ought to be the approach used rather than the top management fads that come and go, leaving businesses worse off for trying them. The purpose of IW is to gain power and influence over others. Power and influence are at the heart of all such relationships. Because IW requires effort, the effort needs to resolve into some aspect of power, such as profit or economic or military domination on the battlefield or in the marketplace.
Information Warfare Will Hit You in Your Pocketbook
There have been some events that were not expected. Hannibal crossed the Alps. Clay defeated Liston for the heavyweight boxing title. CD Universe did not think crackers would break into its systems. Buy.com did not expect a DDoS attack, nor did Sony, Target, or victims too numerous to mention. It seems new websites are discovered and hacked within minutes of being on the Internet. One honey pot project was attacked within 5 min. It will happen: one day your IE defenses are going to be beaten. When they go down, your revenues and profits will go down. The Internet Age has again proven the adage that “time is money.” Suppose a company has US$1 billion in electronic and mobile-commerce revenue. That equates to $2,739,726 per day, $114,155 per hour, $1903 per minute, and $32 per second.3 How long can your business afford to be adversely affected by an attack? In other words, what are the risks and consequences you are willing to accept?
In a portent of crippling events to come, since early 2000 there have been thousands of automated computer-based distributed attacks, extortion attempts for tens and hundreds of millions of dollars, and posting on the Internet of millions of supposedly protected credit card details and other private information. Apparently, the laws and court sentences for computer crimes lack deterrent value. Of course, if hardware and software products, communications systems, e-commerce sites, and other information technology (IT) components were designed with security in mind, we would not have this predicament—something that even Bill Gates of Microsoft finally realized.
In many cases, the dollar loss is secondary to the loss of trust. Banks and insurance companies especially feel customers’ wrath. When customers believe their trust has been compromised, they vote with their pocketbooks and take their business elsewhere. That is when revenues and profits decline, which leads to a decline in the stock price, which in the not too distant future will lead to shareholder lawsuits for negligence and other claims.
IW conjures up many images: computers, networks, and telecommunications-savvy experts in the military and intelligence communities, corporate espionage, and pale 14-year-olds looking like they could be the next door neighbor’s kids—or yours. Dire prognostications about how an “electronic Pearl Harbor” threatens national security and the daily media coverage of viruses and denial-of-service attacks interchangeably using phrases such as information warfare, cyber warfare, and cyber terrorism may make IW seem distant and surreal.
Some of the attacks, premeditated or unintentional, resulted in billions of dollars in damages. Computer emergency response teams and law enforcement agencies stress protection and defense of information, information infrastructure, and information-based processes to ward off malicious attacks. What do these and many other aspects of operating in the IE have to do with managing a government organization or running a business? For businesses, this may mean new business generation, cost avoidance, profit, customer retention, market leadership, and positive power public perception. For nation-states, this may be economic, political, or military power, influence, or defeat.
The once high-profile events such as the Morris worm and Citibank’s $400,000 loss ($10 million was stolen, and all but $400,000 allegedly recovered) should have been sufficient warning shots across the bow that a different approach was needed. However, such attacks of “long ago,” in technology terms, pale in comparison to the number, sophistication, and scale of losses of today’s attacks.
Note: Many of us since the late 1980s and into the 1990s forward have been warning of the potential for IW attacks and what should be done to prepare for them. Of course, as usual when it comes to security, management in businesses and in government agencies ignored our warnings and are now reaping the results. We predict the worst is yet to come.
The much-needed security fixes are years away as defenses continue to lag behind the attackers in sophistication. However, there are pockets of government-sponsored sophisticated attacks; some may even be called “defensive attacks” or preemptive strikes against an adversary. Demand is low because the general public appears to be uninterested in cracker exploits, made indifferent by the almost daily news stories. Said differently, the public has come to expect identity thefts, theft of their credit cards, and such. However, since corporations are held liable in most cases, and credit card corporations absorb the losses of their customers, the general public remains complacent in general but personally outraged only when it is their own identity or financial instruments that have been compromised.
