Executive Summary
The Internet was born from a Department of Defense (DoD) requirement for a survivable
communications system; as a result, cyberspace is now a reality. Individuals are
discovering a political and social freedom never before imagined, but new threats are on
the horizon. Just as the threat of nuclear war once forced leadership to develop national
security policy focused on defending America, so will Information Warfare emerge as a
threat requiring our leadership to consider an Information Civil Defense.
A comparison between the Cold War period and today yields an interesting perspective.
During the Cold War the United States government leveraged over 90% of all
telecommunications research. Today, the United States government contributes to less than
10% of telecommunications research; as a result, our government has much less influence on
establishing industrial standards.
Information Warfare is a threat because it levels the international playing field
(political, economic, and military), i.e. most nations cannot challenge American policy
using traditional force-on-force warfare. Information Warfare is very cost effective and
offers a non-attribution capability. Most importantly, the United States is the most
vulnerable of all nations to IW. DoD is critically dependent upon the public switched
infrastructure, though it has no control over it and little ability to influence its security
standards.
International espionage is being redirected from the individual with access to secret
information toward network administrators. Nations are determined to acquire America's
customer base. Industrial espionage will escalate into industrial sabotage. The Defense
Information Security Agency (DISA) has proved that government networks are vulnerable.
There are strong indications that an entirely new management philosophy is needed to
counter 21st century spies.
Tomorrow's military will continue to stand ready to defend America against the two
major regional conflict (MRC) scenario; however, it can be forced to do so with fewer
resources. Economizing can be pursued through advanced Command and Control Warfare.
Further, America's military will be more able to extend its global reach utilizing an
offensive information warfare strategy. Tomorrow's military will prepare the theater of
conflict by seizing control of all critical infrastructures utilized by the enemy.
Tomorrow's enemy will only be able to communicate, finance, or logistically relocate that
which our leadership allows. Our adversary will be blinded by a complete cyberfog.
Currently the Joint Chiefs of Staff have offensive and defensive groups addressing both
issues. Mechanisms are currently in place and being honed to ensure that each new
strategic weapon is controlled within the required release authority. However, from a
defensive perspective, DoD is currently inhibited by limited authority which prohibits
involvement in securing the public and corporate sector of America's critical
infrastructure.
Government's authority for securing America must be expanded to protect our nation from
groups that wish to influence U.S. policy through infrastructure attacks. Our nation's
leadership, both political and industrial, must define a process by which government can
prosecute such groups which seek to attack from outside the United States. Likewise, our
leadership must equip local and federal law enforcement with effective policy focused on
countering such attacks from within.
The threat posed to America's infrastructure via IW attacks is by its nature
non-partisan. The threat is real and is focused against all of America. As a result, our
political leaders will come to closure on this issue quickly once they are provided with
adequate assessments of the threat and needs of the individual and industry. Our policy
makers can be drawn back to our forefathers' belief that individuals' rights are granted
by God and secured by government. As a result, they will be challenged to determine the
delicate balance between individual and society's rights - this will represent the heart
of the debate.
The focus for change must come from Congress; however, all branches must contribute. The
President must direct the Executive Branch departments and agencies to provide critical
information (data) for use by Congress, Industry, and the public in forming the national
debate. Likewise, the Supreme Court will, as it has in the past, ensure that legislated
policy does not encroach on the rights of Americans. Corporate America can be called upon
to provide a realistic view of industry's security needs. This view is currently not
possible as most of corporate America is either fearful of disclosing the extent of the
threat, or is unaware of the intentions of its adversaries. Finally, Congress must receive
a balanced view from its constituents. The people must educate themselves to the issues
and voice their opinion.
There is value in looking at our nation's transition during times of great change,
e.g., the industrial revolution, the Great Depression, and the nuclear threat (Cold War).
During each period free enterprise provided the technical means to a solution. Likewise,
during each transition, there was a new assessment of the balance of rights.
Specific Lessons from History
- Legislative actions have historically supported economic and industrial growth.
- U.S. Courts have leaned toward the rights of the individual. The right to privacy has
and will continue to be at the center of debate.
- The technical solutions to all of America's needs have come from the industrial sector.
- Divestitures such as AT&T's could benefit other critical infrastructures such as
electric power.
Information Warfare Weapons fall into the following categories: Strategic National,
Strategic Theater, Operational, and Tactical. Each category has its own unique
capabilities and thus requires different safety mechanisms to prevent inadvertent release.
The Commander In Chief (CINC) implements the directions of the President. During the
planning process the CINC can be the single person responsible for the overall campaign
and will select the weapons to be used, but just as in the case of nuclear weapons, IW
weaponry will require a higher level of coordination and authorization for release.
Many nations in competition with the United States, either in the political or economic
realm, are actively developing IW capabilities. Such nations hope to use these
capabilities to gain an industrial edge by stealing U.S. industrial secrets, and when
possible, disrupt our nation's industrial base.
America has typically enjoyed a protected sanctuary provided by the two great oceans it
borders. Not until Pearl Harbor and the subsequent nuclear threat did America become aware
of its loss of sanctuary. With the fall of the Iron Curtain and the end of the Cold War,
Americans have returned to believing a protected sanctuary still exists. Cyberspace has no
geographic boundaries. Further, nations are contracting the efforts of cyber-terrorists to
maintain non-attribution. America's sanctuary has been lost. Our nation is under a quiet,
systematically organized attack by many forces whose goal is to topple America's position
as world leader.
Just as America's military transitioned into the industrial age and adopted the concept
of mechanized war, so will it adapt to the concept of warfare in the information age. That
said, the transition will not be easy. The Army has and will always command the ground
aspect of warfare. The information revolution will provide a battlefield (situational)
awareness unimaginable today, and precision guided weapons will allow a greater stand-off
distance from our adversary. The Navy (and Marine Corps) will continue to control the seas
and provide the heavy strategic reach capability America now enjoys. Global sensory
networks will ensure the U.S. Navy has the capability to track any form of naval enemy on
a global basis. The Air Force and its command of the skies will continue. The ability to
precision strike a hostile nation's command and control, air defense, or critical
infrastructures can be just a push button away. Precision strike will place munitions on a
target in ways now considered impossible.
How Did We Get Here?
Module 1
The Lesson
The module learning objectives:
- To explore the concept of the Information Revolution by looking to the period of the
1950's to present.
- Present the user with enough information to answer the question "How did we get here?"
in the context of Information Warfare.
- To answer the questions: What is Information Warfare? And, why is it an issue?
The Beginning
We can recall images of the ancient courier with a message written on his scalp.
Most of us have seen movies where the medieval king applies the royal seal that
verifies the message to be his own.
Looking to the American Civil War, we can recall the use of signal towers on which
communicators relayed the commander's message via flags.
As time marches on, leaders need faster and more efficient means to communicate.
Both speed and distance were overcome by the use of electronic communications. Advances
were made in the speed by which information could flow, travel far distances, and be
encoded.
The pace of communications development during the early 20th century was nearly linear.
Advances in one trade motivated advances in another. During WW II all aspects of
communication were utilized by both the military and civilian sectors. President
Roosevelt, the Great Communicator, used the airwaves to rally the American people and
government.
Introduction of the Atomic Age, 1945
The spark that started the information flame that is now burning was struck by the atom
bomb. This flame is known as the Information Revolution.
The concept of immediate and complete destruction induced leaders to reconsider every
aspect of government operations. America responded by preparing both the government and
civilian infrastructure for the "what-if" scenario. The "strike from the blue" nuclear
threat forced our government into an unprecedented level of inter-agency cooperation.
Communications technology played a major role in not only providing indicators and warning
of an impending threat, but also made effective command and control possible. As a result,
communications research and development became a pivotal technology in securing our
nation. Now one could argue that the emerging threat posed by the information revolution
calls for our nation's leaders to pull together and consider an Information Civil Defense
policy, i.e., Information Assurance.
It is important to realize just how frightened America became during those years. You
may recall the term "duck and cover"?
Images of total destruction generated a national fear that supported the massive
build-up of the defense infrastructure.
THE TRUTH: Barring the instantaneous collapse of the Russian government, a contingency
I do not foresee under present circumstances, war is inevitable. When the leaders in the
Kremlin are convinced that their superiority in nuclear weapons and the means to deliver
them are superior to ours by a proportion sufficient to enable Russians to destroy
Americans with acceptable damage in retaliation, they will not hesitate to use them.
Although the carnage will be horrible, civilization will not be wiped out -- Russian
civilization, that is.
2. There can be no defense against atomic weapons; we are doomed to destruction and can
only despair....
Kenneth D. Barrett, The Deception of Civil Defense, 1964, Independence Press, Inc.
The Network
After 1945, the communications user base grew by several orders of magnitude. Our
nation's leadership needed the capability to know within minutes of an impending Soviet
attack.
Each of these national efforts had a voracious appetite for communications bandwidth.
Further, the traditional point-to-point communications concept became obsolete. The
network concept was born.
ARPANET, born of the original DARPA requirement, soon evolved into the Internet
most of us use today. What started as a government initiative soon became essential to
computer-equipped commercial organizations; the current adoption of the Global
Positioning System (GPS) by the civilian sector is another example.
