It used to be that the side with the most bullets won the war. In the high-tech age, however, the victory will go to the side best able to exploit information and information systems—here, in the combat direction center on board the carrier America (CV-66).
The last few hundred years have witnessed numerous revolutions in military affairs. More often than not, these revolutions are initiated by a new technology. Someone then finds an innovative way to apply this technology on the battlefield. When the technology and its application are proved successful, military organization is changed to accommodate them. For example, in the early decades of this century, air power developed from a curiosity to a major new war form. Similarly, the development of nuclear propulsion after World War II resulted in entirely new forms of submarine warfare.
We are at the dawn of yet another revolution. The ongoing technology explosion, particularly in data processing and communications, is challenging the way we view combat. During the industrial age, warfare was mechanized and organized along industrial principles; the side that could produce the most bullets won. The rise of the information age, however, means that we must review our theories in terms of a new concept: information warfare.
There is no universally agreed-upon definition of information warfare. An underlying foundation of most definitions is that information warfare is conflict in which information is the resource, the target, and the weapon, all at the same time.
Information has a number of characteristics that differentiate it from other types of resources. The primary one is that information has a virtual, not a physical, existence. You can’t touch it like a bullet or a bomb, nor can you really quantify or qualify it. It is an infinite resource: it can exist in many places at the same time, and the same information can be used by both sides in a conflict. Information is also nonlinear: while volumes of data may have no effect, one tiny piece can change the course of history, and a significant tactical or strategic advantage that took years to develop can evaporate in an instant. Although a lot of attention has been focused recently on high-tech developments, information itself is a separate entity from technological applications.
Because information has a virtual existence, it follows that some information warfare can take place in the virtual arena. Information systems, however, have a physical existence, so some information warfare will take place in the physical realm. This gives antagonists the option of using virtual or physical, lethal or nonlethal, strategies. Nearly everybody—military and civilian—has engaged in some form of information warfare at some point.
To help put this nebulous concept in more concrete terms, we can start with the current Joint Staff definition of information warfare:
Actions taken to achieve information superiority in support of national military strategy by affecting adversary information and information systems while leveraging and protecting our information and information systems.
This definition contains a number of subtle, but key, points:
- It differentiates between—and encompasses—information and information systems. Information itself (the data points, analyses, photographs, and so on) is considered as a separate entity from the medium in which it is presented.
- It includes all kinds of information and information systems. Data in a computer represent a type of information; printed material is another. Information systems often are thought of as computers, but they also may include such things as an operator sitting at the keyboard or a public library with hard-copy publications.
- It includes many different kinds of activities. Screening discs for computer viruses, jamming a radar, encrypting radio transmissions, and bombing a communications relay center: all are intended to protect or attack information or information systems.
- It includes both offensive and defensive procedures. It is important not only to affect the enemy’s information and information systems but also to ensure that our own assets are protected from attacks.
- It is not limited to the military. Although taken in support of the national military strategy, the “actions” are not necessarily conducted by the military, nor aimed at military targets. For example, public support is crucial to the success of any protracted campaign, and the campaign’s supporters and detractors will fight in newspapers and on television to affect that support. Also, other government agencies such as the Departments of Transportation, Energy, and Justice will have vital roles to play in influencing the conduct and outcome of any conflict.
Command-and-control warfare is a term often used interchangeably with information warfare. They are different, however. The Joint Staff definition of command-and- control warfare includes the use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence. Clearly oriented toward military action, it is not nearly as broad as information warfare. All command- and-control warfare functions, however, are included in information warfare; it is, therefore, a subset of information warfare.
Information warfare applies to all aspects of competition, from economic or political skirmishes to all-out war. Like it or not, our enemies will use nonmilitary information warfare against us. We must be prepared to defend against those attacks and to coordinate friendly actions.
Within information warfare there are a number of different specific activities. First, data must be collected, then processed into some usable form of information. This information must be communicated to the appropriate entities. Offensive information warfare acts may or may not be attempted. Simultaneously, our own information and information systems must be protected from any outside interference.
Information Collection
Over the years, we have developed a remarkable number of highly effective data-collection systems. Some, such as an Aegis radar system, are overt. Others operate more covertly, while still others are not usually considered as collection systems.
Tactical systems—such as radar, sonar, and electronic surveillance systems on ships and aircraft—have provided the backbone of data points for frontline naval forces. Increasing integration with Air Force and Army assets is expanding both the breadth and depth of data available for tactical forces. This growth affects all services: a carrier task group is now more aware of ground-based targets, and the Army and Air Force now have access to more information about maritime threats.