Business Is War
An advertising campaign can be considered a subset of an IW campaign. Here is a perhaps not so hypothetical example. Taking grocery store shelf space, owing to product or packaging redesign, from a competitor is notionally no different from denying use of a radar or a seaport to the enemy. Instead of cereal boxes that stood and poured vertically, what if they stood horizontally and had spouts for pouring (besides, vertical boxes are prone to tipping)? This would result in more shelf space needed for the same amount of cereal boxes. The packaging will carry a message that conveys “new” and “improved.” The boxes will be at eye level—easy for the consumer to spot. In-store advertising will attempt to vector shoppers to the cereal aisle. Newspaper and magazine advertising will attempt to convince customers to try the “new” and “improved” product, and coupons will be used as further enticement. There may even be an in-store demonstration. Because there is limited shelf space and if the cereal company has bargaining power, other cereals have to lose space. Lost space, it is hoped, then translates to lost product sales, which in turn leads to reduced revenue and profits as well as a lower stock price.
In business, the IW target can be the customer, the competition, or another entity. The purpose of the IW campaign is to have the competitor take action that will result in increased profits for your company. In the best of all outcomes, your revenues go up and the competitors’ revenues decline. Even if your sales were constant, just having less space to sell should make competitors’ sales decline, so your industry ranking will improve. What will the competition do? Redesign packaging? Alter ingredients? Lower the product’s price? Counter with coupons? Have a television campaign employing a doctor to extol the health benefits of their cereal? Play hardball with the supermarket chain? A combination? Nothing, taking a wait-and-see approach? This is physical and virtual IW at the corporate level. It embraces the media, perception management, physical operations, intelligence collection, and more.
This is no different from one country observing another and bringing to bear economic, diplomatic, and military means. These means may include very advanced open source searches and analyses and covert means involving manipulation of the radio frequency (RF) spectrum. From a business perspective, operations, marketing, public relations, manufacturing, finance, transportation, and other parts of the company must operate in a synchronized and coherent fashion. The competition must be monitored and intelligence collected so the company is in a position to respond agilely and effectively to any countermoves.
IW Broadly Encompasses Many Levels and Functions
IW is not the sole purview of a modern, technology-based, and dependent government; otherwise, only the wealthy countries could practice it. A narrow interpretation of IW flies in the face of reality. Other than a unique set of capabilities that are based on unlimited deep pockets and specialized espionage capabilities, more brainpower and, perhaps, more capabilities reside external to a government. Any organization, and even individuals, can conduct offensive and defensive IW. It is about seizing control of perceptions, physical structures, and virtual assets. Seizing control can be done from both offensive and defensive positions. That puts any organization squarely in control of its destiny. Those that are unenlightened will never perform at or near the top of the pack and may well go out of existence. Those that embrace IW have a much better chance of surviving and reaping the rewards.
The military, intelligence community, and law enforcement generally do not embrace this perspective. Why? They have capabilities that are highly classified. If used by industry, then “all hell would break loose.” Certainly, there are unique offensive and defensive capabilities that can be developed only by the government because of their high risk of failure and the necessary funding. However, there has been an explosion of brainpower with regard to physical and virtual capabilities. The majority of brainpower in genetics, robotics, nanotechnology, microelectromagnetic systems, and hydrogen technologies resides outside the military, intelligence community, and law enforcement. What is to prevent these capabilities from falling into the hands of nation-states, individuals, businesses, and organizations that wish to perpetrate some form of hostile behavior? Absolutely nothing.
What IW Is … and Is Not
Information warfare is not about a one-time silver bullet for a quick fix and looking good on a quarterly financial report. IW is not restricted to using computers to attack other computers. It is not confined to the cyber realm. “Virtual” means electronic, RF, and photonic manipulation. Organizations need to use the capabilities within the virtual and physical domains in a manner that optimizes what they wish to do. The best approach for IW, as it should be with a business or government organization, is to conduct physical and virtual operations in a synchronized and coherent fashion. Easier said than done. Goddard’s experiments contributed to manned space flight—four decades later. As virtual capabilities become more practical for the government, military, and business, the greater their importance becomes in operations. Fifteen years ago, laptops, mobile phones, and personal digital assistants—remember them?—were bulky, seldom more capable than their traditional counterparts, and much more expensive. For some people, the time-saving and cost-reducing capabilities of the gadgets border on technological cocaine, and these people almost cannot function without their gadgets. Some business and government organizations have bought into technology so much so that their operations can truly be termed “network-centric business.” What better way to counter this than with IW? Not many years from now, IW will be mainstream, and those who do not participate will fail.