In 1960 DoD leveraged more than 90% of the telecommunications research. Today, DoD
contributes less than 10%. This is an important point to consider, as DARPA would not have
been able to encourage the American industrial base to adopt the computer-to-computer
communication protocol (TCP/IP) without such influence.
For the past ten years, enhanced communications capabilities have been shrinking the
world. The futurist Alvin Toffler refers to a "Third Wave" information revolution, which
started in the mid 1980's and is guiding us toward an information-based society. He claims
that information has power and that an information-based evolution will significantly
change our political, economic, industrial, and domestic systems.
The Public Trust (Then and Now)
Our nation has experienced another change since the early days of the Cold War - the
erosion of public trust. The American people expected their government to protect them
from the Cold War threat. It was understood that security meant secrecy. The WW II jingle
"loose lips sink ships" was still in the minds of most Americans. The Rosenberg trials and
convictions publicly confirmed that the Soviet Bear was out and about.
However, events such as Watergate and the Pentagon Papers forced many Americans to
question the activities of their leadership. This growing concern motivated Congress to
act in the mid 1970's. Reacting to a public call for greater control and openness,
Congress dramatically changed the way it processed legislation. Americans could now
examine their government's specific actions as roll calls and voting activities were open
to public record.
It is important to recognize the magnitude of change in public trust over the past six
decades. In the early days of the Cold War people would not have questioned our
government's actions to provide security. The classification of key technologies and
export control was accepted. Cryptographical advances were considered national treasures
worth protecting.
Today Americans demand tight controls to prevent any abuse of power by government
officials. Further, the balance of individual privacy vs. national security has shifted
toward the individual. Once a national technology, cryptography is now considered an
intellectual novelty for public use and discussion.
As our nation's policy makers develop information age legislation, the degree of public
trust will greatly influence their decisions. Policy makers will find it increasingly
difficult to tell the public that legislation is motivated by a classified portrayal of the
threat. The people will demand an explanation. This will challenge many departments and
agencies to develop new methods of operation. Political inertia from behind government's
closed doors will resist the transition to new policy, but change is unavoidable.
Departments and agencies will learn to adopt a widely accepted academic term: "publish
or perish."
What is Information Warfare?
The term information warfare is misleading and is often shunned by high level policy
makers. The concern is that information warfare implies some sinister plot by government
to control the information realm often called cyberspace. This is not the case.
Unfortunately, changing the term now may derail a movement within government and industry
focused on defending America in the new information age.
Our nation is becoming a network of networks (system of systems). Over the past twenty
years, operations once performed by humans have come to be handled by computers; consider
the modernization of the auto assembly line. Our nation's power grids, natural gas pipelines,
and transportation systems are all managed by computer networks. Both Federal Express and
United Parcel Service critically depend upon their computer networks to get the package
there on time, as do our nation's railways and shipping industries. Consider what havoc a
hacker could create in those databases. Looking deeper into our nation's dependence on
computer networks we find that our nation's industry designs and manufactures its products
on Computer Aided Design/Computer Aided Manufacturing (CAD/CAM) systems. For example, the
Boeing Commercial Airplane Company completely designed and manufactured the new 777
airliner in virtual space, i.e. a paperless design. Further, the 777 is the first
commercial airliner to use Fly-By-Wire technology - when the pilot moves the control yoke
he has no direct connection to the flight surfaces. He is simply sending signals to a
computer that in turn sends commands to powered actuators. Sensors on the various flight
control surfaces send periodic data to the computer as to their configuration. What would
a computer virus do to one of these systems?
Until recently the aforementioned networks were protected by isolation, i.e. they were
not connected to outside data networks. However, as we enter the information revolution
these networks will become part of the network of networks. The connection of these
networks makes their operation better as the systems are able to communicate. However, the
same interconnection introduces the possibility that an unauthorized intruder may enter
and corrupt the system.
Note: during the early days of the Cold War, DoD maintained dedicated, redundant, and
survivable communications. Today, 95% of DoD communications ride on the public switched
network. America has witnessed hackers who easily penetrated and manipulated the public
switched network. Can our nation's communications net withstand a coordinated attack from a
hostile nation state? Should DoD be concerned for the security of the public switched
network?
America's economic, political, and industrial infrastructures are now open to attack via
the net; this is the essence of Information Warfare (IW). IW offers hostile
entities the capability to exploit, disrupt, and/or destroy our nation's ability to
operate.
Why are hostile forces looking to information warfare?
- No other nation, political group, or crime cartel has the ability to challenge the U.S.
in a traditional force-on-force engagement. Consider the early days of our Revolutionary
War and the way British troops were trained to fight. They lined up in columns and marched
head-on into battle. Our patriots challenged this conventional method of warfare and took
cover. America's adversaries, like our revolutionary ancestors, are now posturing for
a new form of warfare fought within the information sphere. This new type of warfare can
make it possible for them to exert their will on America.
- War fighters have always considered an adversary's political, economic, and industrial
infrastructure as strategic targets. The information revolution now offers them the
ability to strike America by non-lethal means, many times, without attribution. The
ability to exploit, disrupt, and/or destroy our nation's infrastructure by attacking its
computer based operation, makes information warfare a very cost effective weapon to our
adversaries.
Summary
The challenges facing America's future are not unlike those of the early 1950's. The
difference is that the nuclear threat is replaced by a new threat. IW effects may weigh
heavily on the future of our nation. Over the next decade our nation will have to adopt
some type of Information Policy that establishes a means of coordinating the defense of
America's infrastructure. Likewise, DoD and the Intelligence Community need to develop
methods of providing critical technology and information to the public and commercial
sectors.
Here are the important points of this module:
- Then: DoD leveraged the majority of research. Now: Commercial demands
drive development.
- ARPANET's utility has evolved into a basic requirement.
- The public trust of government has been severely degraded.
- Information Warfare = a new way for hostile forces to exert their influence on America's
economic, political, and industrial infrastructure.
- Why IW? America has virtually eliminated other nation states' ability to project classic
force-on-force, i.e., our nation's military capabilities so dominate those of other
nations, few can challenge America militarily; therefore, most nations of the world have
effectively lost their element of military power when dealing with American policy.
- During the Cold War DoD maintained separate, dedicated, hardened communications. Today,
95% of DoD communications ride on the public switched network.
The Threat
Module 2
The Lesson
The module learning objectives:
- Identify the IW threats to DoD's information infrastructure and, in a broader sense,
America's data networks.
- Address some of the sociological implications of an IW attack.
You must consider the various perspectives of IW threats:
| Perspective | Concern |
| Corporate | Security, reliability |
| FBI | Criminal activity |
| Treasury/banking | Security, non-repudiation |
| DoD | Defense |
| Intelligence | Espionage - Input unavailable for beta version |
What is DoD's concern?
After all, internal Continental United States (CONUS) policy is not its concern...
Or is it?
There is a shared responsibility between managing DoD and commercial networks.
Why is DoD concerned?
DoD uses closed systems, router and firewall protection, and encryption in order to
secure critical networks and message traffic; however, these secured transmissions ride on
the public switched network, which has been proven to be vulnerable to IW attacks.
The enemy is turf blind. It does not worry about what is DoD or Public.
Information Warfare does not equal Computer Warfare.
Computer Warfare (CyberWar) is a subset of Information Warfare.
Many aspects of IW can be waged without the use of the computer. Take, for example, Somalia.
Summary
Hopefully the case studies have illustrated that there are a variety of IW threats
possible.
Here are the important points to this module:
- IW is not restricted to the technical world. Remember Somalia?
- In the past, links were the primary targets to exploit, while links and nodes were
targets for denial and destruction. This is classic C2W.
- In this new world, nodes and information are the primary targets for hackers and
foreign intel.
- Now you have two new concerns: radical groups and commercial off-the-shelf software
(COTS).
DoD Roles and Missions
Module 3
The Lesson
The module learning objective:
- To consider the question of who does what, who should be doing what, and what policy is
in place that provides specific authority for both defensive and offensive IW.
Why is DoD involved in Information Warfare?
Consider the two perspectives:
- The offensive perspective. DoD must maintain the leading edge in warfighting capability.
- The defensive perspective. DoD must defend America (a shared role).
The DoD is critically dependent on information technology.
In the past:
DoD maintained a dedicated hardened communications capability.
Today:
Current technology offers better commercial communications services than past DoD
systems. This, coupled with declining budgets, has driven DoD to the commercial sector for
communications needs.
Result:
Currently, 95% of DoD communications ride on the public switched networks.
Concern:
DoD has no authority to provide guidance on securing the public net.
So, What is DoD's role?
- Develop new weaponry that will operate in the new information infrastructure.
- Coordinate DoD policy with national policy needs. This can be done through executive
committees, congressional support, and commercial interface.
- Ensure efficient use and system interoperability (ASDC3I).
- DoD procurement - solving future challenges in acquisition and technology (e.g.,
commercial, off-the-shelf purchases (COTS)).
Here are some DoD agencies that have an important role in IW:
- Defense Advanced Research Projects Agency (DARPA) - previously known as ARPA, has
traditionally coordinated leading edge technology development, and is now focusing on
information security technology.
- Defense Information Systems Agency (DISA) - DISA takes the lead in securing DoD
unclassified, but sensitive networks.
