Blaise Cronin
"O, what a tangled web we
weave,
When first we practise to deceive."
Sir Walter Scott
Introduction
Let me start by saying that this lecture is an example of the
panoramic tutorial genre. I want to introduce you to the concept of information warfare
(IW) and its various derivatives, provide you with some working definitions, isolate the
construct's defining elements, illustrate some of the ambiguities, and furnish a
brief historical context before moving on to show how the principles of IW are being
applied well beyond the traditional battlefield, or battlespace as it has come to be known
in the age of virtual warfare, in ways that have the potential to affect the lives of
almost everyone in this auditorium, to a greater or lesser extent. My ultimate focus will
be the nexus of social, political, ethical, and juridical issues associated with the
theory and practice of information warfare broadly conceived and widely enacted. This
seems appropriate, given that the Epixtech Lecture Series has as its explicit focus the
information society and the grand themes that swirl around that notion. One of the reasons
I have chosen IW as my topic is precisely because it was largely overlooked, or
unanticipated, in much of the early academic literature on the emerging information
society. Even Daniel Bell's (1973) magisterial The Coming of Post-industrial
Society makes no mention of the military or civil implications of information warfare
or information terrorism. Moreover, in the extended foreword to the special anniversary
edition of his book which appeared in 1999, there is no material discussion of these
issues and related developments. Indeed, Bell (p.375) mentions the military only when
analyzing the social structure of post-industrial society in terms of estates (i.e.,
professional groups) and situses (i.e., institutional locations such as government
and the armed forces).
Not only is information warfare a credible candidate for grand theme
status, but it is also a subject that will have an impact of some kind on almost all the estates
and situses identified by Bell. Indeed, information warfare constitutes a powerful
lens through which to view the emergence in contemporary society of what he has termed
"intellectual technology." Simply put, an intellectual technology entails
"the substitution of algorithms (problem-solving rules) for intuitive judgments"
(p.29). Translating that to the world of military affairs, we might say that brainpower is
being substituted for brawn; mips (millions of computer instructions per second) for
muscular might.
Caveat Lector
The residually clandestine nature of my subject, one which has
potentially profound national security implications, necessarily requires that I raise a
red flag: I am not a Pentagon insider, nor a former denizen of GCHQ (Government
Communications Headquarters), Cheltenham; I have no first-hand experience of military
affairs, nor privileged knowledge of the penumbral world of the sprawling U.S.
intelligence community; nor, for that matter, am I a closet hacker. However, there is a
superabundance of material on information warfare available in the public domain for
anyone interested in its genesis and geo-strategic significance in the post-Cold War era,
including studies from influential bodies like the RAND Corporation (Arquila &
Ronfeldt, 1996; Molander & Riddile, 1996). In addition, many reports are made freely
available by the various branches of the U.S. armed forces, the Joint Chiefs of Staff, and
war colleges (e.g., National Defense University, see: http://www.ndu.edu/). By way of
illustration, the complete text of the Joint Doctrine for Information Operations (October
1998) produced by the Joint Chiefs of Staff (its IW bible, in effect) is Web-accessible,
along with numerous other related publications, and is a good starting point (see: http://www.dtic.mil/doctrine/jel/operations.htm).
Although the term information warfare has wide currency
both within and outside the military and defense communities, it is only one of many
neologisms in vogue: functional synonyms include cyber-war, digital
warfare, netwar, netcentric warfare, softwar,
and software warfare. Related material will be found under the rubrics
net-terrorism, information terrorism, and cyber-crime,
to name but three of the expanding array of cognates. Much information can be garnered
from open sources, notably the Internet and World Wide Web (e.g., http://www.infowar/com;
http://www.psycom.net/iwar.1.htm), as well as a growing number of scholarly journals across a range
of academic disciplines (e.g., Boulanger, 1998; Center for Strategic and International
Studies, 1998; Cronin, 2000; Cronin & Crawford, 1999a, 1999b; McCrohan, 1998; Power,
1998; Studies in Conflict & Terrorism, 1999). From all of this, one can, with
due diligence and careful reading, construct an ostensibly credible picture of current
thinking on information warfare, cautiously define the threat spectrum (the
what?), identify generic sources of, and motivations for, attack (the
who and why?) and modes of defense (the how?), and
speculate plausibly on the wider societal implications. In short, even though I do not
know everything I need to know to speak with authority, I hope that I can provide you with
a critical deconstruction of "postmodern war" (Gray, 1997), such that you can
appreciate more fully the plausibility, plasticity and portability of the construct.
Structure
I have two main objectives: the first is to demonstrate how
information warfare (and remember that I am using an expansive definition of the term) is
being progressively domesticated, that is to say, manifested in the everyday
lives of ordinary citizens (Cronin & Crawford, 1999b). The second is to show how IW
democratizes warfare by dramatically lowering the cost of entry: in short, the
ability to launch a cyber-attack is much less closely linked to a would-be
aggressor's size, mass, strength, or military sophistication than is the case with
most forms of conventional warfare. Today, almost anyone can aspire to be an information
warrior, if they so choose. Indeed, the lexicon of IW is no longer the prerogative of the
military and national security agencies; it has been enthusiastically appropriated and
adapted for local use by diverse constituencies, including computer scientists, business
leaders, social activists and political theorists. By way of illustration, Boeing, the
world's largest aerospace company, recently declared its intention to position itself
as the global leader in the development of a "network centric" warfare
infrastructure for high-tech battle management (Gates, 2001), a far cry from its core
business activities.
This talk has four parts. Section 1, The origins of information
warfare, provides a brief outline of the so-called Revolution in Military Affairs
(RMA) and a sense of how rapid advances in computing and communication technologies have
begun to transform long-established assumptions about the prosecution of war and the
nature of the digital battlespace. The rhetoric and sanitized imagery increasingly
associated with information warfare are critically examined in the light of recent
conflicts and related media coverage and reaction.
Section 2, An information warfare typology, offers an
overview of the various modalities of information warfare. It both acknowledges the
considerable pedigree of certain classic forms of information warfare (e.g.,
black propaganda, psychological operations, otherwise known as
psyops) and shows how these conventional methods can be powerfully augmented
by the use of high-technology tool-sets and the mass media.
Section 3, Asymmetrical conflict, introduces the defining
features of information warfare (e.g., low entry cost, stand-off) from both the
attacker's and the target's perspective. Various types of offensive warfare are
outlined, and associated defensive strategies described. I also consider the nature,
intensity, and credibility of different threat scenarios, whether opportunistic, tactical,
or strategic, in different sectors, or situses (e.g., business, academia). Threat
assessment covers motives, means, and opportunity, and also takes account of available
sanctions and their likely deterrence value. I describe a variety of defensive actions and
policies, both technical and social, including security audits, interdiction measures,
asset assurance, and cyber-forensics.
Section 4, Pandemic information warfare, reviews the
available evidence to assess the extent to which information warfare and information
terrorism (e.g., cyber-stalking, criminal fraud, digital defamation) are having or will
have an impact on the daily lives of individuals and groups. I shall also consider the
various social actors (e.g., hackers, cyber-criminals, advocacy groups, sub-state
radicals, ethno-nationalists), their driving motivations, which can range from
civic-mindedness to ideological terrorism, and the techniques at their disposal in an age
of global internetworking. Finally, I shall offer some observations on the negative
externalities and possible longer-term social costs associated with the conduct (and
containment) of information warfare and information terrorism in the civil sphere.
The Origins of Information Warfare
Technowar
In an age of pervasive computing (e.g., global networks), smart
weapons systems (e.g., laser-guided missiles), sophisticated reconnaissance platforms
(e.g., spy satellites), and real-time surveillance systems (e.g., imagery intelligence),
the concept of information- or intelligence-based warfare (IBW) has moved center-stage in
the curricula of leading military academies and well beyond (Adams, 1998; DeLanda, 1991;
Diamond, 2001; Libicki, 1995; Toffler & Toffler, 1993). It has certainly gripped the
imagination of the media and many technology pundits. Unfortunately, armchair viewing of
arm's-length battles (think, for instance, of the broadcast coverage of the Gulf War or the
recent conflict in Serbia and Kosovo) creates a simplistic, if attractively packaged, idea
of what information age warfare entails. As U.S. Air Force General Richard Myers, Vice
Chairman of the Joint Chiefs of Staff, put it in a Pentagon briefing (Reuters report,
January 5, 2000, available at: http://www.inforwar.com):
If you can degrade an air defense network of an adversary through
manipulating ones and zeros, that might be a very elegant way to do it as opposed to
dropping 2,000-pound bombs on radars.
The progressive elision of mutilated bodies and human
suffering from much of the media's reporting frame is, of course, a traducing of
actuality. By focusing on the highly visible paraphernalia of virtual warfare and by
subscribing to the "discourse of technowar" (Gray, 1997, p.161), with its surgical
strikes, collateral damage, and soft kills, one can all too
easily fail to appreciate the multivalent and socially ramified nature of the phenomenon.
For instance, a software-based attack on a country's national grid or banking system
will have numerous secondary effects which may not garner headlines in the way that a
concerted and pyrotechnically-gripping missile attack on a critical military asset will.
Disrupted electricity supplies may mean that intensive care units in pediatric wards cease
to function, with life-threatening consequences. The silent deaths which result will be
less immediately arresting in terms of their media impact, but these indirect victims are
still victims: casualties of a new kind of low-intensity, high-technology warfare.
Overall, the human suffering associated with strategic (offensive) information warfare of
this kind is likely to be less overt than with conventional warfare, and, thus, less
difficult to manage politically. At least, that is the assumption. However, absent
compelling, documented evidence of a systematic and strategic-level IW offensive, or a
credible threat of such, and its concrete consequences, something which skeptics feel is
lacking, we are still largely in the realm of speculation, and should therefore resist the
temptation to draw fanciful conclusions.
Anchor Definitions
What exactly is information warfare? The Joint Chiefs of Staff
define IW as follows (see: http://www.dtic.mil/doctrine/jel/operations.htm):
actions taken to achieve information superiority by affecting
adversary information, information-based processes, information systems, and
computer-based networks while defending one's own information, information-based processes,
information systems and computer-based networks.
Two points should be stressed: first, the breadth of the target
spectrum, which ranges from information content through information processing operations
to information technology (the full range of assets, from hard to soft) and, second, the
fact that the definition, as we shall see, can be applied with little or no modification
to non-military contexts, business being a case in point. This observation can be made
about Alger's (1996, p.12) crisp working definition:
Information warfare consists of those actions intended to protect,
exploit, corrupt, deny, or destroy information or information resources in order to
achieve a significant advantage, objective or victory over an adversary.
More succinct still is King (1996), who defines IW
as:
a conflict between two parties where IT is the primary means
of obtaining a defensive or offensive advantage.
Importantly, all three definitions acknowledge both
the offensive and defensive nature of information warfare, while also focusing on the
implicit goal of achieving systematic superiority or advantage over one's adversary,
which is, of course, the essence of competitive strategy, whether in the business, social,
political or personal realm. Clearly, these three definitions can be applied legitimately
to contexts other than war: in fact, the lexicon and analytics of information warfare have
already established firm footholds in the worlds of commerce, international relations, and
advocacy politics. More specifically, the tools and techniques of information warfare are
being adapted for non-military purposes (e.g., political activism, civil disobedience),
and as a result we are beginning to see an altering of certain established social
relations and power dynamics within society at large.
The Revolution in Military Affairs
From the earliest times, information and intelligence have played an
important role in the conduct of war (Handel, 1995). Military history contains many
examples of how intelligence breakthroughs, such as the well-documented cracking of
Germany's Enigma cipher by British scientists at Bletchley Park during World War II,
significantly altered the course of events. Signals interception and propaganda campaigns,
two of the earliest forms of electronic and information warfare, respectively, have
acquired a fresh significance as a result of recent advances in computing, communication,
and surveillance technologies. Increasingly, electronic or signal intelligence can be fed
directly into the battle zone, directing weapons systems and digitally-augmented war
fighters in real-time (Adams, 1998). This is typically referred to as
information-based warfare (Libicki, 1995), the goal of which is to achieve
dominant battlespace knowledge (Johnson & Libicki, 1996).
The so-called Revolution in Military Affairs has required military
analysts and historians to reconsider some fundamental assumptions about the prosecution
of war, the attainment of strategic surprise, and the nature of the digital battlefield
(Campen, Dearth & Goodden, 1996; Herman, 1996; Davies, 2001). Herman (1998) has
characterized prevailing thinking on the RMA thus:
The revolution is held to rest partly on the capabilities for the
use of precision weaponry and control of one's own forces (in military terms,
Blue), but also and perhaps more significantly on a technological
transformation in the gathering, processing and exploitation of information on
Red: the enemy and his environment.
If an attacker can achieve dominance over an
adversary as a result of information superiority, then the need for traditional forms of
engagement, with the inevitable loss of life and physical destruction, may be
significantly reduced, if not, ultimately, eliminated. The admittedly far-fetched prospect
of sanitized, post-human cyber-warfare, conducted in a virtual battlespace, entirely
replacing conventional warfare holds understandable appeal for both military and political
leaders. Live images via CNN of body bags being returned to U.S. soil measurably weaken
(as opinion polls have tellingly shown) the public's resolve, no matter how
strategically or humanitarianly compelling the justification for military intervention
overseas. Thanks to the sophistication and relative ease of use of current information and
communication technologies (ICTs), the management of imagery and emotions (think of
Somalia and the globally-televised ignominy experienced by U.S. ground forces in Mogadishu
despite the much greater casualty rate they inflicted on the local warlords) has become a
key aspect of contemporary information warfare, sometimes referred to, in its more exotic
manifestations, as "neo-cortical" or "epistemological warfare"
(Szafranski, 1994), and one that does not call for massive military muscle.
Perception-based warfare can be conducted on a much more level playing field than most
other aspects of a traditional military campaign, thereby to some extent eroding kinetic
force advantage.
An Information Warfare Typology
Offense and Defense
Information warfare can be offensive or defensive, though,
understandably, the former has attracted the lion's share of the attention. It may be
a stand-alone activity, or a precursor of, or complement to, conventional military
operations. Offensive information warfare comes in various guises. At its most pedestrian,
IW involves the targeting of physical assets with the goal of destroying or diminishing by
bombing, for example, critical elements of the enemy's command, control,
communication, computer and intelligence (C4I) capability. Alternatively, the goal may be
to infiltrate imperceptibly an adversary's information systems in order to corrupt
the information content or significantly degrade the system's performance. The target
may be a military computer cluster or, equally, a component of the civil/national
information infrastructure.
Defensive information warfare is concerned with threat assessment
(who has the technical means, motive and opportunity to launch an attack?) and threat
containment (how can the risk of attack be minimized, the threat preempted?). Simply put,
the objective is to reduce the risk of incursion by outsiders and simultaneously reduce
the organization's vulnerability to corrupted insiders (fifth columnists
within the fold), the source of many attacks. Defensive information warfare has both
technical and social aspects. Technical dimensions of defensive information warfare
include robust firewalls, strong encryption, integrity testing and cyber-forensics
(digital detective work following a hack/attack). It can also include hiring ethical
hackers (often individuals with a military background) or, alternatively, former
hackers to act as security consultants, an information age instance of the poacher turned
gamekeeper. However, the latter practice is frowned on in some quarters (Murphy, 2001).
Social factors include risk assessment, education and training. Finally, it may also
include counterintelligence activities designed to prevent routine security lapses and
make break-ins by external groups or unauthorized insiders harder to achieve.
The Spectrum of Possibilities
Let me propose a fairly straightforward information warfare typology
to help clarify the issue (see Table 1):
Level one IW, a staple of industrial age warfare, seeks to
damage or destroy the equipment (tangible assets) associated with command, control and
communication functions (e.g., computer systems, data networks) through the use of brute
force. This is not, strictly speaking, an instance of softwar or
software warfare, and probably should not be included under the IW rubric.
Level two IW seeks to prevent the selected target from
operating effectively by, for instance, launching a denial of service attack. This may
range from being merely irritating (defacing the Pentagon's or CIA's (Central
Intelligence Agency's) Web site, as has already happened) to mission critical
(cutting off computerized intelligence systems supporting troops in the battle theater).
Level three IW, typically, seeks to degrade or corrupt the
content of a target's information systems using some kind of malicious software,
occasionally called malware. An example would be hacking into the enemy's
logistics support system in order to induce performance degradation, or to destroy the
content of the system's constituent databases, such that the target's ability to
marshal physical assets in the operations theater was seriously impaired.
Level four IW involves infiltrating a target's
information resource base in order to conduct espionage and support intelligence-based
warfare, generic practices which have a considerable pedigree in military and diplomatic
history. It does not entail destruction or direct conflict between the opposing parties.
Level five IW entails silent penetration of a target's
systems to shape opinions, manage perceptions, or foster deception using digitally-enabled
techniques such as superimposition or morphing: are we, in fact, looking at Slobodan
Milosevic on TV; are those images of a downed American F-16 fighter plane real or digitally
mastered? In this instance, the aim is not to render the system inoperative or obliterate
the system's information content, but to play what might be termed mind
games, the kind of practices implied earlier by the phrases neo-cortical and
epistemological warfare. With this kind of softwar, the aim is to be silent
and invisible, leaving no external trace of the incursion and manipulation.
Table 1: Offensive Information Warfare Typology
| Type of IW | Primary Objective |
| Level 1 | Destroy tangible information assets |
| Level 2 | Achieve denial of service |
| Level 3 | Degrade information systems content |
| Level 4 | Infiltrate information systems |
| Level 5 | Engage in perception management |
In the digital battlespace, such actions may contribute appreciably
to the fog of war.
Tables 2 and 3 show some of the most common approaches for (a)
penetrating, and (b) manipulating a target's information systems, whether military,
civil, or personal in character. For a detailed review of both the technical and social
aspects of penetration, manipulation and information systems assurance, I would recommend
Denning (1999) and Meinel (1998), and for an engaging examination of the biological and
immunological metaphors used in discussion of computer viruses, Helmreich (2000).
Table 2. Methods of System Penetration
| System Penetration |
| Packet sniffers |
| Password grabbers |
| Password crackers |
| Password guessing |
| Social engineering |
Table 3. Methods of System Manipulation
| System Manipulation |
| Trojan horses |
| Logic bombs |
| Trap doors |
| Computer viruses |
| Worms |
Asymmetrical Conflict
New Rules
Today, the armed forces of many developed nations depend on
complex information and communications systems to function successfully from logistics
management through target selection, payload delivery and damage assessment to the conduct
of overt and covert psychological operations. On the one hand, this increases their
ability to achieve strategic dominance over less technologically-developed opponents while
conserving their key physical assets. On the other, their own high levels of information
systems-dependence make them vulnerable to militarily weaker opponents who nonetheless
have the skills to penetrate and degrade mission-critical ICTs. From the would-be
aggressor's perspective, its own weakly developed information systems infrastructure
may constitute a source of comparative advantage. Simply put, power and pregnability
co-vary: the more technologically sophisticated a target, the more vulnerable it is to a
surgical keystrike; the less information systems-dependent one's
opponent, the less one can do in terms of launching a cyber-attack, whether preemptive or
retaliatory in nature.
This, in turn, poses an interesting challenge when it comes to
determining proportionality of response. In theory, a group of determined hackers, whether
state-supported or autonomous agents, could wreak havoc on a much mightier foe. This axial
observation has given rise to the concept of asymmetric warfare, a
contemporary version of the David and Goliath story, where imbalances in payloads and
starting-ratios (to use the military terminology again) are no longer sufficient to deter
would-be attackers. It is this phenomenon which is implied by the phrase "the
democratization of warfare." That, though, is not quite the same as saying that a
group of hackers could bring a major power to its knees, even temporarily. Berkowitz
(2000a) has speculated on what an information warfare team might look like. He envisages a
force of professional network operators, backed up by an intelligence service (to probe
and penetrate the target) who coordinate with the conventional military commanders. An ad
hoc, or amateur, group of hackers, working in relative isolation, would be unlikely to
pass muster.
Attacker's Advantage
The attractions of information warfare from a would-be
attacker's perspective are not hard to grasp (see Table 4 for an indicative listing
of features).
Table 4: Defining Features of Information Warfare
| Asymmetrical payloads and starting ratios |
| Attacker typically invisible to target |
| Zero warning/latency |
| Swift strike advantage |
| Fluidity of attack mode |
| Ability to vary frequency and intensity of attack |
| Multiplier effects available to attacker |
| Scalability easily achieved |
| Target placed in reactive mode |
| Target has to contain collateral damage |
| Target's behaviors forcibly changed |
| Ethical and legal ambiguities |
From the military commander's perspective, a
host of critical issues (e.g., physical proximity to the adversary, terrain navigability,
logistical support) associated with conventional warfare, over which he may have limited
direct control, drop out of the combat calculus. In its extreme realization, postmodern
war can be conducted remotely and anonymously via computers and international
telecommunications networks. The ubiquity of computer networks and the low cost of entry (a
personal computer and modem are basically all that is required to engage in amateur
cyber-combat) make information warfare an extremely appealing and viable option for many
disgruntled individuals and groups well beyond the world of the military.
From the perspective of a cyber-attacker, be it a rogue nation or
guerrilla group, lack of armed forces and matériel may be partly compensated for
by the ability to launch a stealth attack, remotely, at the heart of the target's
information systems. To use a boxing analogy, the weaker opponent is able to punch
considerably above his weight. Indeed, the effect may be even greater than the results
produced by conventional modes of attack. As Laquer (1996, p.35) matter-of-factly notes:
"why assassinate a politician or indiscriminately kill people when an attack
on the electronic switching will produce far more dramatic and lasting results?"
From the would-be aggressor's perspective, information warfare
offers the prospect of swift strike advantage coupled with zero latency (i.e., no
warning). In other words, the target/victim has little or no sense of when the next attack
will come, from which quarter, what form and intensity it will take, and whether it will
be repeated. The ability to strike at variable intervals and with variable cyber-force can
induce considerable uncertainty in the target. Psychologically, the aggressor quickly
acquires the upper hand, forcing the victim to react, scramble to contain collateral
damage, and, in some cases, change established behaviors in an effort to deflect the
enemy. Further, there can be very real loss of sanctuary, as the private (logical) space
of the victim is penetrated. Unlike in conventional warfare, when the battle may be fought
in some remote corner of the globe without any immediate threat to the home population,
cyber-warriors are not held at bay by distance or land mass. There is no Maginot Line
blocking the advance: they bring the conflict to the desktop, which foregrounds the issue
of digital age homeland defense. The enemy is no longer offshore or at
arm's length, and out of sight is no longer out of mind. The invasion of one's
personal (virtual) space can induce a powerful sense of vulnerability, increasing the
attacker's advantage.
Legal and Ethical Issues
In the years to come, there will be much discussion of the legality
and ethicality of information warfare, as nations struggle to establish common
understandings and agree on international conventions for regulating the conduct of
virtual warfare. Consider the following illustration (a cyber-version of the false flag
scenario) put forward by Berkowitz (2000b, p.11):
For example, a bogus broadcast in which a "morphed" foreign
leader told his troops to surrender would be a crime, but only for the same reason
that attacking under a white flag is illegal: both actions abuse the communications
channels reserved for invoking a cease-fire.
Issues such as first-strike policy and proportionality of response
(two criteria of Just War theory and tradition), which were continuously present during
the standoff between the nuclear super-powers during the Cold War era, will resurface.
What justifies a preemptive IW offensive? What criteria must be satisfied to launch a
strategic IW attack? How much of the observed cyber-damage can be credibly attributed to
the attack (the classic problem, in military terminology, of establishing weapons
effect)? What is the threshold of evidence needed to warrant defensive IW action? What, for
instance, in the U.S. is the role of Congress and public opinion in shaping the
nation's IW posture and policies? Existing multilateral codes and conventions may in
some cases require emendation to take account of the special characteristics and
ramifications of strategic information warfare. Presently, both the Council of Europe and
the G-8 (Group of Eight) countries are actively addressing the need for multilateral
cooperation to deal with issues of cyber-crime (U.S. Department of Justice, 2000).
An example of the frustrations which can occur when country A is
unable to extradite or prosecute individuals in country B because "dual
criminality" (viz., the same laws applying in two countries) does not obtain happened
in 1992 when hackers from Switzerland attacked the San Diego Supercomputing Center. In
this case the U.S. authorities were unable to pursue their quarry because of lack of
common conventions (U.S. Department of Justice, 2000). Related to this aspect of
international law (viz., transjurisdictionality) is the issue of suprajurisdictionality,
where transactions or perceived transgressions occur in a legal void. As Clarke (1999,
p.62) notes:
The Internet creates the ability to contrive acts to take place in
undefinable or undiscoverable geographic space such that no courts (even of a powerful and
bold country) could convincingly claim jurisdiction.
In similar vein, Martin (2000) speculates that a
country without Internet laws against defamation could operate as a "defamation
haven" for groups and individuals committed to the notion of free speech.
Jurisdictional authority is not the only issue. There is also the
matter of moral warrant. An early illustration of the uncertainty regarding the legality
and perceived acceptability of IW was during the Serbian conflict when the Pentagon
vacillated on whether or not to engage in offensive information warfare (e.g., Power,
2000, pp.196-200). According to Berkowitz (2000b) U.S. commanders debated at length the
legality and morality of attacking the computer systems which controlled Serbia's
public utilities before deciding not to take the IW offensive. He also noted that during
the Gulf War (Operation Desert Storm) U.S. forces allegedly planted bogus data in
Iraq's air-defense computers by having troops tap into terrestrial phone lines.
Pandemic Information Warfare
Infrastructural Vulnerability
Although the idea of information warfare emerged from the
somewhat cloistered military and defense communities, it has wide-ranging applicability
(Cronin & Crawford, 1999b; Denning, 1999). With the growth of internetworking
technologies, the principles and practice of information warfare and information terrorism
have percolated to the civil sector. From a would-be aggressor's perspective (and this
could be any of the social actors I mentioned earlier), commercial targets and various
aspects of a nation's critical infrastructure (energy, transportation, banking, etc.)
are potentially more attractive and more vulnerable in some cases than military assets. In
the U.S. this awareness led to the establishment of a Presidential Commission and,
subsequently, of a National Infrastructure Protection Center (NIPC) which, to date, has
identified more than 5,000 public and private sites that are critical and vulnerable to
attack (Vise, 2001). The Center is housed within the FBI (Federal Bureau of
Investigation), an inappropriate location, it is argued by some (e.g., Berkowitz, 2000a),
given the Center's need to act as a command post for monitoring indicators and
warnings of IW attacks rather than as an agency which typically reacts to crime.
Given the potential vulnerability of elements of the critical
"econotechnical infrastructure" (Schwartau, 1996) to strategic disruption by an
IW attacker, there is a need to systematically address the issue of infrastructure surety.
"Information surety" comprises the issues of safety, security, reliability,
integrity and authentication surrounding complex systems (Robinson, Woodward &
Varnado, 1998). More specifically, an approach called "consequence-based
assessment" has been proposed to help understand and manage the critical elements of
potentially vulnerable complex systems. According to Robinson, Woodward and Varnado
(1998):
It begins by defining the consequences of disruptions, then by
identifying critical nodes - elements that are so important that severe consequences would
result if they could not operate. Finally, it outlines protection mechanisms and
associated costs of protecting those nodes ... it allows the costs of disruptions to be
defined independently of what causes the disruptions consequences.
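The three steps quoted above can be carried through on a small dependency model. The following is an added example, not part of the lecture or of Robinson, Woodward and Varnado's work; the node names, cost figures, threshold, budget and the greedy ranking rule are all constructed assumptions.

```python
"""Consequence-based assessment on a toy infrastructure model (constructed data)."""

# Constructed sample data; node names, figures and units are illustrative only.
# REQUIRES[node] is a list of requirement groups. A node keeps running while
# at least one member of every group is still running (a group with two
# members models redundancy, e.g. mains power OR a backup generator).
REQUIRES = {
    "grid_substation": [],
    "backup_generator": [],
    "telecom_exchange": [["grid_substation"]],
    "water_pumping": [["grid_substation"]],
    "hospital_it": [["grid_substation", "backup_generator"]],
    "payment_clearing": [["telecom_exchange"]],
    "rail_signalling": [["telecom_exchange"], ["grid_substation"]],
}

# Step 1: the consequence of each node being out of service (cost units per
# hour), stated without reference to what caused the outage.
CONSEQUENCE = {
    "grid_substation": 40,
    "backup_generator": 5,
    "telecom_exchange": 60,
    "water_pumping": 80,
    "hospital_it": 200,
    "payment_clearing": 150,
    "rail_signalling": 90,
}

# Step 3 input: assumed cost of protecting each node (same cost units).
PROTECTION_COST = {
    "grid_substation": 70,
    "backup_generator": 5,
    "telecom_exchange": 30,
    "water_pumping": 20,
    "hospital_it": 40,
    "payment_clearing": 50,
    "rail_signalling": 20,
}


def failed_set(initial_loss):
    """Return every node that stops once the nodes in `initial_loss` are down."""
    down = set(initial_loss)
    changed = True
    while changed:  # repeat until no further node is dragged down
        changed = False
        for node, groups in REQUIRES.items():
            if node in down:
                continue
            # A requirement group is unmet when all of its alternatives are down.
            if any(all(member in down for member in group) for group in groups):
                down.add(node)
                changed = True
    return down


def consequence_of_losing(node):
    """Total consequence of one node failing, including knock-on outages."""
    return sum(CONSEQUENCE[n] for n in failed_set({node}))


def critical_nodes(threshold):
    """Step 2: nodes whose loss costs at least `threshold`, worst first."""
    ranked = sorted(((consequence_of_losing(n), n) for n in REQUIRES), reverse=True)
    return [(name, cost) for cost, name in ranked if cost >= threshold]


def protection_plan(budget, threshold):
    """Step 3: fund critical nodes by consequence averted per cost unit.

    Greedy and single-failure only: a simple prioritisation, not an optimum.
    """
    candidates = sorted(
        critical_nodes(threshold),
        key=lambda item: item[1] / PROTECTION_COST[item[0]],
        reverse=True,
    )
    plan, spent = [], 0
    for name, _cost in candidates:
        if spent + PROTECTION_COST[name] <= budget:
            plan.append(name)
            spent += PROTECTION_COST[name]
    return plan, spent


if __name__ == "__main__":
    for name, cost in critical_nodes(threshold=150):
        print(f"{name:18} consequence if lost: {cost}")
    print("funded within budget 120:", protection_plan(budget=120, threshold=150))
```

Because the hospital node has two alternative power sources in this model, losing the substation alone does not take it down, which is why redundancy lowers a node's ranking without any reference to the cause of the outage.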
The fears which led former President Clinton to
establish the NIPC and gave rise to the now commonplace rhetoric of "an electronic
Pearl Harbor" are not universally shared. Smith (1998), for instance, has labeled
many of these concerns "computer-age ghost stories" and maintains that many of
the frequently cited and recycled tales and statistics on computer incursions are often
inaccurate, misrepresented or inflated. According to Smith, the most frequently cited
number, the alleged 250,000 attacks on the DoD (Department of Defense) computers in 1995,
has been "continually misrepresented as a solid metric of intrusions on U.S. military
networks ...".
Business IW
A growing number of commercial firms are acutely aware of their
vulnerability to both opportunistic and orchestrated computer attacks (Power, 2000).
Various kinds of cyber-crime, ranging from financial fraud through industrial espionage to
high-profile denial of service (DoS) attacks and digital defamation campaigns, have become
commonplace and cost business hundreds of millions, if not billions, of dollars a year
(e.g., Power, 1988, 2000). Some perpetrators of cyber-crime and net-terrorism have access
to state-of-the-art technology and the smartest brains. Terrorist groups, such as Hamas in
the Middle East, Osama bin Laden's network, and the Aum Shinrikyo cult in Japan,
along with organized crime (e.g., the Medellin cartel) use the Internet to support their
communication needs, as well as to assist in fund-raising and image management efforts.
More concretely, they are known to make extensive use of encryption techniques to protect
files, emails and telephone messages (Denning & Baugh, 1999).
Information technology-intensive enterprises are having to commit
resources to instituting defensive information strategies to protect their systems and
soft assets (databases, web sites, proprietary computer code, proprietary information)
from attackers, be they domestic competitors, foreign governments, hobbyist hackers,
criminals, disgruntled former employees, ethno-nationalists, revolutionaries, social
activists, or counter-cultural groups (e.g., Boni & Kovacich, 2000). With the dramatic
growth of electronic commerce, the threat and cost of information-based attacks against
organizations and individuals will continue to increase, as the data from the annual
survey of cyber-crime conducted jointly by the CSI (Computer Security Institute) and the
FBI's San Francisco branch show (Power, 2000). It is unreasonable, however, to
imagine that there is a "security end state," for the simple reason that
"we cannot have secure computer systems until we can build correct systems,"
namely, systems that are free of "buggy software" (Bellovin, 2001, p.131), or to
quote a recent report from the UK's Joint Information Systems Committee (2001) on
information security policies in institutions of higher education:
since neither the systems themselves nor those who operate
them can ever be totally reliable, the institution must be able to react promptly
and appropriately to any security incident, and to restore its information systems to
their normal operational state in an acceptable period of time.
Business is often construed as a contest between adversaries with
various assets, motivations, and goals. The figurative battlefield may be the domestic or
international marketplace, and the postmodern enemy can come in many guises. From the
perspective of a foreign government, mainline competitor, or anarchist group, a particular
company (or industry sector) may constitute a legitimate target, and the preferred means
of attack may range from network-based industrial espionage (e.g., theft of trade secrets,
a disturbingly commonplace practice (Fialka, 1997)) to any one of a number of
cyber-incursions designed to damage or degrade the target's information systems
(e.g., a denial of service attack of the kind which in February 2000 put Yahoo!, eBay,
Amazon.com and a number of other high-profile e-commerce enterprises temporarily out of
action (Levy & Stone, 2000)). In such cases, even if the attack is not deemed to have
been critically damaging, as in the high-profile, possibly opportunistic, October 2000
penetration of Microsoft's internal systems, it may raise serious concerns with
market analysts, shareholders, and security-conscious consumers (Schneier, 2000). Paul
Saffo (2000), however, has sought to put DoS attacks in their proper context:
"Technically speaking, these steps are one step up from spray paints on the highway
overpass."
Even if most companies would not countenance engaging in offensive
information warfare, they, realistically, have to acknowledge that they themselves may be
the target of an attack by others who are not bound by commonly accepted ethical or legal
norms (The Industry Standard, 2000). The generic threats (see Table 4) are to: (a)
the existence of the information assets (the goal is destruction or denial-of-service);
(b) the integrity of the assets (the goal is to compromise the trustworthiness of the
data/information/images/belief system), and (c) the confidentiality of the assets (the
goal is to spy and/or steal).
Table 4. Generic Threats to Information Assets (after Power, 1998)
| Existence | Integrity | Confidentiality |
| Destruction | Alteration | Penetration |
| Degradation | Falsification | Espionage |
| Denial of service | Superimposition | Misappropriation |
Defensive information warfare is, thus, less an
option than a strategic necessity for companies. One approach is to concentrate on risk
analysis, and systematically address asset protection, threat estimation, vulnerability
assessment, potential effects and feasible safeguards (Power, 2000, pp.280-283). This, of
course, could prove to be an unending task, resulting in paralysis through analysis. An
alternative approach is to focus on due care and best practice by (a) adopting proven
procedures, and (b) benchmarking one's practices against recognized leaders in the
same or similar industry sector (Parker, 1998). In the UK context, this might mean
evaluating existing standards, such as BS7799, Information Security Management,
though questions have recently been raised concerning its suitability for academic
institutions, or other settings where the management style favors a collegiate culture
(Johnson, 2001). More concretely, for example, it means tracking and assessing the utility
of software tools, such as those for preventing distributed denial of service attacks
(Yasin, 2000).
Identifying security threats and risks does not mean simply building
stronger firewalls or enhancing existing encryption procedures. Nor does it equate with
the legally dubious practice (Yasin, 1998) of installing software which launches
counterattacks/hackbacks: in the vernacular, should one's policy be
an eye for an eye, or a commitment to turning the other cheek? It
also requires investing resources in the creation of more effective organizational
intelligence and counterintelligence capability (Cronin & Crawford, 1999a). In the
U.S. there is federal-level recognition of the threat posed to the national interest by
economic warfare, reflected in the amount of federal resources allocated to economic
intelligence work. To take a concrete illustration, the National Counterintelligence
Center (see: http://www.nacic.gov/) provides private sector firms with guidance and
advice on how to cope with foreign intelligence threats to their business operations. The
seriousness with which the economic espionage threat is viewed by federal government is
reflected in the creation by the FBI of the Awareness of National Security Issues and
Response Program (ANSIR). One of the services provided by ANSIR is an email alert to US
corporations wishing to receive information on threats to critical technologies and
current espionage techniques (National Counterintelligence Center, 2001).
The notional enemy need not be a competitor firm or a foreign
government, friendly or otherwise, seeking to engineer a techno-economic advantage, but an
individual working either as an isolate or as a member of a more or less loose alliance.
On occasion, the attacker may take the form of a disgruntled consumer who launches a
suck site (e.g., XYZInc.sucks.com) to bring public relations pressure to bear
on its business policies or practices (Crush, 2000). Suck sites (or revenge
Web sites as they are sometimes called) may be classed as a relatively benign example of
IW, in the same category as mischievous defacings of corporate (and other) Web sites. Such
attacks may annoy and inconvenience, but they are unlikely to seriously damage or derail
the chosen target. Nonetheless, the same David and Goliath principle that we observed in
the military context applies in consumer markets (Cronin, 2000).
The Internet provides the little man with a megaphone,
and, on occasion, giant firms may have no choice but to sit up and take notice, a case in
point being the flamingFords.com Web site which triggered a recall of more
than eight million vehicles by Ford in the U.S. at a cost of $200M (Ebbinghouse, 2001).
The ease with which a corporate smear campaign can be orchestrated is such that big
business will have to be much more attentive than heretofore to cyber-smearing
campaigns which stoke consumer fears about one's product, whether they are launched
by a competitor or a disgruntled individual (Fumento, 1999). Additionally, there is the
voice of marginal constituencies to consider, along with the demands of "share-holder
activists" (Schapiro, 2001, p.110) who have discovered how the Web can be used to bring
pressure to bear on corporate executives whose companies are perceived to be
under-performing, or whose business practices are deemed to be socially irresponsible.
Civil IW
Electronic Civil Disobedience
The rise of the networked society has resulted in an
intensification of digital debate on a vast array of socio-political issues. Just as with
the disgruntled, historically voiceless consumer, computer-mediated communication (CMC)
allows activists of all varieties (from irenic ecologists to belligerent neo-nazis) to
amplify their message and marshal support electronically, achieving what military
strategists term the force multiplier effect and what social psychologists
refer to as group polarization (Sunstein, 2001; Ray & Marsh, 2001). There is a broad
spectrum of activity (Denning, 1999) ranging from net-based activism (benign) through
hacktivism (malign but not mission-critical) to cyber-terrorism (illegal and a potential
threat to national security), all of which seem set to increase. To this trinity might be
added computerized civil disobedience, which sits, depending on one's political
perspective, somewhere between activism and hacktivism.
In a recent paper, Goodrum and Manion (2000) argue that electronic
civil disobedience of the kind practiced by ethically-motivated groups such as the
Electronic Disturbance Theater (EDT), whose members use their real names and prefer the
disruption of Internet traffic using flooding tactics to the altering of Web sites or the
crashing of servers, should not be equated with information warfare or net terrorism (for
a profile of the organization and its raison d'être see:
http://www.thing.net/~rdom/ecd/EDTECD.html). In fact, EDT members describe their approach
to "HTML activism" as "performance art" (Schwartau, 1999). Not
everyone sees it thus. In 1998, the EDT launched FloodNet, its denial of service program,
against a Pentagon Web site. Once the assault began (it had been pre-announced by the EDT),
the Pentagon responded with a DoS counter-attack which caused FloodNet to freeze. This
incident, as with the military cases discussed earlier, raised questions as to the
legality and appropriateness of the federal government's response (Schwartau, 1999).
Information Terrorism
With the advent of the Web, social and political activists have an
unprecedented logical space in which to proselytize and build a distributed support base
(Brophy, Craven & Fisher, 1998). Politically- and ideologically-motivated groups (from
the Zapatistas in Chiapas, Mexico, to militant pro-life groups in the U.S.) now have at
their disposal the means of waging digital propaganda campaigns or, more extreme, engaging
in electronic jihad. This does not mean, however, that every revolutionary group will
switch from bombs and bullets, the current staples of political terrorism, to information
terrorism overnight. As Rathwell et al. (1997) note in their analysis of the Irish
Republican Army (IRA), the sociological profile of most IRA leaders and activists is not
conducive to the use of IW/netwar tactics, nor does its tight cellular structure make it
likely that it would admit freelance hackers and crackers into its ranks. Organizational
structure and culture are thus important determinants of strategy.
Nonetheless, the early trend is clear. In January 1999, the
Indonesian government was blamed for a systematic attack on computers that brought down
the East Timor virtual country domain. According to the target, Connect-Ireland, which
hosted the East Timor site, there were 18 simultaneous attacks on the company's
server by robots trying to breach the company's defenses. In Indonesia, Web sites
have been attacked by campaigners protesting the treatment of that country's ethnic
Chinese population. The Arab-Israeli conflict has also moved into the virtual realm, with
documented attacks and counter-attacks on one another's Web sites (Machlis, 2000).
These are but a few examples of a practice which in a matter of a few years has become
commonplace, though, to maintain a sense of proportion, these activities are perhaps best
viewed as the military equivalent of saber-rattling or, at worst, a minor skirmish.
Online Social Movements
The use of the Web by social movement organizations and advocacy
groups need not necessarily result in undesirable or threatening outcomes. For instance,
Amnesty International's FAST (Fast Action Stops Torture) network targets high-level
officials of regimes which sponsor torture of political prisoners and other dissidents
(Ellis, 2000). More generally, there is evidence that digital communication technologies
are accelerating the emergence of a third, or social sector, alongside the established
public and private sectors (Arquila & Ronfeldt, 1996). In theory, cyber-lobbying and
electronic activism are just as capable of producing beneficial results as having a
corrosive and dissipative effect on society. In broad terms, computer-mediated
communication affords collectivities both instrumental and symbolic benefits: it can
enhance the ease, effectiveness and persistence of communication and also contribute to a
sense of group identity or solidarity (Diani, 2000, pp.386-388).
That is not to say that CMC does not have drawbacks. There may be
problems of building and sustaining trust where there is, to appropriate the title of a
paper by Calhoun (1998), "community without propinquity." There is credible
evidence that social networks function most effectively when critical interactions
"are backed by real social linkages in specifically localized communities"
(Diani, 2000, p.398). However, given that the Web allows for the promulgation of multiple
viewpoints, there is an attendant risk that the social glue which holds some nation states
together may weaken, resulting in a plethora of competing micro agendas and causing
dominant value systems to fissure. This is not only a well-documented concern for
totalitarian regimes (e.g., Myanmar) but also a cause of concern for liberal democracies
where there is increasing evidence of society splintering into special interest groups and
"mutually ignorant information spheres" (Fallows, 2001, p.33), the thesis of
Sunstein's (2001, p.49) recently published book, republic.com:
New technologies, emphatically including the Internet, are
dramatically increasing people's ability to hear echoes of their own voices, and to
wall themselves off from others. An important result is the existence of cybercascades - processes
of information exchange in which a certain fact or point of view becomes widespread simply
because so many people seem to believe it.
Personal IW
Cyber-stalking
Conceptually, information warfare and information terrorism need
not be restricted to group or political contexts, a fact that is relatively little
acknowledged in much of the relevant literature. Ordinary citizens are vulnerable to
various kinds of overt and covert attack by cyber-terrorists acting alone or in concert,
whether the motivation is ostensibly playful or demonstrably criminal (Kirsner, 1998;
Foote, 1999). Hacker sub-culture may dismiss electronic break-ins and cyber-impersonation
as punkishly acceptable behaviors, but the victims usually view matters differently, as do
law enforcement agencies. The sense of violation and loss of sanctuary can have
long-lasting psychological effects, as victims of cyber-stalking will readily affirm. A
1999 report on cyber-stalking from the office of the U.S. Attorney General (see: http://www.usdoj.gov/criminal/cybercrime/cyberstalking.htm)
estimates that there may be tens if not hundreds of thousands of victims annually of
cyber-stalking, of whom the majority are females. The report specifically acknowledges
that "the Internet is rapidly becoming another weapon used by batterers against their
victims." It cites an earlier study conducted by the National Institute for Justice
at the University of Cincinnati which found that, during a seven-month period in 1997, 25%
of those who said they had been stalked mentioned email as one of the means employed by
the stalker. It also quotes the pioneering Internet victims assistance organization,
Cyberangels (see: http://www.cyberangels.org/),
which estimates that there are approximately 63,000 Internet stalkers and 474,000 victims
worldwide. In some cities, Los Angeles being an example, there are now specialized police
units dedicated to the investigation, analysis and prosecution of cyber-stalking cases.
Digital Defamation
Digital media afford one's enemies a rich and powerful set of
tools (e.g., mirror sites, email alerts) with which to engage in psychological warfare,
whether at the local or global level. Cyber-smearing or digital defamation campaigns have
the potential to reach large audiences with great speed, in the process creating
considerable frustration (e.g., work disruption) and inconvenience for the victim (e.g.,
the need to undertake damage limitation). The reconstitution of trust and salvaging of
reputations, whether corporate or personal, in the wake of digital defamation campaigns
will pose major challenges for targeted individuals and groups, in addition to which there
may be long-lasting psychological after-effects to handle.
As with military or business resources, an individual's
information assets and online identity are potentially damageable by a determined hacker,
which is not to say that anything other than a minority of individuals will ever be
targeted in systematic fashion by information warriors or net-terrorists. Think, however,
of a university researcher who maintains a large personal Web page containing his
curriculum vitae, biographical information, working papers, survey data sets, as well as
personal details. A competent hacker with a grievance against this individual has a number
of options to pursue: he could systematically corrupt the researcher's data, launch a
smear campaign by posting uncorroborated, though superficially plausible criticism of the
individual's work on a range of listservs, or by e-mailing members of the relevant academic
community with misinformation about the researcher. In fact, actions of this kind (and
related abuses) are increasingly common.
A recent high profile case involved the posting on a Web site at the
City College of San Francisco of anonymous, personally offensive, and allegedly defamatory
critiques of university professors' teaching abilities (Snyder, 2000). A number of
such sites (e.g., teacherreview.com) exist and are a cause of concern for many academic
staff. In another high-profile case, a former doctor at Emory University School of
Medicine won a $650,000 judgment for professional libel based on an anonymous Internet
message that accused him of receiving kickbacks from a urology company.
Identity Theft
The ease with which a black PR campaign can be mounted
via the Internet or Web creates appreciable asymmetries in favor of the attacker. The
target is thrown on the defensive and may be left in a state of uncertainty as to the
attacker's identity, motives, location, goals, and whether the attack is being
mounted by an individual or an alliance. Further, the hacker might choose to assume the
target's online persona, appropriate his personal cyber-identity, a disturbingly
common occurrence in the U.S. Recently, to take a local example, the social security
numbers (the foundation stone of one's personal identity in the U.S.) of 3,100
postgraduate students on my home campus were appropriated by a hacker (subsequently traced
back to the University of Uppsala in Sweden) and subsequently posted on several overseas
computers. The inconvenience suffered by the students was not trivial, and the
entailments, notably problems relating to one's credit rating, can persist for years.
Mass victimization crime (especially financial crime) and ontological terrorism are thus
novel and disconcertingly powerful options for criminals, cyber-activists and information
warriors of all stripes.
Conclusions
Information warfare has become an integral component of 21st
century military strategy and, in some countries, notably the U.S., accounts for a
fast-growing portion of the defense budget. The rhetoric of the RMA ("an all-source
technological telescope, providing geo-positional displays of current situations,
including movement from radar sources, and television from special surveillance
devices") is seductive, as Herman (1998, p.62) notes. It is also a topic of
considerable interest to the major powers. A few years ago, Russia raised the issue of IW
and rules of war with the United Nations. The People's Republic of China (PRC) is
also keenly interested in the subject. Since the PRC's defense expenditure is less
than a fifth that of the U.S., the attraction of asymmetrical warfare is not hard to grasp
from the perspective of the Chinese top brass. Other countries, too, are seriously
assessing the strategic import of IW strategies and possibilities, and the trend seems
likely to grow.
The lexicon of IW, both offensive and defensive, is now
well-established and routinely used in the different branches of the armed services.
However, there is limited evidence to date that any national government or sub-state group
has systematically engaged in strategic, offensive information warfare against targets
such as the U.S., though specific instances of tactical or opportunistic IW can be cited.
At present, the military theory of information warfare considerably outpaces the practical
battlefield applications, in no small measure because of the difficulties associated with
determining: (a) the political acceptability and legality of both first-strike and
strike-back actions; (b) proportionality of response; (c) acceptable and prohibited
targets; (d) the achievability of deterrence; (e) the threshold of proof to establish that
an attack/incursion has taken place, and (f) the risk and likely scale of collateral
damage associated with an IW strike/counter-strike. These issues are intensified when the
aggressor is not an identifiable nation state, but an anonymous group of non-state actors,
and when the attacks are orchestrated or distributed across a number of sovereign nations
with each having different laws relating to the use of the Internet.
The key principles and techniques of information warfare have been
fashioned in military academies, defense departments and think-tanks. However, the
underlying assumptions and concepts can be applied readily in non-military contexts and in
ways that extend beyond the pale of national security. In this talk, I have tried to show
how information warfare (generously defined, I concede) is an issue of potentially critical
importance in a variety of settings beyond the pale of national security. It can be
argued, of course, that malicious hacking is better compared with vandalism, that
cyber-stalking is better labeled as sexual harassment, and that electronic civil
disobedience is just another form of civil disobedience, but this would be to overlook the
dramatic shifts in power relations, whether at the group or individual level, attributable
to the (often illegal) use made of information and communication technologies in these and
other contexts.
Whether it is a classic military campaign, a civil disobedience
campaign, or a focused defamation campaign, similar strategic advantages can be achieved
in terms of (a) impairing the performance of one's adversary's information
systems, (b) degrading or destroying the target's information resources, or (c)
creating epistemological uncertainty within the target. The panoply of tools available to
hacktivists and net-warriors, whether ethically or otherwise motivated, provides them with
capabilities previously unimagined and typically inaccessible to the little
man. The defining features of IW, notably force asymmetricality (see Table 4), apply
whether the theater of operations is a conventional battlefield, an
ideologically-propelled terrorist campaign, a criminally- or politically-motivated
campaign to destroy the reputation of a company or product, or a stealth campaign to
harass a female colleague online.
Acknowledgment
I am grateful to Michael Herman for comments on an earlier draft of
this paper.
References
Adams, J. (1998). The Next World War: Computers are the Weapons
and the Front Line is Everywhere. New York: Simon & Schuster.
Alger, J.I. (1996). Introduction to information warfare. In:
Schwartau, W. (ed.), Information Warfare. Cyberterrorism: Protecting your Personal
Security in the Information Age. New York: Thunder's Mouth Press. 2nd. ed., 1996,
8-14.
Arquila, J. & Ronfeldt, D. (1996). The Advent of Netwar.
Santa Monica, CA: RAND.
Bell, D. (1973). The Coming of Post-industrial Society: A Venture
in Social Forecasting. New York: Basic Books. Special Anniversary Edition with
Foreword, 1999.
Bellovin, S.M. (2001). Computer security - an end state? Communications
of the ACM, 44(3), 131-132.
Berkowitz, B. (2000a). Information warfare: time to prepare. Issues
in Science & Technology Online, Winter.
Available at: http://www.nap.edu/issues/17.2/berkowitz.htm
Berkowitz, B.D. (2000b). War logs on. Foreign
Affairs, 79(3), 8-12.
Boni, W. & Kovacich, G.L. (2000). Netspionage: The Global
Threat to Information. Boston, MA: Butterworth Heinemann.
Boulanger, A. (1998). Catapults and grappling hooks: the tools and
techniques of information warfare. IBM Systems Journal, 37(1), 106-114.
Brophy, P., Craven, J. & Fisher, S. (1999). Extremism and the
Internet. London: The British Library. British Library Research & Innovation
Report 145.
Calhoun, C. (1998). Community without propinquity revisited:
communication technology and the transformation of the urban public sphere. Sociological
Inquiry, 68, 373-397.
Campen, A.D., Dearth, D.H. & Goodden, R.T. (eds.) (1996).
Cyberwar: Security, Strategy and Conflict in the Information Age. Fairfax, VA: AFCEA
International Press.
Center for Strategic and International Studies (1998). Cybercrime
... Cyberterrorism ... Cyberwarfare: Averting an Electronic Waterloo. Washington, DC:
CSIS.
Clarke, R. (1999). Internet privacy concerns confirm the case for
intervention. Communications of the ACM, 42(2), 60-67.
Cronin, B. (2000). Strategic intelligence and networked business. Journal
of Information Science, 26(4), 131-136.
Cronin, B. & Crawford, H. (1999). Raising the intelligence
stakes: corporate information warfare and strategic surprise. Competitive Intelligence
Review, 10(3), 58-66.
Cronin, B. & Crawford, H. (1999). Information warfare: its
application in military and civilian contexts. The Information Society, 15(4),
257-263.
Crush, P. (2000). Out to get you. Management Today, November,
94-95, 97.
Davies, P.H.J. (2001). Intelligence, information technology and
information warfare. In Cronin, B. (Ed.). Annual Review of Information Science &
Technology, 36. Medford, NJ: Information Today Inc./ASIST (in press).
De Landa, M. (1991). War in the Age of Intelligent Machines.
New York: Swerve Press.
Denning, D.E. (1999). Information Warfare and Security.
Reading, MA: Addison-Wesley.
Denning, D.E. & Baugh, W.E. (1999). Hiding crimes in cyberspace.
Information, Communication & Society, 2(3), 251-276.
Diamond, J.M. (2001). Re-examining problems and prospects in U.S.
imagery intelligence. International Journal of Intelligence and CounterIntelligence,
14(1), 1-24.
Diani, M. (2000). Social movement networks virtual and real. Information,
Communication & Society, 3(3), 386-401.
Ebbinghouse, C. (2001). You have been misinformed - Now what?:
Attacking dangerous data. Searcher, April, 20, 22, 24, 26-30.
Ellis, C. (2001). Anti-torture.net. Wired, 9(2), 80.
Fallows, J. (2001). Information zones. The Industry Standard,
April 9, 32-33.
Fialka, J.J. (1997). War by Other Means: Economic Espionage in
America. New York: Norton.
Foote, D. (1999). You could get raped: the inside story of one young
woman's terrifying ordeal at the hands of a cyberstalker. Newsweek, February
8, 64-65.
Fumento, M. (1999). Tampon terrorism. Forbes, May 17, 170,
172.
Gates, D. (2001). Boeing's big move. The Industry Standard,
April 2, 40-41, 43, 45, 47.
Goodrum, A. & Manion, M. (2000). The ethics of hacktivism. Journal
of Information Ethics, 9(2), 51-59.
Gray, C.H. (1997). Postmodern War: The New Politics of Conflict.
New York: Guilford Press.
Hafner, K. & Markoff, J. (1995). Cyberpunk: Outlaws and
Hackers on the Computer Frontier. New York: Touchstone Books.
Handel, M.I. (1995). Intelligence and the problem of strategic
surprise. In: Dearth, D.H. & Goodden, R.T. (eds.). Strategic Intelligence: Theory
and Application. 2nd. ed. Washington, DC: US Army War College/ Defense Intelligence
Agency, 213-261.
Helmreich, S. (2000). Flexible infections: computer viruses, human
bodies, nation-states, evolutionary capitalism. Science, Technology, & Human Values,
25(4), 472-491.
Herman, M. (1996). Intelligence Power in Peace and War. Cambridge:
Cambridge University Press.
Herman, M. (1998). Where hath our intelligence been? The Revolution
in Military Affairs. RUSI Journal, 143(6), 62-68.
The Industry Standard (2001). See the December 11th
issue for an extended assessment of information security issues.
Johnson, C. (2001). Report rejects security model. The Times
Higher Education Supplement, March 16.
Johnson, S.E. & Libicki, M.C. (1996). Dominant Battlespace
Knowledge. Washington, DC: National Defense University.
Joint Information Systems Committee (2001). Developing an
Information Security Policy.
Available at: http://www.nacic.gov/reports/fy00.htm
King, K. (1996). Quoted in: R.D. Thrasher (compiler), Information
Warfare Delphi: Raw Results. Available at: http://all.net/books/iw/delphi/top.html
Kirsner, S. (1998). Murder by Internet. Wired, 6(12),
210-216, 266-271.
Laqueur, W. (1996). Postmodern terrorism. Foreign Affairs,
75(5), 24-36.
Levy, S. & Stone, B. (2000). Hunting the hackers. Newsweek,
February 21, 38-44.
Libicki, M.C. (1995). What is Information Warfare?
Washington, DC: National Defense University, Institute for National Strategic Studies.
McCrohan, K.F. (1998). Competitive intelligence: preparing for the
information war. Long Range Planning, 31(4), 586-593.
Machlis, A. (2000). Hacking in the Holy Land. The Industry
Standard, November 20, 124-125.
Martin, B. (2000). Defamation havens. First Monday, 5(3).
Available at: http://firstmonday.org/issues/issue5_3/martin/
Meinel, C.P. (1998). How hackers break in and how they are
caught. Scientific American, October, 98-105.
Molander, R.C., Riddile, A.S. & Wilson, P.A. (1996). Strategic
Information Warfare: a New Face of War. Santa Monica, CA: RAND.
Murphy, B. (2001). Hackers lack skill and can't be trusted. Internet
Week, March 26, 31.
National Counterintelligence Center (2001). Annual Report to
Congress on Foreign Economic Collection and Industrial Espionage 2000. Available at:
http://www.nacic.gov/reports/fy00.htm
Parker, D. (1998). Fighting Computer Crime: A New Framework for
Protecting Information. New York, NY: Wiley.
Power, R. (1988). Current and Future Danger: a CSI Primer on
Computer Crime and Information Warfare. San Francisco, CA: Computer Security
Institute.
Power, R. (2000). Tangled Web: Tales of Digital Crime from the
Shadows of Cyberspace. Indianapolis, IN: Que.
Rathmell, A., Overill, R., Valeri, L., & Gearson, J. (1997). The
IW threat from sub-state groups: an interdisciplinary approach. Paper presented at the Third
International Symposium on Command and Control Research and Technology. Institute for
National Strategic Studies-National Defense University, 17-20 June.
Ray, B. & Marsh, G.E. II (2001). Recruitment by extremist groups
on the Internet. First Monday, 6(2).
Available at: http://firstmonday.org/issues/issue6_2/ray/index.html
Robinson, C.P., Woodward, J.B., & Varnado, S.G. (1998). Critical
infrastructure: interlinked and vulnerable. Issues in Science and Technology Online,
Fall. Available at: http://www.nap.edu/issues/15.1/robins.htm
Saffo, P. (2000). Quoted in Newsweek, December 25-January 1,
101.
Schapiro, M. (2001). All over the board! The Industry Standard
Grok, February-March, 110-115.
Schneier, B. (2000). Hackers 3, Microsoft 0. The Industry Standard,
November 27-December 4, 106.
Schwartau, W. (1996). Information Warfare. Cyberterrorism:
Protecting your Personal Security in the Electronic Age. New York: Thunder's
Mouth Press. 2nd. ed., 27-42.
Schwartau, W. (1999). Inside the Electronic Disturbance
Theater's battle with the Pentagon. Network World, January, 11.
Available at: http://features.idg.net/crd_edt_64560.html
Smith, G. (1998). An electronic Pearl Harbor? Not likely. Issues
in Science and Technology Online, Fall. Available at: http://www.nap.edu/issues/15.1/smith.htm
Snyder, M. (2000). Teaching evaluation or cyberstalking? Academe, July-August, 71.
Stoll, C. (1989). The Cuckoo's Egg: Tracking a Spy Through the
Maze of Computer Espionage. New York, NY: Doubleday.
Studies in Conflict & Terrorism. (1999). Special issue:
Netwar across the spectrum of conflict. 22(3).
Sunstein, C. (2001). Republic.com. Princeton, NJ: Princeton
University Press.
Szafranski, R. (1994). Neo-cortical warfare: the acme of skill? Military
Review, November, 41-55.
Szafranski, R. (1996). An information warfare SIIOP. In: Schwartau,
W. Information Warfare. Cyberterrorism: Protecting your Personal Security in the
Electronic Age. New York: Thunder's Mouth Press. 2nd. ed., 115-125.
Toffler, A. & Toffler, H. (1993). War and Anti-war: Survival at the Dawn of the
21st Century. New York: Little Brown.
U.S. Department of Justice (2000). The Electronic Frontier: The Challenge of
Unlawful Conduct Involving the Use of the Internet. A Report of the President's
Working Group on Unlawful Conduct on the Internet. Available at:
http://www.usdoj.gov/criminal/cybercrime/unlawful.htm
Vise, D.A. (2001). FBI warns infrastructure vulnerable to cyber-attacks. The
Washington Post, March 20.
Yasin, R. (1998). The enterprise strikes back. Internet Week, December 7, 1, 78.
Yasin, R. (2000). Tools stunt DoS attacks. Internet Week, February 5, 1, 58.
|