Much hype surrounds hacker exploits and computer-based viruses. Most hacker, cracker, and phreaker exploits and viruses qualify as falling within IW, albeit at the low end of the spectrum, because there is an attempt to influence, either directly or indirectly, others to take an action. Approaches range from altruistic (“I found a hole in the software. Develop a patch for it.”) to anger (“I will make them miserable for firing me.”) to social awareness (“Stop drug research on animals.”) to criminal (“Here is how to defeat the fraud control and computer security systems of fill-in-the-blank corporation as all are vulnerable, more or less.”). Almost all of the events and attacks fall into the realm of theft, extortion, fraud, and related criminal behavior. Measures must be employed to protect and defend corporate and government systems because individual losses have already been in the tens and hundreds of millions of dollars.
Even if you have taken all the appropriate measures to protect and secure your physical and virtual assets, much falls outside your span of control: protected and secured power, finance, communications, transportation, water, and continuity of government infrastructures; security-rich and bug-free commercial off-the-shelf (COTS) software; and the creativity of crackers and phreakers to find new vulnerabilities in technology to exploit. Also, you probably cannot control your business partners’, customers’, financial stakeholders’, and suppliers’ IEs that are connected to yours. If you are an Internet-based company, then electronic and mobile commerce account for the majority of your revenue. Any disruption and your customers will go to your competitors. If you are a traditional bricks-and-mortar company expanding into the Internet to enhance your customers’ ability to do business with you, business interruptions and disclosure of customer data will taint your reputation and credibility. Business interruption can be costly on many levels.4
When properly employed, IW is an agile capability that can be tailored to any situation. It can bring a multitude of functions to bear. It can be implemented in both the physical and the virtual worlds. Central to IW is how it is used to influence decision-makers. Magazines, radio, television, newspapers, leaflets, e-mail, webpages, social media, and other forms of media can all be used as a vehicle to deliver IW.
IW should not be restricted to a small cadre. Certainly only a few people should know about the sensitive details that will make or break the execution of the IW plan. All parts of an enterprise, not just an organization, need to be linked for the most effective implementation of IW. Any organization has a finite portion of resources. Partnerships, alliances, consortia, and other relationships can serve to expand an organization’s capabilities.
Proper use of information is central to profitable business and successful military operations. IW is used to provide your organization a competitive advantage while limiting the competition’s capability to reduce your advantage and increase their own. Effective IW is not possible without control of your information environment.
An IE is an interrelated set of information, information infrastructure, and information-based processes. Data include the measurements used as a basis for reasoning, discussion, or calculation. Data are raw input. Information applies to facts told, read, or communicated that may be unorganized and even unrelated. Information is the meaning assigned to data. Knowledge is an organized body of information. It is the comprehension and understanding consequent to having acquired and organized a body of facts. Information as used here means data, information, and knowledge. No doubt horrific to purists, there is no one good word in the English language that embraces all three concepts together. All three processes exist within any organization. At any given time, one of the processes will be of greater value than the others. Your competition wants your information, so do not believe that “gentlemen don’t read other gentlemen’s mail.”
Information moves across information infrastructures in support of information-based processes. The information infrastructure is the media within which we display, store, process, and transmit information. Examples are people, computers, fiber-optic cable, lasers, telephones, and satellites. Examples of information-based processes are the established ways to obtain and exchange information. This includes people to people (e.g., telephone conversations and office meetings), electronic commerce/electronic data interchange, data mining, batch processing, and surfing the web. Attacking (i.e., denying, altering, or destroying) one or more IE components can result in the loss of tens of millions of dollars in profit or in degraded national security and can be more effective than physical destruction. Degrade or destroy any one of the components and, like a three-legged stool, the IE will eventually collapse. [5]
Being Prepared: Bad Things Will Happen
Bad things happen, such as floods, hurricanes, and earthquakes; power surges and sags; and fires. Disgruntled employees can steal, manipulate, or destroy information. Crackers work their way through the electronic sieve of protection mechanisms (e.g., firewalls and intrusion detection devices) into information assets.