- National Security Agency (NSA) - has the responsibility for securing the nation's
classified data networks as well as managing the nation's cryptographic (code-breaking)
activities.
The Joint Chiefs of Staff
Within DoD, the IW division of effort resides with the Joint Chiefs of Staff.
J3 is responsible for offensive IW. It coordinates development and approval for release
of all IW weaponry. J6K, by contrast, is responsible for defensive IW. Further, the J6K
acts as the Information Assurance policy coordinator and focuses DoD's IW education in
conjunction with the J7 and ASDC3I.
The split nature of the JCS will likely precipitate a change toward unification of both
offensive and defensive IW. Since the military's primary role has historically been
warfighting, it would be reasonable to assume that the J3 and J6 will merge their IW
mission under the J3 umbrella. Look for similar merging of offensive and defensive
missions throughout DoD organizations and agencies.
How does DoD ensure that public systems on which the military depends are secure?
The question of who will coordinate the processes of securing America's information
infrastructure is still unanswered, but it is unlikely that DoD will assume this role.
Information Warfare may be likened to waging Infrastructure Warfare. Whoever is
responsible for managing the infrastructure will probably assume some key responsibilities
in securing America.
So, what is the DoD role at the national strategic level?
To lead from behind.
and
- Provide sound advice on the exact nature of the threat.
- Provide information (knowledge) gained by past experiences (i.e., what works and what
does not).
- Provide technical expertise when requested.
- Form partnerships with state and local governments as well as with the commercial
sector.
DoD's most important role
As a result of Watergate, Vietnam, and other associated events, public trust in the
government has steadily eroded over the past six decades. This erosion has also affected
the DoD's image. Many Americans believe that DoD is not in line with mainstream culture,
e.g., policies on gays in the military and sexual harassment (Tailhook). It is a common
belief that the Pentagon is looking for a new global threat now that the Cold War
is over, and that the Information War is the new global threat used to acquire
additional DoD funding. Reinforcing these views is the recurring question "What is Big
Brother up to?" Given that situation, it is clear that the public will demand strong
evidence before accepting an expansion of DoD's role into cyberspace.
This cannot be overstated: DoD must take steps to re-establish the public trust and
provide clear evidence that the IW threat is real. The first steps are:
Public trust is critical. Americans should not have to ask "What is my
government up to?"
Summary
This module contained two simple, yet important messages. DoD must accomplish these two
tasks to accomplish its IW mission:
- DoD is dependent on the civil infrastructure. DoD must share responsibility with the
civil sector for defense of the national information infrastructure.
- Government departments and agencies will have to develop a strategy for leading from
behind.
Information Assurance
Module 4
The Lesson
The module learning objective:
- To define the concept of National Information Assurance and identify related national
policy issues.
Before we continue with this module, let's review the previous 3 modules:
Module 1 Review
Then: Money was available through DoD sponsored research. Now: Commercial demands drive
development.
The birth of ARPANET evolved into a basic requirement.
Then: Public trust of government was high. Now: Public trust of government is low.
Module 2 Review
IW is more than technical, i.e. Somalia.
In the past, network links were the primary targets for exploitation, and links and
nodes were targets for denial and destruction. Classic C2W.
In this new world, nodes and information are the primary targets for hackers and
foreign intelligence.
There are now two new concerns: radical groups and commercial, off-the-shelf software
(COTS).
Module 3 Review
DoD is now dependent on the civilian infrastructure.
DoD must share the responsibility with the civilian sector for defense of the national
information infrastructure.
The President, Congress, Supreme Court and the commercial sector will divide the baby.
Government departments and agencies will have to develop a strategy for leading from
behind.
In this module we will address these major points on Information Assurance:
- Who, what, when and why (roles perspective).
- DoD's role (past attempts).
- Risk management (nodes, links, and information).
- Defense strategies: red team approach vs active defense.
- Management challenges.
From the National Security Strategy, February 1995:
The threat of intrusions to our military and commercial information systems poses a
significant risk to national security and must be addressed.
That, by now, should be obvious. The real concern is:
Are we under attack right now? And if so, from whom?
Redefining and maintaining security is a national concern. DoD and the Intel community
must design a method that will provide critical threat and technical knowledge. They must
also cooperate with the private sector.
Who Are The Real Players?
Some of the real players who will influence the political process and build the
solutions:
- Sun Micro Systems
- Microsoft
- Motorola
- Intel
- IBM
- Apple
- And many others...
With DoD leading from behind!
Accreditation Shortfalls
Past DoD attempts in securing the information infrastructure mainly involved an
accreditation process. This, unfortunately, did not work well because of these shortfalls:
- Inconsistent accreditation decisions were made independently for interdependent systems.
This resulted in non-uniform protections across common DoD infrastructure. Also, the
weaknesses in one community undermined the security of others.
- Security assessments are costly, time-consuming processes.
- Security was not adequately addressed during the development and maintenance of the
systems, which resulted in ineffective or inefficient security.
- Inefficient integration across DoD efforts resulted in duplication and approaches that
did not meet common DoD needs.
Accreditation Consequences
The shortfalls of a DoD accreditation system led to the following consequences:
- Erratic protection for DoD information systems.
- Cost of protection too high.
- No means to cope with new technology.
- Once accredited, a false sense of security exists, that is, until the next detected
attack.
Defensive IW Implementation
Any proposed defensive IW implementation must encompass all of these areas:
- Doctrine
- Policy
- Organizational Infrastructure
- Assessments
- Technology
- Education & Training
Active Defense
If accreditation does not work, what about an active defense? This implementation also
has shortfalls. Most importantly, an active defense would violate U.S. criminal code on
computer crime, e.g., 18 USC 1030 (a)(5)(A).
Consider also the following scenario: What if the hacker is using his/her parent's
business computer or is using an assigned computer at the Washington Post, Sony, or the
Pentagon?
Using an active defense would damage not only the hacker's files, but also the files of
the legitimate computer owner/user. What if the computer being used by the hacker, a
doctor's son, belonged to your doctor and the files destroyed by an active defense were
your patient history files?
Other considerations:
- Both good guys and hackers use the Internet.
- Hackers use sniffers.
- Hackers loop & weave.
- Hot pursuit and active defense may not be options.
If Active Defense is not an Option...
There are recommended strategies to deal with hackers who enter your network. Once
intrusion is detected, you have several options:
Sometimes the best offense is a good defense...
IW Defensive Strategy
What works?
- Manage your security - set policy for what is allowed, and what behavior is prohibited.
- Banners that announce monitoring to be read by everyone logging onto your system.
- Red Teaming - Controlled "hacking" by security professionals whom your
organization has contracted to identify security risks.
- Risk management - plan for the attack.
The Political Quagmire
Module 5
The Lesson
The module learning objectives:
- To discuss opposing viewpoints (individual rights vs. law enforcement).
- To present specific recommendations.
Information Policy - The Political Quagmire
Do we need a national information policy?
If so, what forces will influence the process?
Can we look to history for clues?
A Historical Review
Was national policy challenged by the Industrial Revolution? If so, what did we learn?
Did the Cold War challenge national policy? What unique challenges does the Information
Revolution pose?
It is reasonable to suggest that our society is becoming more dependent on information
systems. In an effort to better understand policy challenges of the emerging Information
Age, it may be useful to consider our nation's reaction as it transitioned into the
industrial age. Such an analysis may yield similar policy concerns, i.e. state vs.
individual rights.
Policy Challenges of the Industrial Revolution: The Lochner Period
Looking to the U.S. Supreme Court and the period of 1905-1937 (Lochner Period),
we see that our nation was challenged by the industrial revolution in much the same way as
it is challenged by the Information Revolution today. In 1905 the Supreme Court considered
the case of Lochner v. New York, where the court struck down a New York law that limited
the number of hours a week bakers could be contracted to work. This profound legal finding
shifted the balance of rights toward free enterprise; thus, the term the Lochner Period.
The essence and impact of this period cannot be overstated.
Policy Challenges of the Industrial Revolution: Before the Lochner Period
Before the Lochner Period (circa 1897) our nation subscribed to a policy of
laissez-faire economics. In 1897, laissez-faire became the operative policy as a result of
the Allgeyer v. Louisiana decision. Laissez-faire was basically the principle of
protecting business from unreasonable regulation, i.e. to advance the Industrial
Revolution. The important point is that America has promoted and will continue to promote free
enterprise. Free enterprise developed our nation's industrial strength and positioned our
country for its role as a world leader. Therefore, it should come as no surprise that
industry will continue to leverage considerable influence in any national debate.
The Period 1934-1996
Looking to the period from 1934 to 1996 and its telecommunications legislation, we see that
economics drove the political agenda. The national communication system (AT&T) was
built upon the power infrastructure provided by the Rural Electrification Act. However, as
technology and competition developed our nation witnessed the break-up of AT&T.
AT&T's break-up was driven by industry as the market nature of our economy prevailed.
The most recent and potentially dramatic change came with the Telecommunications Act of
1996, where competition is virtually open to all, and for the first time the operative
word is information, and not television, telephone, or anything else.
