Winn Schwartau
The nay-sayers - there are always nay-sayers who have little more to do than criticize
the work and progress of others - think that Information Warfare is little more than
"Information Security with a budget."
I thank the nay-sayers for that sound byte, for it gets laughs every time. Of course,
timing is everything, and I make sure that I use that line only after my audiences get a
real feel for what Information Warfare is all about.
When I first wrote "Information Warfare: Chaos on the Electronic
Superhighway" I had no earthly clue that the subject much less the title of the book
was classified. It came as quite a shock to me that Her Majesty's Government wanted to ban
the book "because so much is considered classified," and that I had become a
piranha in certain DoD circles for I "knew too much and talked too much." I had
not written the book with the intent of annoying the military, nor had I written it with
the intent of building up CitiBank's infosecurity budget.
I wrote it for I had a vision of a new kind of post-Cold War conflict into which I felt
we were heading. But suddenly, after the book's appearance, the phrase "Information
Warfare" was out of the closet and it was spewing forth from tongues everywhere. The
term, as I first envisioned it was being bastardized by those with personal agendas, and
it soon became a catch-all phrase for budget-strapped Washingtonians who needed additional
funding vehicles. (This is not meant to criticize, merely observe.)
So today, Information Warfare has come to mean a number of different things - perhaps a
combination of them all; and what it means really depends upon your particular bias.
I stick with the definition of Information Warfare that I put forth some three years
ago:
"Information Warfare is the offensive and defensive use of information and
information systems in a conflict." It is fundamentally sound. The Pentagon has added
a bit to it; something like "to exploit, corrupt, or destroy an adversary's
information and information systems while protecting one's own," and they may specify
a conflict, but the point ultimately is that the target is immaterial. It could be
personal, Class I, industrial or business, Class II or National, military or terrorist,
Class III, reflecting the three intensities of Information Warfare that can be fought. A
number of other academics have added their bits as well, but the flavor is the same as I
had originally intended.
But along the way, something went askew as the umbrella phrase 'Information Warfare'
started to twist and turn in the political winds of Washington and now we see the debates
over the definition of Information Warfare. Let's see what we have:
- The Pure Information Warrior, like myself, sees Infowar as a war without bombs or
bullets; a conflict of any magnitude, waged anywhere, motivation independent. My book
still holds true.
- The next group to come along believe in "Information In Warfare." This group
includes a lot of the big name Beltway Bandits and government contractors who developed
much of the nation's advanced war fighting capabilities in the last decade. They feel,
that with the advent of better info-tech, we can increase our conventional war fighting
capability by better and better iterative information processing. This brings the
battlefield closer (in the virtual sense) to the generals who make tactical decisions
based upon available information.
- Knowledge Based Warfare is a naiscant smart-extrapolation of the last concept and makes
a distinction between information and the subjective increased value of knowledge. I
personally see little distinction.
The semantic debate offers a wide variety of positions and definitions, each fighting
for supremacy and mind-share, but still, all based upon the fundamental premise of the
vulnerabilities of Information Technology and the ability to design and deploy targetable
IT weapons systems.
So, is this information security repackaged?
I just don't see it that way at all. That phrase alone is somewhat derogatory, implying
that Infosec was valueless, and needed a new cover to sell.
Infosec has traditionally been a corporate term, applied to the protection of corporate
assets. If we accept the findings of the research groups over the last twenty years, the
studies have suggested that between 50-80% of computer crime is committed by insiders -
not outside penetrations.
These figures began to skew in the early 90's when the use of dial-up remote
connections increased, and then dramatically when the Internet was sprung upon Corporate
America. We saw that external attacks against systems were on a steep increase, making
ground on the insider threat. Is remote access control or firewalls infosec repackaged? Of
course not; they are merely technical steps taken to counter new threats. Evolved? Yes.
Repackaged? No.
As the threat changes, so do the necessary defensive postures, and so we can expect an
evolution in terminology.
The term "Information Warfare," though, offers such a compelling broad view
of infosec, that some old-timers may be understandably offended by such a new paradigm
that we offer. It is so all-encompassing, that we find the traditional infosec disciplines
are now relegated to mere subsets of a more general approach. In physics we hail and
salute a more generalized theory; this thought process, though, is new to infosec.
Information Warfare clearly offers a wide spectrum of adversarial conditions due in
large part to the massive global connectivity in which we find ourselves enmeshed. A
decade ago, the hacker was a gnat, connected by a dial-up line, using manual home-brew
tools, and represented a very small number of attacks. Today the hacker is a capable
adversary, with a sophisticated suite of automated GUI tools, who can attack anyone he
chooses, since Cyberspace places us all equi-distant from each other. Is this repackaging?
Of course not. It is a new reality, though.
And now, because governments have joined corporations in developing electronic
presences and using massive civilian connectivity, they are added - automatically - to the
potential 'hit list' by hackers and such. We find that former Cold Warriors and technical
experts engage in tactics once relegated to the rarefied world of Le Carre and Ludlam spy
novels; except that companies and individuals are the targets. Is this infosec repackaged?
Anyone believing so is blind to the realities we have unleashed upon ourselves.
I have read Special Reports on Information Warfare written by people without an earthly
clue about the subject.
Information Warfare is not infosec repackaged. Information Warfare is far bigger than
infosec ever was, or could ever hope to be. Information Warfare is not a cute sound byte
meant to increase specific departmental infosec budgets. Nor was it a master plan by me an
my cohorts to raise paranoia and increase the value of the Internet Index.
Information Warfare, in any of its definitions, is a subject that encompasses
psychological operations, disinformation, jamming and a host of traditionally military
concepts that now must be considered for sensitive corporate security environments.
Ultimately, though, Information Warfare is about the convergence of military and
civilian security issues, and how we deal with them in a rapidly changing world. The
military is finding that the way it conducts business is increasingly like the way the
commerical sector does, and the commercial sector is learning that the militarty has a
great deal to offer when it comes to security and defense.
Information Warfare is merely infosec repackaged?
Please. Don't be so naive.
|