Sound disaster recovery, business continuity, and contingency operating plans are essential. For every minute information systems are not up and fully running, revenues, profits, and shareholder value are being lost. The last thing a general counsel needs is a lawsuit from unhappy shareholders who are suing for millions because the corporation did not follow best practices to protect information. One problem is that COTS hardware and software are very difficult to protect. Another concern is that firewalls, intrusion detection devices, and passwords are not enough. The state of the art in information assurance is geared toward script kiddies and moderately skilled hackers. What about the competition, drug cartels, and hostile nation-states that are significantly better funded? There is no firewall or intrusion detection device on the market that cannot be penetrated or bypassed. Password dictionaries can cover almost any entire language, and there are very specific dictionaries (e.g., sports, Star Trek, or historic dates and events).
The Possible Breakdowns in an Information Environment
IEs exist internal and external to an organization. An IE is tailorable so it can support many actors. An IE can consist of a corporation, its customers, and the government. Another IE can be a military, its allies and coalition partners, and the government. Whatever comprises a specific IE, the important fact remains: if its elements are not protected and secured, the consequences can range from irritants to catastrophes.
An organization has employees. These employees deliver products, services, and processes to the organization and its customers. To keep the organization running, suppliers deliver products, services, and processes. Financial stakeholders—venture capitalists, banks, stockholders, and others—provide capital. The public has a positive, neutral, or negative view of the organization. Strategic teaming partners provide physical, financial, cerebral, and other capabilities. Every entity with which the organization is linked has its own IE. IEs are connected to, and are interdependent on, other IEs.
Going beyond Three Blind Men Describing an Elephant: Information Warfare Terms of Reference
IW cuts across national borders, educational background, and cultural views. To ensure a consistent understanding during this discussion, working definitions of IW and many supporting terms are offered. This does not preclude national interpretations and certainly does not attempt to rationalize, harmonize, and normalize definitions. Common terms of reference (TOR) permit a shared understanding, as well as a point of departure for applying the TOR within specific organizations.
George Santayana said, “Those who ignore the lessons of history are condemned to repeat them.”
Here is an example of how parochialism caused a disaster.
In August and October of 1943, the Allies launched air raids against Schweinfurt with disastrous consequences—for the Allies. In the August raid, of 600 planes, 60 were lost along with 600 crewmen. Why? There was no long-range fighter escort. Why? In the 1920s and 1930s, resources were allocated for strategic bombardment over pursuit. Why? General Emilio Douhet and others postulated that air power alone could win wars by striking the enemy’s strategic centers. Lesson learned: The decisions made in the 1920s and 1930s led to the wrong tactical employment a decade later. We must not make the same mistake with IW. If we do, national security, economic viability, and corporate capabilities will be lost.
It seems that there are as many definitions of IW and related topics as there are people. It is reminiscent of three blind men describing an elephant by touching the animal’s various parts. One blind man said, “An elephant is a reptile and is thin and long,” as he was touching the tail. Touching the tusks, another blind man said, “An elephant is like a big fish with its smooth and pointed body.” The third blind man said, “An elephant resembles a large leaf with a hole in the middle” because he was touching the ears. None of them could extrapolate their interpretations to a real elephant. Similarly, what one sees is not necessarily what one gets. “Qu’est-ce que c’est?” will be mispronounced if one does not have a basic understanding of French diction. So, too, is it with terms used to describe various practices in the information realm.
Although the names are initially obtuse to those who do not work in those areas, these information practices have been a normal evolution in communications and computers and also the dark-side move/countermove/counter-countermove “cool war.” There are many other variations. Little wonder the terms are understood by few people and erroneously used interchangeably. Few understand the difference between a hacker, a cracker, and a phreaker, much less a white-hat hacker.
In some cases, more terminology only detracts. “Cyber” is too limiting. It is as if, rather than pushing through difficult points to achieve philosophical insights and technical understanding, people create terms to differentiate themselves without knowing what they are doing.
Information and knowledge are now in vogue. We are in the Information Age and rapidly transitioning into the Knowledge Age. Acquiring the right data, deriving good information, and applying it to make sound decisions to positively affect the bottom line are essential. Search engines have made finding information on the Internet very simple. Witness, during at least the past 40 years, the explosion of terminology related to the protection of information and using information for national security purposes. The most important point is to understand the meaning of these terms and what the different functions can—and cannot—do to make an informed decision whether to commit resources (i.e., people, money, and time).