Cold War Policy Challenges
The threat of complete and total destruction challenged all sectors of our civil and
government infrastructure. For the first time in history a nation could completely,
without notice, destroy another nation. In time, solutions were developed to protect
against this danger. Most of these solutions relied upon inter-working relationships
between not only nations, but between governments and their civilian sectors. The
Information Revolution poses a new threat against our political, economic, and industrial
infrastructure. Once we worried about national secrets; now we must be concerned with
industrial secrets. Hostile forces will use the information infrastructure to extract
trade secrets critical to an industry's competitive edge.
The Issue of Privacy
Privacy is one of the most interesting of individual rights. The term itself does not
appear within the Constitution or the Bill of Rights and is often referred to as an
implied right. The balance of an individual's right to privacy has shifted with time as our
courts have interpreted our founding fathers' intentions. Today many argue that the right
to privacy need not be specifically addressed by the Constitution, as it is one of the most
basic of the rights granted by the Creator, which this government was formed to protect.
Nonetheless, our policy makers will be driven to accelerate the privacy debate as
Americans come to realize the overwhelming capabilities of modern computer systems to
gather and analyze personal data and reveal personal information that many do not want
disclosed. Whatever your personal or business perspective, this aspect of the public
debate will be key to future policies. It is imperative that all viewpoints be considered
and an equitable policy emerge; otherwise, our nation will experience a protracted period
of legislation vs. court review which will only serve to the benefit of our nation's
adversaries. Consider issues of privacy in Cyberspace using the following rule of thumb:
Currently two tests exist to determine if privacy has been violated:
1. Does the individual or company expect the information to be private (subjective
expectation of privacy)?
2. Is society willing to grant that expectation?
The Threat of Perception Management
Third world nations are developing a tactic referred to as the Aideed Model.
This model is named after the Somali warlord whose unique strategy of turning a
nation's information infrastructure against itself through active perception management
led to the defeat of the world's best equipped military. The Aideed Model is particularly
attractive as the budget for executing such an operation is typically smaller than that of
an inner-city street gang. This, among other recent examples, proves that factions hostile
to the interests of the United States do not need to engage in traditional military
force-on-force in order to exert their will upon a superpower.
Historical Conclusion
From a policy perspective, our nation is undergoing a change not unlike the Industrial
Revolution, with many of the same issues reemerging for debate. This does offer a good
perspective for policy makers as a benchmark. However, unlike our transition into the
industrial age, the current transition challenges our policy makers much like the Cold War
period in that solutions rely on cooperative efforts between government and the civilian
sector. Further complicating information policy is the possibility that our form of
democracy may be challenged as never before. That said, history suggests there are two
great dilemmas. As in the past, two themes help to identify critical policy issues:
equality for all and the power of government vs. the individual. Now, as in the past, the
solution lies in a delicate balance between the people, government, and industry.
What Did We Learn From the Industrial Revolution?
The major points from our brief historical review are:
- Historically, national policy has supported industrial growth through free enterprise.
- Privacy has and continues to be a major issue.
- Just as in the past, national policy makers are faced with two great dilemmas:
  - Ensuring equal rights.
  - Separation of individual vs. national government rights.
What Did We Learn During the Cold War?
- Information Warfare threatens many of our national infrastructures (political, economic,
and industrial), in much the same way nuclear weapons did during the Cold War. Nuclear
weapons threatened loss of service through mass destruction whereas IW threatens through
the net attack.
- In both cases, the solution depends on a government, industry, and civilian joint
effort. Our nation's (information/infrastructure) civil defense relies on cooperation.
What is Unique About the Information Revolution?
- The impact of a connected America (an immediate human viewpoint sensor) on the national
policy process.
- The ability of an adversary to manage the American perspective.
- Unlike nuclear or conventional weapons, it is often impossible to detect an Information
Warfare attack until it is too late. Further, the adversary can hide within Cyberspace.
- Government has much less influence as compared to its influence during the Industrial
Revolution and Cold War period. As a result, government must lead from behind by providing
sound, accurate advice to the public and industry.
The Various Perspectives of Information Warfare
These are the various perspectives of IW:
- Intelligence - this data unavailable in the beta version.
Summary
The focus for change must come from Congress. The issues associated with
defending America in the age of information can only be equitably debated through this
branch of government. This is not to suggest that the President and the Judicial branch
will not play a major role; they will. Congress will have to take the lead in forging new
policy as our nation enters the 21st century.
Role of the President: direct the Executive branch departments and agencies to provide
critical information (data) for use by Congress, industry, and the public in forming the
national debate. The Executive branch must provide a clear representation of the threat
that IW poses to our nation's infrastructure. Further, the President must ensure that any
technical skills and associated knowledge resident in the U.S. Government is available to
industry and Congress for their use in formulating national information policy.
Role of the Supreme Court: The Supreme Court will, as it has in the past, ensure that
legislated policy does not encroach on the rights of Americans. Just as the Supreme Court
played a major role in interpreting legislation as America entered the Industrial
Revolution, it will do so for the Information Revolution. However, history has shown that
such interpretations are molded over time as society's needs and perspectives change. For
example, the balance between economic rights and the needs of business.
Role of industry: Corporate America will be called upon to provide a realistic view of
industry's security needs. This view is currently not possible as most of corporate
America is either fearful of disclosing the extent of the threat, or is unaware of the
intentions of its adversaries. To remedy this, the President must commit America's
intelligence community to directly providing relevant indications and warnings to
industry. Congress must engineer a policy where industry is required to report the number
and nature of IW attacks against its infrastructures. Such disclosures by industry must be
protected to guard against the erosion of public confidence.
Role of the individual: The Internet is growing exponentially. Within it there are many
references to the sanctuary of cyberspace. There have been declarations of cyber
independence and calls for a hands-off by governments. People of the world are
experiencing for the first time what Americans have taken for granted: Freedom of Speech.
The ability to publicly voice one's opinion is bringing a passion to the Internet that is
indescribable. Non-Americans are naturally hesitant to embrace any government association
with the Internet. However it must be remembered that it was America, specifically the
U.S. Department of Defense, that made the Internet possible. According to the Declaration
of Independence, America's government is formed by its people to protect the rights
granted by the Creator. This brings us to one of the most fundamental arguments of society
(State): when do the rights of the many outweigh the rights of the few? This issue has been
argued since the dawn of logical thought. Our policy makers (President and Congress) must
receive a balanced view from their constituents. Often our nation has applied the oil only
to the squeaky wheel. The Congress must initiate public community debates to help bring
the message to Washington. When called, individuals must educate themselves on the issues
and voice their opinions.
Lessons from the Past
Look to our nation's transition during times of great change, e.g., the industrial
revolution, the Great Depression, and the nuclear threat (Cold War). During each period
the concept of free enterprise provided the technical means to a solution. Likewise, each
transition required a new assessment of the balance of rights. Looking more recently to
the second half of the 20th century, it can again be illustrated that free enterprise
enabled America to become the global leader in technology.
Specific Lessons from History
- Legislative actions have historically supported economic and industrial growth.
- The mean trend of U.S. Courts has been to lean toward the rights of the individual. The
right to privacy has and will continue to be at the center of such debates.
- The technical solutions to all of America's needs have come from the industrial sector.
History has shown that with encouraging government policy the pace of development can
be greatly accelerated, e.g., America's race for the moon in the 1960s.
- Look to the benefits of AT&T's divestiture. What other aspects of America's critical
infrastructure could benefit from similar considerations, i.e., electric power
distribution?
- Consider the recent cases involving free speech; for example the Philadelphia Court
striking down legislation on indecency. What can be learned from this? Was Congress
reactive or proactive? Were legislators responding to impulse demands of a minority?
Congress must carefully consider the implications of oiling the squeaky wheel, as this may
lead to action without thoughtful representation.
IW Weapons
Module 6
The Lesson
Notice: Due to the sensitive nature of this section, the weapons presented are ones
proposed by open source (non-government) authors. The examples offered should only be
considered as concepts to stimulate your thoughts on "what-if" possibilities.
THIS PRESENTATION NEITHER CONFIRMS NOR DENIES THE EXISTENCE OF SUCH WEAPONS!
The module learning objectives:
- Explain and define the types of weapons that can be used to conduct Information Warfare.
- To understand that each IW weapon could be used as a strategic national, theater
strategic, operational, or tactical weapon.
IW weapons include the following:
| Malicious software | Chipping |
| Back doors | Electromagnetic pulse weapons |
| Destructive microbes | Van Eck radiation |
| Cryptology | Spoofing/Authentication |
| Video morphing | Psychological operations |
| Attacks on the banking system | Disruption of air traffic control |
| Denial of service | Stand-off and close-in sensors |
| Decision support | |
Malicious Software
Viruses,
worms,
and Clipper encryption chip could possibly have built in a secret back
door so that they can easily decode messages encrypted with the chip.
Electromagnetic Pulse
Electromagnetic pulse weapons could be used to knock out enemy electronics equipment.
Suitcase sized devices have been developed to do just that.
Destructive Microbes
Researchers are also working on developing microbes which eat electronics components so
that, in the event of conflict, these microbes could be introduced into an adversary's
electronics equipment to cause failure.
Van Eck Radiation
Van Eck radiation is the radiation which all electronic devices emit. Specialized
receivers can pick up this radiation and tap a wealth of information. Fortunately, there
are various safeguards against this type of attack.
