A policy to protect the United States against an information warfare (IW) attack should be part of a broader strategy that addresses the total impact of the Information Revolution on U.S. national security. To date, no U.S. policy review has considered how the Information Revolution has affected the country's beliefs about security or proper preparations for dealing with such threats.

• The president should issue an executive order (EO) establishing U.S. policy and explaining U.S. national security objectives vis-ŕ-vis the SIW threat.
  
  
• The EO should go beyond recent directives and should address the threat of a concerted IW attack by a sophisticated, determined opponent.
  
  
• The EO should require a top-down review of existing organizations assigned responsibilities related to IW, information security, security policy, and cybercrime. The review should result in recommendations ensuring that organizations' roles are consistent, do not overlap, and do not leave gaps and specifying how and under what conditions they will interface with each other.
  
  
• The EO should establish U.S. policy and guidance for the use of offensive IW; this policy should address U.S. strategic doctrine and several objectives in the use of offensive IW:
  
  
  • Identify the officials who will have the authority to approve the use of offensive IW under various specified conditions;
  • Draft guidelines for acceptable and prohibited targets under specified conditions;
  • Define roles and responsibilities of the White House, the national security agencies, and the intelligence community under various specified forms of offensive IW;
  • Determine procedures for approval and oversight of the use of offensive IW (including congressional oversight); and
  • Identify high-priority functions for maintaining national defense, rule of law, emergency preparedness, and continuity of government, and ensure that these functions can be sustained in the face of SIW.

Indeed, government and business have different objectives and operating modes and often have good reasons to limit their cooperation. The cultures of government and the U.S. telecommunications and information industries are very different. The private sector will need to assume much of the responsibility for protecting itself. Government can help in specific, but limited, areas:

• Provide information on the nature and extent of the IW threat. The government still has some sources of intelligence about the threat that private companies cannot obtain on their own, but analysts and law enforcement officials may not be able to recognize the evidence of IW aimed at the telecommunications and information systems of the critical infrastructures. Recent policy directives, including the establishment of the National Infrastructure Protection Center under the Federal Bureau of Investigation, aim to improve information sharing, but some legal barriers still need to be overcome and officials in the law enforcement and intelligence communities need to cooperate for these measures to be effective.
  
  
• Raise the visibility of the threat to the leadership of critical infrastructure providers and major, dependent users.
  
  
• Support private sector efforts (for example, the Information Systems Security Board [ISSB] proposed by the National Security Telecommunications Advisory Committee) to improve information security.
  
  
• Review the adequacy and effectiveness of privacy laws, property laws, antitrust laws, and liability issues that are the legal foundation of the private sector's ability to maintain its integrity and protect itself from intrusion.
  
  
• Provide incentives to the private sector so that it takes measures that not only improve its own security against SIW threats but also benefit the country as a whole.

U.S. officials should review the role of IW in U.S. military policy to ensure that U.S. military forces are prepared:

• Assess the overall role of IW in U.S. defense policy. The major-regional-conflict standard on which the U.S. military currently bases its planning is increasingly irrelevant as information systems become the more likely target of attack. Traditional weapons systems and force structure that dominate debates on defense spending may become less relevant as IW capabilities develop.
  
  
• Clarify U.S. policy on deterrence with respect to IW. Policy should articulate the linkage between IW and other forms of power projection.
  
  
• Ensure effective oversight with respect to offensive IW. Because much offensive IW could be covert, U.S. leaders need to ensure that effective oversight procedures exist.
  
  
• Overcome legal obstacles with respect to red-team exercises.

Information warfare threats, which can be generated quickly and from many sources, will require the United States to rethink many of its most entrenched concepts about how intelligence is supposed to work. U.S. officials should develop new intelligence methods necessary to monitor SIW threats:

• Revamp the U.S. intelligence organization and process to adapt to a less hierarchical, less rigidly knowledge-based approach. More effective methods for working cooperatively with the law enforcement community and the industry supporting and building the critical infrastructures platforms and technologies also are needed.
  
  
• Provide indications and warning of possible attack by working more closely with the private sector as a source of expertise and information.
  
  
• Mandate high-priority intelligence collection requirements concerning IW. The intelligence community must re-examine and coordinate its collection methods and requirements.
  
  
• Develop plans for recruiting and outsourcing for the special talent needed to analyze the SIW threat.
  
  
• Designate a national intelligence officer (NIO) whose portfolio is dedicated to offensive and defensive IW.