Many countries have developed definitions. IW, information assurance, information operations, information superiority, information dominance, and other constructs popular in the U.S. military are part of the revolution in military affairs and in security affairs. Government organizations and businesses have developed additional terms, and some do not agree with the national version. So that there can be a point of departure for this discussion, definitions accepted by many are put forth. In some cases, working definitions will be used. The following definitions are from the U.S. DoD Dictionary of Military and Associated Terms [6]:
Command and control warfare (C2W): The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. C2W is an application of information warfare in military operations and is a subset of information warfare. C2W applies across the range of military operations and all levels of conflict. C2W is both offensive and defensive.
Defense in depth: The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, to prevent initial observations of the whole position by the enemy, and to allow the commander to maneuver the reserve.
Information: Facts, data, or instructions in any medium or form. The meaning that a human assigns to data by means of the known conventions used in their representation.
Here are some “oldies but goodies” terms that are still valid today as they describe the IW-related environment:
• Information assurance: Information operations that protect and defend information and information systems by ensuring their availability, integrity, authenticity, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
• Information-based processes: Processes that collect, analyze, and disseminate information using any medium or form. These processes may be stand-alone processes or subprocesses that, taken together, comprise a larger system or systems of processes.
• Information environment: The aggregate of individuals, organizations, or systems that collect, process, or disseminate information; also included is the information itself.
• Information security: The protection of information and information systems against unauthorized access or modification of information, whether in storage, processing, or transit, and against denial-of-service to authorized users. Information security includes those measures necessary to detect, document, and counter such threats. Information security is composed of computer security and communications security. Also called INFOSEC or cyber security.
An older definition focused on only physical protections: locks, alarms, safes, marking of documents, and similar physical world capabilities.
• Information system: The entire infrastructure, organization, personnel, and components that collect, process, store, transmit, display, disseminate, and act on information.
• Information warfare: Information operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries.
We can expand on this because of the definition of IW. What is IW? It is more than computer network attack and defense. That almost everyone agrees on. But what else is encompassed by IW? Heated debates go on today about what IW should embrace and accomplish. IW is an umbrella concept embracing many disciplines. IW is most effective when performed in a synchronized and coherent fashion. That is why knowledge management (KM) complements it so well. All components of an organization, as well as across the enterprise, need to be included in an IW action plan.
The good news is that IW embraces the marketing, public relations, counterintelligence, and other functions you now perform. IW is not these functions renamed. They continue to be run by the subject matter experts. IW is the coherent application and synchronized approach of these functions. What is needed are experts who, by analogy, are conductors of the orchestra. They know where the expertise resides within the organization, understand what the functions can and cannot do, and bring them to bear for optimum performance. At present, only the military in a few countries comes close to understanding the relationships and functions of linking the physical domain with the virtual realm and has begun policy development and allocation of resources. For the most part the equivalent does not exist in industry—yet.
The purpose of IW is to control or influence a decision-maker’s actions. An area of control can be directly manipulated, whereas an area of influence can be only indirectly manipulated. Control and influence are the essence of power. From a business perspective, sector and industry-leading market share and profit are the results of proper IW execution.
What would make a decision-maker act or not act? Perhaps false or misleading information, an analysis of open source information, documents mysteriously acquired, or intelligence from an employee hired away from the competition. IW at the corporate level manifests itself in marketing, public relations, legal, research and development, manufacturing, and other functions. With the introduction of commercial high-resolution satellite photography, some companies have altered their delivery and shipment schedules, to include using empty rail cars and semitrailers to mask inventory, production capability, and customer quantities. IW is a full spectrum of capabilities. Ingredients are carefully selected and tailored to each case.
IW can be conducted without using physical destruction. Both military psychological operations and commercial advertising depend heavily on psychology and sociology, the study of individual and group behavior. The implications of this insight are enormous. Businesses engage in IW all the time, or is it that only the effective ones do?