Cryptology
Cryptology is a weapon of information warfare used both to encrypt communications and to
crack secure ones. Despite significant advances in cryptography, cryptanalysis will
continue to be an important weapon aided by equally significant advances in computing power.
Spoofing
Spoofing is an attempt to send a falsified message to someone. For example, I could
dial up a university phone registration system pretending to be someone I have a grudge
against, and drop their classes. Since these systems are automated, all I need to know in
most cases is a person's Social Security number and birthdate.
Video Morphing
Video morphing is a weapon that could be used in a manner similar to that in the movie
Forrest Gump to make an enemy leader appear to say things he or she didn't in fact say,
undermining credibility.
Psychological Operations
Psychological operations (PSYOP) use all available information means to form a
desired public perception. PSYOP benefits from the ability to conduct market research and
analysis of regional data. As a result, customized messages can be generated for each
targeted sector of society. PSYOP was used very successfully in the U.S. reinstatement of
Haiti's president.
Attacks on the banking system, Disruption of air traffic control, Denial of service
Various possible operations with obvious effects include knocking out telephone
switches, crashing stock markets, attacking electronic routers for rail systems, attacking
bank accounts, disrupting air traffic control, and denying service with, for instance, a
ping attack. Note: the "ping attack" gets its name from old age sonar
techniques. Within a network, a computer can send systematic queries to all addresses and
analyze the associated return time, very similar to sonar. Net groups with similar times
of return can be associated into a hierarchical structure.
Stand-off and close-in sensors
For military applications, the use of stand-off and close-in sensors to gather data
could be considered an information warfare weapon.
Decision support
As in any decision process the more information available the higher the probability of
arriving at a useful solution. Likewise, computer decision support is also a key weapon in
information warfare and especially in defensive information warfare. Decision support can
be used to detect attacks, identify the type of attack, generate defensive options,
evaluate options, and perform damage assessments. In a similar manner, an adversary's
decision support system can be delayed or disrupted with erroneous data.
Summary
Information Warfare Weapons fall into three categories: Strategic National, Strategic
Theater, Operational, and Tactical. Each category has its own unique capabilities and thus
requires different safety mechanisms to prevent inadvertent release. Consider nuclear
weapons. They too can be employed to support a tactical, theater and/or strategic
objective. However, nuclear weapons must ultimately be released for use by the President
and usually by recommendation of the National Security Council. IW weaponry is very
similar, but there are exceptions.
The Commander In Chief (CINC) will always implement the directions of the President. IW
weaponry supporting non-military elements of power or that fall into the category of
national strategic will all require NSC approval. However, operational control of IW
weapons which support classic C2W has been delegated to the CINC for implementation.
Likewise, traditional theater level Electronic Warfare (EW) or PSYOP that is enhanced by
IW capabilities falls under CINC authority as well.
National Strategic IW weapons will be released by the President upon recommendation of
the NSC. For example, a computer virus that would cripple a nation's monetary system or
seize control of international satellites must be controlled by either the President
or SECDEF (if authority has been delegated). Justification: a response in-kind would have a
direct impact on the American homeland, i.e. the loss of sanctuary.
So who pulls the trigger? In general the command to launch an IW attack will at least
be reviewed by the National Security Council, possibly the President (weapon dependent),
and ordered by the CINC. One must remember that some strategic weapons will only be
released on authority of the President. Note: during the planning process the CINC will be
the single person responsible for the overall campaign and will decide his or her
preferred weapons of choice, but just as in the case of nuclear weapons, IW weaponry will
require a higher level of coordination and authorization for release.
Loss of Sanctuary
Module 7
The Lesson
The module learning objectives:
- Understand the concept of an Information (electronic) Pearl Harbor.
- Understand loss of sanctuary.
Historical Review
What was Pearl Harbor? A strike at the heart of America.
Why Pearl Harbor? Japan wanted to eliminate the US's ability to project power in the
Pacific.
How do countries today project power?
- Politically
- Economically
- Military option removed
Another Consideration
Why are Third World nations so desperately seeking weapons of mass destruction (WMD)?
Many nations do not have the resources to maintain a powerful military force. WMDs,
such as nuclear, biological, or chemical weapons present an economically viable
alternative for security.
What was wrong with Japan's WWII strategy and recent efforts by Third World nations?
Pearl Harbor ensured a response from the United States. Japan wanted to erase the U.S.
Pacific military threat. They, of course, did not accomplish that. Iran, Iraq, Libya, and
others want to reduce the effectiveness of American military influence, but they know
doing so explicitly and deliberately would result in war.
An Effective Information (electronic) Pearl Harbor
So what would an effective Information Pearl Harbor look like? Today, our critical
infrastructures consist of the transportation, power, and industrial networks. These all
could be likely targets.
The U.S. may find it difficult to use military force in response to an Information
Pearl Harbor-type attack. It is difficult for the U.S. to retaliate using military action
when the country did not suffer loss of life and cannot even determine who to target.
Weapons Choice From a Non-US Perspective
| Force Deployed | Relative Expense | Anticipated Response |
| Military deployment | Very high | In kind. US would dominate. |
| Nuclear | High | Possible in-kind. US would win. |
| Chemical/biological | Medium | Definite military response. US would win. |
| IW infrastructure attack | Low | US can't ID attacker. Can't retaliate. |
Information Pearl Harbor Summary
- Many developing nations are seeking to level the field with respect to the basic
elements of power.
- Most nations have started advancing their economic and political development, and thus
are seeking to increase their international status.
- No nation on earth can afford to challenge the U.S. militarily. IW can level the field.
- The political, economic, and military reaction to an IW Pearl Harbor is an acceptable
risk to an attacking nation.
- Therefore, it is reasonable to assume that the next Pearl Harbor will be against a
critical aspect of America's infrastructure. Further, it is reasonable to suggest that
this attack will be launched via cyberspace.
The Military Perspective
Module 8
The Lesson
The module learning objective:
- To examine Information Warfare from the military perspective.
The Military Perspective - War Fighting in the Information Age
Carl von Clausewitz reasoned that commitment to war emerges from the confluence of three
characteristics or tendencies: the people, the military, and the government. He suggested
that when these three components unify around a common purpose to be achieved by force of
arms, an interactive trinity emerges that produces the national will to fight.
This suggests the following formulation:
National Will = Will of the People + Will of the Military + Will of the Government
This proposition has been supported in the emerging information age. For examples, look
at Somalia and Haiti. Information had the power to break the will of the people.
The Military - Planning For Future Conflict
Our military must assume that future conflicts will be viewed real-time in the homes of
every American. War must be quick, decisive, and limit civilian casualties to few or none.
Furthermore, because of our system, the military and political leadership cannot lie or
deny access to the American press.
Does the Information Age offer any positive advances to the military?
Yes.
These include: immediate battlefield awareness, precision weapons, and most
importantly, new non-lethal weaponry. However, we must understand America's potential
adversaries may have the same capabilities. Therefore, many believe future conflicts will
be waged on the information plane.
Why Will the Military Choose Information Warfare?
Consider infrastructure as a target: power plants, communications facilities,
factories, petroleum pipelines, transportation systems (air, sea, rail). All are either
currently or will soon be operated and managed by computers, and those computers receive
critical sensing and requirement changes via the net. Therefore, by attacking or taking
control of the net, an adversary controls the infrastructure.
A nation's air force may take out an air defense system using a computer virus in lieu
of an iron bomb. It's cheaper, quieter, and safer. And it is psychologically more
effective!
Infrastructure
A nation's infrastructure can be exploited, disrupted, or destroyed by infiltrating the
computer networks that control it. Many ask whether an army will still be required to
occupy a nation to impose its will. In total war, most likely; however, in the emerging age
of economic warfare occupation can be achieved by precipitating a condition conducive to a
leveraged buy-out, i.e., foreign corporations with the assistance of their government will
simply procure critical portions of an enemy's infrastructure. As a result, ultimate
control can be achieved through the corporate board room.
Remember, the trinity concept offered by Clausewitz: a nation's will is a combination
of the people's, military's, and government's will. The people will as always desire a
non-military solution to challenges of national interest. The information age offers many
non-military options for exerting national will.
IW offers a new peace time application of warfare. A new type of infrastructure attack
focused against a nation's political, economic, and social infrastructure.
Economic Warfare - Taking Away a Nation's Ability to Produce and Trade for Needed
Commodities
An old quote:
The greatest happiness is to vanquish your enemies, to chase them before you rob them
of their wealth, to see those dear to them bathed in tears, to clasp to your bosom their
wives and daughters. Genghis Khan
Today, translated by America's competitors:
The greatest happiness is to crush your American competitor, to chase them before you,
to rob them of their market share, to clasp to your income statement their former sales
revenues, and to hear the lamentations of their stockholders. Asian Strategy
The Military Perspectives of Information Warfare
You can examine each service's perspective on IW:
Recommendations
Module 9
The Lesson
The module learning objective:
- To examine recommendations for a national policy on Information Warfare.
Directions
Congress is being pulled in all directions by these groups:
- Supreme Court
- Industry
- Individual citizens
- Defense
- Foreign interests
- Law enforcement
- Special interest groups
Although a political solution has not been identified, it does exist. The path toward
the answer can be significantly narrowed. The historical evolution of our constitutional
rights provides the reliable road map. Our country's Constitution, legislative enactment,
executive orders, and Supreme Court rulings form the boundaries within which future
policies.