National intelligence systems play a pivotal role and can provide a flood of raw data points, some of which now can be issued in near real time. New developments will increase this volume several-fold over the next decade. While some systems provide data on everything they detect within an area of interest, others have focused on improving their selectivity and flexibility to zero in on particular targets.
Open-source information also is becoming much more important. Publications such as Combat Fleets of the World, Jane’s Fighting Ships, and Aviation Week have long been a staple of libraries afloat, but the real potential of unclassified sources is only now being tapped. Cable News Network, for example, gained prominence during the Gulf War and occasionally provided war fighters with live, combat-useful information. Over the last few years, the Internet has played an increasingly vital* role in the economic, political, social, and military worlds.
Our support systems, such as supply and logistics, personnel, and medical records, are not usually thought of as data collection systems. Yet with the increase in automation and communication over the last decade, they are becoming tremendously efficient at capturing vital information. The civilian world is extremely adept at using this sort of tool. For example, your last credit card statement is probably reflected in the records of several independent credit reporting firms. The information in these data bases and the information exchange systems that are growing up around them represent a new type of threat that must be considered in any effective information warfare strategy.
These and other information collection systems, both military and civilian, are providing increasing amounts of data. While these new systems provide us with more information on which to base our decisions, they also provide our opponents with new entryways through which they can access, copy, corrupt, or destroy our data or data about us. In information warfare, as in any activity, new capabilities carry with them new vulnerabilities.
Information Processing
“Finding the right piece of information, analyzing it correctly, and getting it to the right customer in time are turning out to be bigger problems than collecting it in the first place. ”—Alvin and Heidi Toffler, 1990
Combat information centers, flag plots, and similar spaces are usually flooded with data. The overworked operations specialist, intelligence specialist, or cryptologic technician at the front end simply does not have the time or tools to sort through the firehose streams of data from multiple sources. As a result, golden nuggets of information that could make all the difference in a tactical situation often are not discovered until after the fact, if at all.
Fortunately, there are a number of efforts under way to begin to address the problem. On the technical side, for example, the Copernicus architecture has institutionalized the concepts of interoperability and rapid development. The old stovepipe approach finally is being reduced, if not abolished. We are making significant strides toward full interoperability with the other services and with supporting agencies. For the information warriors, this will result in significant improvements in the ways they access, manipulate, and use information.
Most data-processing systems these days rely on advanced and complicated software. Software, however, has a significant and fundamental problem with bugs. A “bug” can range from a coding error, to a feature used in a different way than originally intended, to a deliberately planted bomb. Virtually all programs have them, and the longer, more complex, and more involved an operating system or a program is, the more bugs it will have.
Complicated computer systems, with their attendant bugs and “undocumented features,” have several important effects in information warfare. First, there will always be openings to break into systems, bring down systems, and confuse systems. Second, our own hardware and software will contain errors that affect our data processing results, even without enemy interference. Third, deliberately planted bugs may or may not be detectable. Fourth, it is impossible to completely test the systems we design for errors, and we cannot be 100% sure that our systems will work correctly.
Thorough software development takes a long time to ensure adequate performance and security. Many users believe it takes too long, and that by the time the product is released it has become obsolete. The concept of “rapid prototyping” was introduced to answer this concern. Rapid prototyping essentially moves a relatively untested beta system to the users for early evaluation and testing. This may have significant benefits (Joint Surveillance/Target Attack Radar System [JSTARS] and Tactical Information Broadcast System [TIBS] are examples from the Gulf War), but more often than not the early prototypes result in frustrated users crying out for a system that doesn’t crash, is user-friendly, and can be supported. Untested systems are also unsecured systems: the more prototypes in the field, the more holes in our data defenses.
Communications
One of the advantages of the ongoing technology explosion is that we have an increasing variety of methods to connect people, organizations, and forces. Advances in satellite and radio communications are providing afloat forces with more channels, more throughput, and more security. Networks such as office Local Area Networks (LANs), the Internet, and INTELINK have created a whole new paradigm in connectivity between people and organizations. Cellular systems are proliferating in the civilian world and are being developed for strictly military purposes. More communications tools mean that we can better choose the ones we need for each specific application.