IW enables direct and indirect attacks from anywhere in the world in a matter of seconds. Physical proximity to a target is not necessary. How is this possible? Because we have made conscious and unconscious decisions to have speed and connectivity without complementary security. In Sun Tzu’s and Genghis Khan’s eras, physical, personnel, and operational security were all that was needed for protection. Today we have fiber optics, satellites, smartphones and tablet computers, infrared and laser communications, interactive cable television, and a host of other technology marvels that allow us in a few seconds to reach anywhere. Now, in seconds, our information can be intercepted, modified, manipulated, and stolen.
No simple sentence or paragraph effectively describes IW. There are broad and narrow interpretations within national and international government, business, and academic communities, and some even totally reject the notion of IW. The overall view of IW must be expansive. Information is everywhere. We find information, for example, in mass media such as radio, television, and newspapers, at World Wide Web sites, in communications systems, and in computer networks and systems. Any and all may be subjected to attack via offensive IW. It follows that all these areas must be defended with defensive IW.
Offensive IW can make a government, society, nation, or business bend to the will of the attacker. Attacks can be very large, devastating, and noticed, such as economic or social disruption or breakdown and denial of critical infrastructure (e.g., power, transportation, communications, and finance) capabilities. They can also be small, low key, and unassuming, such as a request for publications and telephone calls (as the basis for social engineering). Businesses do not have the deep pockets of a government, but that does not restrict them from engaging in IW.
A business wants to deny the competition orders, customers, and information about its research and development. Industrial espionage has its share of illegal activities: theft, monitoring communications, and denying use of servers to conduct electronic commerce. Governments engage in psychological operations (with the subsets of mis/disinformation and propaganda using leaflets, television, and radio broadcasts). Businesses must identify when disinformation is being used to lure customers away and have the means to counter it. Of course, that is starting from a position of weakness. What is a proactive, defensive IW approach to counter the attack? Inoculate the customers, suppliers, business partners, and others in the IE.
Defensive IW is the ability to protect and defend the IE. Defense does not imply being reactive. Measures can be taken to forewarn of attacks and to preposition physical and virtual forces. Examples of virtual forces are software and brainpower. The acme of skill is to present a posture to prevent a competitor from attacking and to achieve victory without having to attack. Perception management is as important as demonstrable physical and virtual capabilities.
• Information operations (IO): As stated above, for the purposes of this book, IW is not restricted to war, so IO as described below is included in IW. Actions taken to affect adversary information and information systems while defending one’s own information and information systems.
• Defensive IO: The integration and coordination of policies and procedures, operations, personnel, and technology to protect and defend information and information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counterdeception, counterpsychological operations, counterintelligence, electronic warfare, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes.
• Offensive IO: The integrated use of assigned and supporting capabilities and activities, mutually supported by intelligence, to affect adversary decision-makers to achieve or promote specific objectives. These capabilities and activities include, but are not limited to, operations security, military deception, psychological operations, electronic warfare, physical attack or destruction, and special information operations and could also include computer network attack.
• Information superiority: The degree of dominance in the information domain that permits the conduct of operations without effective opposition. Information superiority is the relative state of influence and control of the IE between two or more actors. Some argue the opposite of “superiority” is “inferiority.” This is not the case. All actors have equal access to open source information. Restricted, sensitive, and classified information can be acquired through overt or covert operations. Having the data, information, and knowledge is not the key to attaining and maintaining information superiority. What is done with the information and the speed at which it is done is the gold nugget. Information sharing, automation, cross-platform information sharing, and automating processes (such as air traffic control, sales–manufacturing/production–inventory–transportation, and military intelligence–platform maneuver–weapons selection and release–battle damage assessment) are essential to have execution cycles faster than those of the competition.
• Operations security: A process of identifying critical information and subsequently analyzing friendly actions attendant on military operations and other activities to: (1) identify those actions that can be observed by adversary intelligence systems; (2) determine indicators that hostile intelligence systems might obtain what could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and (3) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. Also called OPSEC.
• Vulnerability: In information operations, a weakness in information system security design, procedures, implementation, or internal controls that could be exploited to gain unauthorized access to information or information systems.
In addition to the above definitions, the U.S. National Security Telecommunications and Information Systems Security Committee (NSTISSC) 4009, National Information Systems Security (INFOSEC) Glossary [14] offers the following:
• Attack: Type of incident involving the intentional act of attempting to bypass one or more security controls.
• Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices.
• Critical infrastructure: Those physical and cyber-based systems essential to the minimum operations of the economy and government.
• Integrity: Quality of an information system (IS) reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information.
• Nonrepudiation: Assurance that the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity so that neither can later deny having processed the data.
• OPSEC: Process denying information to potential adversaries about capabilities or intentions by identifying, controlling, and protecting unclassified generic activities.
• Probe: Type of incident involving an attempt to gather information about an IS for the apparent purpose of circumventing its security controls.
• Risk: Possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability.
• Risk management: Process of identifying and applying countermeasures commensurate with the value of the assets protected based on a risk assessment.
Neither NSTISSC 4009 nor the U.S. DoD Dictionary of Military and Associated Terms defines consequence and consequence management. Risks are the intersection of threats and vulnerabilities. Residual risks are those that remain after mitigating actions. To plan effectively, decision-makers need to know the consequences of various courses of actions. The residual risks influence the outcomes. The outcomes are best represented via consequence management cascading effects. Third- and fourth-order effects, or further, need to be well estimated for the best course of action to be chosen.
Information Warfare Is a Powerful Approach for Attaining and Maintaining a Competitive Advantage
The purpose of a business is to create value for its shareholders, and the purpose of a government is to provide for the common good. From a business viewpoint, being effective and efficient in current markets and opening new lines of business are key to sustained revenue generation and profits. From a national security perspective, we should expect the military, intelligence community, and law enforcement to develop and use capabilities to maintain sovereignty, create and sustain peace and economic prosperity, and ensure public safety from criminals and monopolies. These entities cannot survive by insulating themselves. They must embrace, within their value system, whatever it takes to go beyond surviving to “thrive.”
How to Use IW to Achieve Goals and Objectives
Complexity interwoven across government, industry, and society presents a daunting challenge for IW. It is in the best interest of any government, business, and other organization to take prudent action to defend against information warfare attacks and to be able to launch them.
The advanced hacker breaks into online shopping exchanges, manipulates orders, steals merchandise, plunders credit card numbers—the modern-day pirate, highway robber, and Wild West outlaw. Those who would be part of the online shopping population come to expect this malicious behavior but are not dissuaded from shopping online.
Espionage, disinformation, physical destruction (normally permitted by law only for the military and law enforcement), and other actions are a means to an end. IW is a higher-level, cerebral activity. The target can be a population (the national will or a specific political, religious, or ethnic group), a despot, a general, or anyone in an organization. How, then, should IW be applied to industry? After all, is war not a declaration of Congress, Parliament, or other government entity? If a business is destroyed by an act of war or terrorism, it will not be remunerated by insurance. Is this a misnomer? By no means!
Because business is war, the principles of war normally associated with the military ought to be applied. These are not rigid, and their application is tailored to each use. Objective, offensive, mass, economy of force, unity of leadership, maneuver, security, surprise, and simplicity are generally recognized principles that will benefit any organization. Applying the principles to coherent and synchronized IW will produce a positive return on investment (ROI).
In the IT world, determining ROI is considered the Holy Grail. The problem of quantitative metrics for IW is orders of magnitude more difficult because of the many disciplines, many organizational levels, and sheer scope involved. Some prefer it that way because it allows them to hide behind classified information and black magic. If IW is to be successful, metrics are necessary. Existing traditional measures are a good start (e.g., how many probes did our intrusion detection system pick up?), but are not sufficiently expansive and precise. What is the value of a database? What is the value of that database after it has been successfully data mined? Because quantitative metrics have yet to be developed, qualitative ones will need to be used.
IW is an embracing approach, customizable to produce positive results in any organization and tailorable to meet the demands of the marketplace. By balancing tried and true capabilities with leading-edge technologies and concepts, IW remains a fresh and useful approach for achieving goals and objectives on the way to attaining and maintaining a competitive advantage.
Coherent Knowledge-Based Operations
IW for IW’s sake is senseless. IW must help countries achieve their national security objectives and help businesses attain their goals. When IW is combined with KM and how business is done, the combination provides a powerful capability. Applying IW with KM results in information superiority. When KM is applied to how business is done, situational awareness will result. Combining IW with how business is done delivers tactics, techniques, and procedures to attain a competitive advantage. The intersection of IW with KM and how business is done is coherent knowledge-based operations (CKOs). CKO enables a country or a business to attain and maintain a competitive advantage through the synchronization and coherent application of all of its capabilities in the extended IE.