Congressional leaders will be challenged to set upon the path to deriving legislation
that secures our nation's critical infrastructures. In doing so our nation's leaders will
have to pay close attention to the following influences. Otherwise, the legislative
process will become bogged down in debate or litigation and much needed legislation will
ultimately be delayed.
- First, fourth and fourteenth amendments
- Individual citizens
- Special interest groups
- Law enforcement
- Defense
- Lochner lesson
- Industry
- Foreign interests
- Supreme Court rulings
Finding the Path
Finding the path consists of:
- Identifying the problem (threat) and opportunity.
- Determining a process (committee structure).
- Gathering information (who has interest and what are those interests?).
- Forming a strategy (review of draft legislation).
- Implementing the strategy.
The Next Step
The IW threat has been identified and the process of reporting such is on-going. The
next step, Determining a Process, has been done by the formation of a presidential
bipartisan committee (commission) on securing our Nation's critical infrastructures.
This committee will focus on protecting those infrastructures critical to national
defense and preserving the American way of life; however, in doing so issues that resonate
at the core of each American's individual right to freedom will have to be considered.
Groups which support various positions during these debates will have to carefully
formulate their strategy to ensure that the needs of their constituents are addressed.
What is the Problem (an example in problem solving)?
This may sound elementary, but one of the most difficult aspects of problem solving is
correctly identifying the problem, or determining what really needs to be fixed.
Interestingly, the threat of an informational attack itself is not the central issue.
Depending upon the specific target infrastructure the central issue may be one of several:
knowing the event has occurred, motivations of the attackers, the loss of service, or the
attacker's ultimate goal (which could be the second or third order effect).
The following example is offered as a mental exercise to help illustrate that
identifying the central issue is not always easy and that often solutions are sought that
do not solve the actual problem.
The Scenario
The setting is a college class room.
On the first day of a freshman engineering class thirty students have filled the room,
confident that they have the ability to become world-class engineers. The instructor
introduces himself and displays the following sign for the students' consideration:
The instructor asked two questions, with the first being "What is the
problem?" After about twenty minutes, the students were ready to present their
analysis. The students finally decided that the following was the problem: the bridge
freezes before the road surface.
The second question was, "What is the best solution?" There was little consensus.
The students devised clever solutions to the problem. Here are some of their creative
solutions:
- An automatic salt dispenser that operates during freezing conditions.
- Keep bridges dry with an inexpensive covering.
- Heat the bridge during the winter months.
The Result
So, two questions were asked: "What is the problem?" and "What is the solution?"
Obviously, the students did not get either question correct. As the students continued to
work on this assignment, the voice of a young lady emerged from the back of the room.
"The sign is the solution," she said.
The instructor then asked, "What is the problem?"
She replied that the problem is not the bridge freezing. It is the fact that a driver
who is not paying attention and traveling on a surface with good traction suddenly reaches
an area where the road surface is icy. The problem is the unsuspecting driver, not the
freezing bridge.
Therefore, the sign is the solution as it makes the driver aware of a potential hazard.
She was right!
Example Summary
The example was given to illustrate how easy it is to arrive at a solution to the wrong
problem and miss the issue. Look at the recent Indecency Law passed by Congress and struck
down by a Philadelphia Court as unconstitutional. The law sought to stop the postings of
pornographers from being accessed by minors via the Internet. Did the engineers of this
legislation lose focus on the real problem? As a young person, did you ever see
pornography? Is the material the problem, its mode of publication, or its manufacturer?
As our nation enters the age of information many different issues will come into play:
privacy, free speech, law enforcement, etc. Our congressional leaders (more importantly
their staff members performing the analyses) will have to remain constantly aware that it
is easy to diverge from the core issue, which is the national security threat posed by IW.
The IW threat will raise many issues for congressional review. Not all of these issues
deal with national security. Congress and executive agencies must continue to keep the
national debate focused upon securing America. Only then can our nation adequately deal
with the more social aspects of the emerging information age.
Here is a recommended rule of thumb. If you are suggesting a solution, ask yourself, "Why
would I want to do that?" Continue asking yourself until you arrive at a basic, repeating
conclusion. Consider our students in the example and their initial solutions. Would
they have come to closure more quickly had they asked the simple question, "Why?" Would
Congress have passed the recent Indecency Law had they done the same?
Summary and Conclusions
Module 10
The Lesson
The module learning objective:
- To summarize and draw conclusions from the previous lessons.
Module 1 Summary - How Did We Get Here?
- The Internet was born from a DoD requirement for a survivable communications system. As
a result the Global Information Infrastructure (GII) which utilizes the Internet protocol
is evolving into a robust information sphere where individuals are discovering a political
and social freedom never before available. There is an evolving new indestructible
cyberspace where individuals are free from race, color, age, or sexual bias; only one's
ideas matter. Our planet is undergoing an information revolution. Module 1 illustrates
what many call the nuclear model. This reference suggests that just as the threat of
nuclear war forced America to develop new national policy focused on defending America
from a new threat, so does the emergence of an Information Warfare threat establish a need
for an Information Civil Defense. Such an IW Civil Defense would consolidate national
policy to protect America's critical infrastructures (communications, power, financial,
transportation) from attacks launched via the net.
- A comparison between now and then: The Internet concept (ARPANET) was born from a Cold
War requirement when the United States government leveraged over 90% of all
telecommunications research. As a result, the Internet protocol (TCP/IP) was accepted by
industry and academia. Today, the Internet offers a viable market place rich for corporate
and public investment. With the end of the Cold War, the United States government now
contributes less than 10% of telecommunications research funds.
- Once capable of supporting an independent communications network, the Department of
Defense enjoyed the security of a dedicated and redundant network. However, faced with
diminishing defense budgets and a rapidly expanding commercial telecommunications
infrastructure, DoD is now economically forced to rely on the Public Switched Network, a
network that has been demonstrated to be vulnerable to information attack. For the first
time in history, DoD is critically dependent upon an infrastructure that it does not
control or influence. This begs the question, "Who will be responsible for securing
America's critical infrastructures?" And for the first time, DoD and the intelligence
community must grapple with the concept of leading from behind, where contributions to the
national debate are to provide accurate, sound advice on what constitutes the Threat, and
which entities are positioning themselves to take advantage of America's critical
infrastructures.
Module 2 Summary - The Threat
- Why is Information Warfare a threat? IW levels the international playing field
(political, economic, and military), i.e., most nations cannot challenge American policy
using traditional force-on-force. Information Warfare is very cost effective, and offers a
non-attribution capability that can be completely hidden during development and
deployment. Finally, the United States, whose policy is often the target of attack by
emerging or rogue states, is the most vulnerable to IW.
- DoD analysis suggests that when 95% of government networks were subjected to
informational attacks, less than 5% were detected. Further, of the 5% detected, very few
are successful in closing the hole to future attacks.
- The groups posing the threat to America's critical infrastructure are:
| Threat | Threat Level |
|---|---|
| Individual Hackers | Low level threat (nuisance) |
| Coordinated hacking (Instructor/tutor) | Low/Med level of threat |
| Funded, coordinated (focused, employed) | High level |
| State sponsored, focused (Intel provided, spec tasking) | Extremely High |
A new management philosophy is needed.
- Old Business - New Focus (Spies of the 21st century). As security products become
available to the public and commercial sector the focus of international espionage will be
redirected from the individual with access to desired information toward the network
system administrator. Just as any industry seeks the most bang for the buck, so will
foreign case officers seek to target the system administrators of key computer systems.
This threat transcends the traditional focus and will expose virtually every aspect of
American society. In the past corporations needed only to enforce strict security upon
those facilities handling classified government material. The spies of tomorrow will
target institutions such as banking (ATM, investment), transportation (Federal Express,
UPS, rail, trucking) and industry (chemical, power, computer, etc.).
- The new business of spying. As the world enters the information age, international
economic competition will become more fierce. Nations will set as a national priority the
goal of acquiring America's customer base. Industrial espionage will escalate into
industrial sabotage. For example, a foreign power may recruit a critical software or
hardware engineer in an effort to implant destructive code that can be remotely triggered.
The focus of such an attack may be as simple as to force a general product recall, and the
timing of the execution could coincide with a critically weak period for the company. Thus
a simple failure that forces a product recall may precipitate a disastrous fall of stock
prices and takeover of the company. (Industry will need to re-think its current security
practices and be more aware of the threat posed by grieving and/or disgruntled employees.)
Module 3 Summary - DoD Roles and Missions
- America's military is in the process of aligning itself as the Cold War threat
diminishes. Tomorrow's military will continue to stand ready to defend America if faced
with the traditional two major regional conflicts scenario; however, it will be forced to
do so with fewer resources. Economizing will be sought through advanced Command and
Control Warfare. Further, America's military will be more likely to operate with a global
reach utilizing new strategic offensive information warfare. Tomorrow's military will
prepare the theater of conflict by seizing control of all critical infrastructures
utilized by the enemy. Tomorrow's enemy will only be able to communicate, finance, or
logistically relocate that which our leadership allows. Our adversary will be blinded by a
complete cyberfog of war.