System interoperability is getting increased attention. Just a few years ago it was difficult, if not impossible, for a joint task force commander on a Navy ship to communicate with his Army troops ashore. Now systems are being developed and fielded to correct that.
One thing that has not changed is that user demand for throughput is always at least twice what is available. New developments such as increased fiber optic installations ashore and new super high frequency (SHF) applications afloat and in the field are providing bigger pipelines to carry our data. Even high frequency (HF) is seeing a resurgence. Frequency-hopping radios, packet-switching systems, and other developments are stuffing more and more bits of data onto the same old airwaves. However, as communications systems provide more capacity, users are trying to cram even more data through them. The bottom line is that communications pipelines are growing, but user demand is growing faster still.
Maintaining the security of our communications systems always has been a high priority. Advances in cryptographic technology are putting more secure and easier-to-use systems into the fleet. Secure telephones such as STU-3s are on more and more desks. Computer security is an especially hot field. The CLIPPER chip provides strong security for computer communications, albeit with a crypto key that would allow authorized parties to read encoded files under certain conditions. Industry worldwide has responded with alternatives, such as Pretty Good Privacy, which are hard even for supercomputers to crack. These developments have a hidden cost, however: basic communications security awareness tends to be lost in the rush for new equipment. If security systems are not used, they cannot provide protection.
Offensive Information Warfare
There are a number of different types of offensive attacks in information warfare. One of the most basic is theft. Data theft is particularly insidious in that a victim often does not know his information was stolen until after the fact, if at all. A common example is credit card fraud, but others include copying databases, listening in on telephone calls, and going through the trash in search of useful information. Theft of services, such as computer time or long-distance telephone calls, is another example. Physical items can be “acquired” for purposes such as reverse-engineering a weapon to discover its weaknesses.
Information corruption is a different type of attack in which an opponent alters or damages your information. Closely related is spoofing, which is a very covert form of corruption. While corruption can be haphazard, intended to cast doubt on the veracity of a large body of information, spoofing is more carefully planned to ensure the victim retains trust in the information even though it is wrong.
Disinformation is yet another kind of attack. This can be done by providing totally false information, by providing carefully selected bits of true information, by spin control, or by other techniques. It does not necessarily require access to the opponent’s information or information systems. The disinformation about the amphibious invasion plans during the Gulf War is a good example of a military application.
Data destruction is an overt form of information warfare. It can be achieved by a variety of means, from wiping out a computer disc to total destruction of a building.
The last major category of information attack is denial or interruption of service. Cutting a telephone line, shutting off power to a particular computer, and jamming a radio frequency are all examples. If information cannot be accessed, used, or communicated, it is worthless. This approach formed the basis of our strategy in the Gulf War.
Protection
An information society faces a huge challenge in protecting its information assets from losses, both deliberate and accidental. All aspects of friendly information acquisition, processing, and communication must be secured. The physical information systems and infrastructure must be protected from damage, outright theft, and misappropriation. Data must be protected from theft, destruction, or alteration. Virus checks and other security measures must be performed on software. Communications must be secure from interference, interception, interruption, or denial. Defensive information warfare, in short, must anticipate all possible ways that our information can be attacked, and then try to put protective measures in place.
Offensive information warfare, by contrast, only has to find one chink in an opponent’s armor.
As our potential adversaries become more sophisticated, we become more and more vulnerable to information attack. We spend billions on high-tech collection, processing, and communication systems, but our budgets for information security often are very small. Security measures don’t contribute much to business profits or to military readiness, but they are the only things standing between our extremely valuable information and our opponents.
In the mid 1980s, a young computer hacker in Germany broke into a number of U.S. government, military, defense, and university computer systems. He was not a computer genius; in fact, he had only a fair working knowledge of UNIX and a plodding, mechanical approach. But by diligently applying known holes in the UNIX system, using default or commonly used passwords, and trying different approaches until something worked, he gained access to a lot of information—which he then sold to the KGB. His story does not paint a very pretty picture of information security.
Unfortunately, the situation has not really improved. The Defense Information Security Agency (DISA) conducts vulnerability studies of military and government computer systems. Their figures are truly alarming: 88% of defense computer systems are easily penetrated. Of the successful penetrations, 96% are not detected. Even worse, 95% of the detected penetrations are not reported or responded to. Even when an intrusion is detected, it is usually impossible to determine who did it. DISA studies indicate that there were possibly 300,000 intrusions into government computer systems in 1994 alone.