Organizations dabble in many pop management fads. Well-intentioned or not, these often are stovepipe solutions that divert finite resources—people, money, and time—from the organization’s central interests and objectives. CKO brings together what appear to be several disparate components. Coherent means an orderly or logical relation of parts that affords comprehension or recognition. The parts are network-centric business (NCB) (how business is done), KM, and IW. When used in concert, their sum is far more powerful than the individual components, creating a powerful means of attaining and maintaining a competitive advantage. CKO can be used to execute and to survive IW attacks.
Network-Centric Business
We are told that we are in the Information Age, ride the information highway, and are part of the knowledge-based economy. We conduct electronic commerce, have electronic data interchange between computers, allow employees to telecommute and have remote access, and spend millions of dollars on websites to attract customers to buy products and services. Computers and robots are in the manufacturing plants, personnel and medical records are automated, and many of us participate in automated deposits and bill payments. If the computers stopped, not enough trained and skilled people could take over the functions in a manual system, and many businesses and government functions would quickly come to a halt. Computers, databases, and networks are as vital to a business as the circulatory and nervous systems are to your body. Computers and networks have become as ubiquitous as toasters, and network-centric appliances are in the works. The current generation of smartphones are the forerunners of tools with tremendous capability, limited only by human creativity. If you do not quickly gain control of your IE, doing so in the future will be exponentially more difficult—and expensive. The main advantage of controlling your IE is that your bottom line will improve.
There is no faster, more effective, or more efficient means to beat the competition than to use NCB. NCB allows an organization to take maximum advantage of its business processes: taking and placing orders, using the supply chain, conducting just-in-time production, and using distribution channels to field products and services. NCB leverages not only all the resources within an organization, but also its customers and business partners. They are all part of the solution set that drives the bottom line. The resources within the organization—people, money, and time—are finite, but can be effectively and efficiently allocated to provide optimal support to customers and to maximize the bottom line. [5]
Knowledge Management
KM integrates technologies, processes, and cultural changes to provide a means for well-informed, rapid decision-making via collaborative information and knowledge sharing by varied and dispersed organizations and individuals. KM tenets include support for organizational processes, tailored content delivery, information sharing and reuse, capturing tacit knowledge as part of the work process, situational awareness of information and knowledge assets, and valuation. KM enables an organization to be more agile, flexible, and proactive. The approach is ideal for integrating, for example, intelligence (e.g., economic and open source) and security (e.g., physical, personnel, and operations), sales and production, and research and development with business development. [5]
Summary
Information warfare is an embracing concept that brings to bear all the resources of a nation-state or business organization in a coherent and synchronized manner to control the information environment and to attain and maintain a competitive advantage and gain power and influence. Judicious use of IW, when coupled with KM and NCB, leads to reduced or avoided costs, increased revenues, more satisfied customers, and larger profits and national security. Governments and businesses can use IW offensively and defensively in the physical and virtual domains. Counters to IW do not have to be in kind; they can be no, low, or high technology, and they can be asymmetric. Not conducting IW will result in a reduced market presence and lower national security. Although the name may change over the years, IW will evolve from its nascent stage and become mainstream in 20 years. We projected that in 2002. We are in fact there already.
IW occurs when, in the physical and virtual domains, you attack your competition or they attack you. IW is about synchronized and coherent relationships and capabilities. As previously discussed, central to IW are those physical and virtual capabilities to control the IE.
CKO couples IW in a useful approach with KM and how the organization does business. Not only is the corporation’s IE engaged, the resources of its enterprise are brought to bear to use all its capabilities in a coherent and synchronized manner to seize as great a competitive advantage as possible. In this fashion, a country can call on its allies and coalition partners, and a business can call on its suppliers and business partners so as much knowledge and as many capabilities as possible can be brought to bear.
Note
The information presented in this chapter was liberally quoted from the author’s coauthored book with Dr. Andy Jones entitled Global Information Warfare, second edition, and used with the kind permission of CRC Press, who published the book.