- Just as these new weapons for peace are being developed, so are the controlling
mechanisms. Currently the Joint Chiefs of Staff has both an offensive and defensive group
addressing these very issues. Mechanisms are currently in place and being honed to ensure
that each new strategic weapon is controlled within the required authority for release.
- From the defensive perspective, DoD is currently inhibited as its mandated authority
prohibits involvement in securing the public and corporate sector of America's critical
infrastructure. This offers the greatest challenge to future military leaders, as they
have little influence in securing a vulnerable America which is open to an Information
Pearl Harbor. Just as America pulled together a nation threatened by a cold war, our
nation's leaders must define America's Information (infrastructure) Civil Defense.
Module 4 Summary - Information Assurance
To expand the DoD perspective of securing America from groups that wish to influence
U.S. policy through infrastructure attacks, our nation's leadership, both political and
industrial, must define a process by which America can be secured. The National
Information Infrastructure will be used by tomorrow's enemies to gain access and attempt
to control or influence our nation's critical infrastructures. Policy makers will be faced
with the challenge of respecting and balancing the basic rights of Americans. For example,
a balance between the right to privacy vs. law enforcement represents one of many issues
which will be hotly debated. However, there is one positive aspect; the threat posed to
America's infrastructure via IW attacks is by its nature non-partisan. The threat is real
and is focused against all of America. As a result, our political leaders will come to
closure on this issue much more quickly. This contrasts sharply with the health care
debates of the early 90's which ended with few positive results.
The key to Information Infrastructure security is clearly defined by our forefathers:
We hold these truths to be self-evident, that all men are created equal, that they are
endowed by their Creator with certain unalienable Rights, that among these are Life,
Liberty, and the pursuit of Happiness. That to secure these rights, Governments are
instituted among Men, deriving their just powers from the consent of the governed. That
whenever any Form of Government becomes destructive of these ends, it is the Right of the
People to alter or to abolish it, and to institute new Government, laying its foundation
on such principles and organizing its powers in such form, as to them shall seem most
likely to effect their Safety and Happiness.
Our forefathers believed that individual rights were granted by God and secured by
government. Our nation's leaders will be challenged to find the right balance - this
represents the heart of the debate in securing America.
Module 5 Summary - The Political Quagmire
The focus for change must come from Congress. The issues associated with defending
America in the age of information can only be equitably debated through this branch of
government. This is not to suggest that the President and the Judicial branch will not
play a major role; they will... Congress will have to take the lead in forging new policy
as our nation enters the 21st century.
Role of the President: Lead from behind by directing the Executive branch
departments and agencies to provide critical information (data) for use by Congress,
Industry, and the public in forming the national debate. The Executive branch must provide
a clear representation of the Threat that IW poses to our nation's infrastructure.
Further, the President must ensure that any technical skills and associated knowledge
resident in the U.S. Government is available to industry and Congress for their use in
formulating national information policy.
Role of the Supreme Court: The Supreme Court will, as it has in the past, ensure
that legislated policy does not encroach on the rights of Americans. Just as the Supreme
Court played a major role in interpreting legislation as America entered the Industrial
Revolution, it will do so for the Information Revolution. However, history has shown that
such interpretations are molded over time as society's needs and perspectives change. For
example, the balance between economic rights and the needs of business.
Role of industry: Corporate America will be called upon to provide a realistic
view of industry's security needs. This view is currently not possible as most of
corporate America is either fearful of disclosing the extent of the threat, or is unaware
of the intentions of its adversaries. To remedy this, the President must commit America's
intelligence community to directly providing relevant indications and warnings to
industry. Congress must engineer a policy where industry is required to report the number
and nature of IW attacks against its infrastructures. Such disclosures by industry must be
protected to guard against erosion of the public confidence. Today many nations desire
U.S. military products; tomorrow they will want American security products that protect
critical infrastructure. If our nation's policy makers pass legislation that encourages
the will of American industry, the "Made in America" label will appear on
security systems worldwide.
Role of the individual: The Internet is growing exponentially. Within it there
are many references to the sanctuary of cyberspace. There have been declarations of
cyber-independence and calls for a hands-off by governments. People of the world are
experiencing for the first time what Americans have taken for granted: Freedom of Speech.
The ability to publicly voice one's opinion is bringing a passion to the Internet that is
indescribable. Non-Americans are naturally hesitant to embrace any government association
with the Internet. However it must be remembered that it was America, specifically the
U.S. Department of Defense, that made the Internet possible. According to the Declaration
of Independence, America's government is formed by its people to protect the rights
granted by the Creator. This brings us to one of the most fundamental arguments of society
(State): when do the rights of the many outweigh the rights of the few? This issue has
been argued since the dawn of logical thought. Our policy makers (Congress and the
President) must receive a balanced view from their constituents. Often our nation has
applied the oil only to the squeaky wheel. The Congress must initiate public community
debates to help bring the message to Washington. When called, individuals must educate
themselves on the issues and voice their opinion.
Lessons from the Past
Look to our nation's transition during times of great change, e.g., the industrial
revolution, the Great Depression, and the nuclear threat (Cold War). During each period
the concept of free enterprise provided the technical means to a solution. Likewise, each
transition required a new assessment of the balance of rights. Looking more recently to
the second half of the 20th century, it can again be illustrated that free enterprise
enabled America to become the global leader in technology. The voices of our forefathers
offer guidance; if only we would listen.
Specific Lessons from History
- Legislative actions have historically supported economic and industrial growth.
- The mean trend of U.S. Courts has been to lean toward the rights of the individual. The
right to privacy has and will continue to be at the center of such debates.
- The technical solutions to all of America's needs have come from the industrial sector.
History has shown that with encouraging government policy the pace of development can
be greatly accelerated, e.g., America's race for the moon in the 1960's.
- Look to the benefits of AT&T's divestiture. What other aspects of America's critical
infrastructure could benefit from similar considerations, i.e., electric power
distribution?
- Consider the recent cases involving free speech; for example the Philadelphia Court
striking down legislation on indecency. What can be learned from this? Was Congress
reactive or proactive? Were legislators responding to impulse demands of a minority?
Congress must carefully consider the implications of oiling the squeaky wheel, as this may
lead to action without thoughtful representation.
Module 6 Summary - IW Weapons
Information Warfare Weapons fall into three categories: Strategic, Theater, and
Tactical. Each category has its own unique capabilities and thus requires different safety
mechanisms to prevent inadvertent release. Consider nuclear weapons. They too can be
employed to support a tactical, theater and/or strategic objective. However, nuclear
weapons must ultimately be released for use by the President and usually by recommendation
of the National Security Council. IW weaponry is very similar, but there are exceptions.
The Commander In Chief (CINC) will always implement the directions of the President. In
such a capacity certain IW weapons can be left to the discretion of the CINC for
implementation. Likewise, traditional theater level Electronic Warfare (EW) or PSYOP that
is enhanced by IW capabilities fall under CINC authority.
Strategic IW weapons, however, will most likely be reserved for release by the highest
level. For example, a computer virus that would cripple a nation's monetary system or
seize control of international satellites must be controlled by the President
(or SECDEF if authority has been delegated). Justification: a response in-kind would have a
direct impact on the American homeland, i.e., the loss of sanctuary.
So who pulls the trigger? In general the command to launch an IW attack will at least
be reviewed by the National Security Council, possibly the President (weapon dependent),
and ordered by the CINC. One must remember that some strategic weapons will only be
released on authority of the President. Note: during the planning process the CINC will be
the single person responsible for the overall campaign and will decide his or her weapons
of choice, but just as in the case of nuclear weapons, IW weaponry will require a higher
level of coordination and authorization for release.
Module 7 Summary - Loss of Sanctuary
America has the strongest, most capable military in the world. This fact challenges
many nations' objectives which conflict with American policy. No nation has the capability
to challenge the United States using traditional force-on-force. Further, the acquisition
of weapons of mass destruction by such nations is also considered futile, as America's
response would be direct and massive. This leaves many developing nations with few options
in countering America's military force. That was until the introduction of Information
Warfare.
Many nations in competition with the United States, either in the political or economic
realm, are actively developing IW capabilities. They hope to use these capabilities to
gain an industrial edge by stealing U.S. industrial secrets, and when possible disrupt
America's industrial base.
America possesses many infrastructures: power, transportation, economic. But there are
others not normally considered. Our nation possesses a knowledge infrastructure where
critical scientific information is freely shared between academia, government, and
industry. This infrastructure, like others, is open to attack by IW weapons.
America has typically enjoyed a protected sanctuary provided by the two great oceans.
Not until Pearl Harbor and the subsequent nuclear threat did America become aware of its
loss of sanctuary. With the fall of the Iron Curtain and the end of the Cold War,
Americans have returned to believing in a new protected sanctuary. This is far from the
truth. Daily, America's critical infrastructures are being probed and investigated by
foreign powers. Our nation's industries currently lack the capability to adequately detect
the implantation of IW weapons into our infrastructure.
Many nations are looking for ways to attack our financial networks to gain economic
advantage. Likewise our industrial base is under attack. Cyberspace has no geographic
boundaries. Nations are contracting the efforts of cyber-terrorists to maintain
non-attribution. It is possible that some nations we traditionally consider allies and
friendly are set on a path of economically and industrially conquering America.