This does not mean that the game is over and we have lost. Security measures exist that can improve our chances of maintaining control of our information and computer systems. The commercial information security industry is continually inventing or updating tools such as firewalls and data encryption algorithms. All the services have data security policies and procedures that, if followed, will reduce a system’s chances of being penetrated. The key is to have a sharp, aggressive system administrator, an effective training program for everyone with access to the system, and command support. These three items will do more to protect an organization’s data and computer systems than any expensive technical installation.
Information Warfare Issues and Impact
Information warfare is extremely broad in scope. It can be waged against entire nations or cultures or it can be used to attack specific government, military, or business organizations. It also can be used on a micro scale against single computers or specific individuals.
On a large scale, information warfare attacks can be made against the very foundation of a nation. Bringing down the New York Stock Exchange, even for a short while, would have worldwide ramifications. Wall Street is not the only lucrative target: municipal power grids, telephone exchanges, and the FAA’s air traffic control computers are other examples.
Specific organizational entities can be targets of informational blitzkriegs. Recently the National Rifle Association launched a propaganda campaign against the Bureau of Alcohol, Tobacco, and Firearms. This particular battle was fought largely in the media, but information wars can rage in business meetings, in diplomatic overtures, or in stealthy computer hackings, far from the public’s eye.
Finally, specific entities, such as computers, data files, or even individuals can be targets. A hacker can gain entry to a computer and copy, alter, or delete files as he chooses. An individual’s credit history can be altered or personal details (true or not) leaked to the press. One wrong word to the Defense Investigative Service and an individual’s security clearance can be pulled for months or forever.
Information warfare is not clean, antiseptic, or impersonal. It is a struggle over accurate data points, personal knowledge, and even societal values and beliefs. If these are destroyed, or even attacked, there will be effects for all involved. As in other forms of warfare, everything is at stake, and anything can be damaged.
Military Impact
Within the military, information warfare raises some new and disturbing questions. What, for example, is an “informational act of war?” How do we know we’ve been attacked in such a manner that a military response is necessary? What is information battle damage and how do you assess it? Who is the commander-in-chief for cyberspace? These and other issues are being hotly debated, and there are no definitive answers to any of them yet.
At this stage, our national posture on information warfare is like a big jigsaw puzzle. There are thousands of small, interrelated pieces, many of which have been put together, but we do not have the overall picture (a national information warfare policy) to guide our efforts. As a result, the services are charging forward with their own best guesses as to how it should be done.
Currently, the three most important issues are doctrine, organization, and training. Because military doctrine flows from national policy, we probably won’t have a firm doctrine for some time. However, we have created rough mockups from which to work. All services and the Joint Staff have drafted their own specific information warfare guidelines. Existing programs are being consolidated and expanded incrementally, with an emphasis on improving our own collection and use of information, as well as influencing or degrading an opponent’s information. We will need to expand our workings with other governmental agencies in the near term. As our understanding of information warfare improves, doctrine will be revised.
An effective organization is probably more important than technology in creating and implementing sound information warfare actions. In the information age, the dominant organizational model is the network. Traditional military hierarchies and the network forms have very different strengths and vulnerabilities. Reports of the death of hierarchies are premature, but the military must consider ways to respond and adapt to this organizational challenge.
The third issue is training. Most current generation info warriors are self-taught. New courses are coming on line now (e.g., such as at the National Defense University), but there must be training for all ranks—from senior officers to junior enlisted technicians. The services have all created their own organizations that are charged with planning and developing information warfare doctrine, capabilities, and training. Exercises such as Kernel Blitz ’95 are testing information warfare techniques and theories and this trend should continue.
Conclusion
Information warfare encompasses things from well-established warfare specialties to Buck Rogers-like technologies. At its core, however, it’s not really about technology at all. Rather, it is a different approach to conflict that uses information as resources, weapons, and targets. This approach is now making heavy demands on the services. To make the most of information warfare, an entirely different way of thinking, planning, and operating is needed. Only by considering information as a separate realm, and by encompassing all its different aspects, can we grow in our capabilities.
In the industrial age, the most powerful industrial nations attained supremacy. Those who couldn’t—or didn’t— adjust either died out or became backwater countries. The same will be true in the information age. If we do not become the preeminent information power, then all our carriers and all our submarines and all our aircraft will be of no consequence. Information warfare is our future.
Commander Rohde is a cryptologist at the Naval Security Group Activity at Fort Meade, Maryland.