America's sanctuary has been lost. Our nation is under a quiet, sometimes organized
attack by many forces whose goal is to topple America's global position.
Module 8 Summary - The Military Perspective
The military perspective on the beta version of this tutorial was composed from various
unclassified briefings and presentations. The beta version has been distributed to each
service with the intent of providing input into the final version due in October 1996. As
you explore the military perspective please remember that military offensive aspects of IW
cannot be discussed openly. Nonetheless these efforts are ongoing!
Just as America's military transitioned into the industrial age and adopted the concept
of mechanized war, so will it adapt to warfare in the information age. That said, the
transition will not be easy. Just as military leaders resisted accepting a mechanized
cavalry and the concept of an Air Force, there will be great hesitation to adopt IW. By its
nature any military must adhere to tradition and order. How else can a person be commanded
into combat? But tradition typically stalls advancement of new technologies. America's
military will become tomorrow's information warriors, and when future military leaders
look to this period they will again wonder why acceptance of such a natural concept was
hard to comprehend.
The Army has and will always command the ground aspect of warfare. The information
revolution will provide a battlefield (situational) awareness unimaginable today. The fog
of war will be greatly reduced if not totally eliminated. Likewise, offensive IW will
render our nation's enemies dispersed and informationally isolated. The enemy's fog will
be extended to a complete blindness. All aspects of today's Army will be enhanced by the
information revolution.
The Navy and Marine Corps will continue to control the seas and provide the heavy
strategic reach capability America now enjoys. Global sensory networks will ensure the
Navy has the capability to track any form of naval enemy on a global basis. New
information technologies will extend the track and reaction time of many naval weapons
for both hard and soft kills.
The Air Force and its command of the skies will continue. Tomorrow's air defense
weaponry and electronic warfare will be unrecognizable to today's military leaders. The
ability to precisely strike a hostile nation's command and control, air defense, or
critical infrastructures will be just a push-button away. If a hard kill is required, the
enhancement of IW will ensure the safety of our service personnel and reduce the amount of
physical force necessary. Precision strike will place munitions on a target in ways now
considered impossible.
Module 9 Summary - Recommendations
The nation is ready to debate the issue of Information Warfare and begin to decide the
delicate balance between protecting individual rights and national security. Over the
past three years we have come a long way. First the term Information Warfare was
discussed, i.e., what does it mean. Then groups began to discuss organization structure
and identify needed policy. Today, insiders understand IW and its threat to America's
infrastructure. It is now time to move the debate to the people and industry and answer
the question, how do we protect America's Critical Infrastructure from Information
Warfare?
The following Executive Order was issued by President Clinton on July 15, 1996. It
focuses the necessary ingredients for the national debate:
WASHINGTON, July 15, 1996
Executive Order
Certain national infrastructures are so vital that their incapacity or
destruction would have a debilitating impact on the defense or economic
security of the United States.
These critical infrastructures include
telecommunications,
electrical power systems,
gas and oil storage and transportation,
banking and finance,
transportation,
water supply systems,
emergency services (including medical, police, fire, and rescue), and
continuity of government.
Threats to these critical infrastructures fall into two categories:
1. physical threats to tangible property ("physical threats"),
2. and threats of electronic, radio-frequency, or computer-based attacks
on the information or communications components that control critical
infrastructures ("cyber threats").
Because many of these critical infrastructures are owned and operated by
the private sector, it is essential that the government and private
sector work together to develop a strategy for protecting them and
assuring their continued operation.
NOW, THEREFORE, by the authority vested in me as President by the
Constitution and the laws of the United States of America, it is hereby
ordered as follows:
Section 1. Establishment. There is hereby established the President's
Commission on Critical Infrastructure Protection ("Commission").
(a) Chair. A qualified individual from outside the Federal
Government shall be appointed by the President to serve as Chair of the
Commission. The Commission Chair shall be employed on a full-time basis.
(b) Members. The head of each of the following executive branch
departments and agencies shall nominate not more than two full-time
members of the Commission:
(i) Department of the Treasury;
(ii) Department of Justice;
(iii) Department of Defense;
(iv) Department of Commerce;
(v) Department of Transportation;
(vi) Department of Energy;
(vii) Central Intelligence Agency;
(viii) Federal Emergency Management Agency;
(ix) Federal Bureau of Investigation;
(x) National Security Agency.
One of the nominees of each agency may be an individual from outside the
Federal Government who shall be employed by the agency on a full-time
basis. Each nominee must be approved by the Steering Committee.
Sec. 2. The Principals Committee. The Commission shall report to the
President through a Principals Committee ("Principals Committee"), which
shall review any reports or recommendations before submission to the
President. The Principals Committee shall comprise the:
(i) Secretary of the Treasury;
(ii) Secretary of Defense;
(iii) Attorney General;
(iv) Secretary of Commerce;
(v) Secretary of Transportation;
(vi) Secretary of Energy;
(vii) Director of Central Intelligence;
(viii) Director of the Office of Management and Budget;
(ix) Director of the Federal Emergency Management
Agency;
(x) Assistant to the President for National
Security Affairs;
(xi) Assistant to the Vice President for National
Security Affairs.
Sec. 3. The Steering Committee of the President's Commission on
Critical Infrastructure Protection. A Steering Committee ("Steering
Committee") shall oversee the work of the Commission on behalf of the
Principals Committee. The Steering Committee shall comprise four
members appointed by the President. One of the members shall be the
Chair of the Commission and one shall be an employee of the Executive
Office of the President. The Steering Committee will receive regular
reports on the progress of the Commission's work and approve the
submission of reports to the Principals Committee.
Sec. 4. Mission. The Commission shall:
(a) within 30 days of this order, produce a statement of its
mission objectives, which will elaborate the general objectives set
forth in this order, and a detailed schedule for addressing each mission
objective, for approval by the Steering Committee;
(b) identify and consult with: (i) elements of the public and
private sectors that conduct, support, or contribute to infrastructure
assurance; (ii) owners and operators of the critical infrastructures;
and (iii) other elements of the public and private sectors, including
the Congress, that have an interest in critical infrastructure assurance
issues and that may have differing perspectives on these issues;
(c) assess the scope and nature of the vulnerabilities of, and
threats to, critical infrastructures;
(d) determine what legal and policy issues are raised by efforts
to protect critical infrastructures and assess how these issues should
be addressed;
(e) recommend a comprehensive national policy and implementation
strategy for protecting critical infrastructures from physical and cyber
threats and assuring their continued operation;
(f) propose any statutory or regulatory changes necessary to
effect its recommendations; and
(g) produce reports and recommendations to the Steering
Committee as they become available; it shall not limit itself to
producing one final report.
Sec. 5. Advisory Committee to the President's Commission on Critical
Infrastructure Protection.
(a) The Commission shall receive advice from an advisory
committee ("Advisory Committee") composed of no more than ten
individuals appointed by the President from the private sector who are
knowledgeable about critical infrastructures. The Advisory Committee
shall advise the Commission on the subjects of the Commission's mission
in whatever manner the Advisory Committee, the Commission Chair, and the
Steering Committee deem appropriate.
(b) A Chair shall be designated by the President from among the
members of the Advisory Committee.
(c) The Advisory Committee shall be established in compliance
with the Federal Advisory Committee Act, as amended (5 U.S.C. App.).
The Department of Defense shall perform the functions of the President
under the Federal Advisory Committee Act for the Advisory Committee,
except that of reporting to the Congress, in accordance with the
guidelines and procedures established by the Administrator of General
Services.
Sec. 6. Administration.
(a) All executive departments and agencies shall cooperate with
the Commission and provide such assistance, information, and advice to
the Commission as it may request, to the extent permitted by law.
(b) The Commission and the Advisory Committee may hold open and
closed hearings, conduct inquiries, and establish subcommittees, as
necessary.
(c) Members of the Advisory Committee shall serve without
compensation for their work on the Advisory Committee. While engaged in
the work of the Advisory Committee, members may be allowed travel
expenses, including per diem in lieu of subsistence, as authorized by law
for persons serving intermittently in the government service.
(d) To the extent permitted by law, and subject to the
availability of appropriations, the Department of Defense shall provide
the Commission and the Advisory Committee with administrative services,
staff, other support services, and such funds as may be necessary for
the performance of its functions and shall reimburse the executive
branch components that provide representatives to the Commission for the
compensation of those representatives.
(e) In order to augment the expertise of the Commission, the
Department of Defense may, at the Commission's request, contract for the
services of nongovernmental consultants who may prepare analyses,
reports, background papers, and other materials for consideration by the
Commission. In addition, at the Commission's request, executive
departments and agencies shall request that existing Federal advisory
committees consider and provide advice on issues of critical
infrastructure protection, to the extent permitted by law.
(f) The Commission, the Principals Committee, the Steering
Committee, and the Advisory Committee shall terminate 1 year from the
date of this order, unless extended by the President prior to that date.
Sec. 7. Interim Coordinating Mission.
(a) While the Commission is conducting its analysis and until
the President has an opportunity to consider and act on its
recommendations, there is a need to increase coordination of existing
infrastructure protection efforts in order to better address, and
prevent, crises that would have a debilitating regional or national
impact. There is hereby established an Infrastructure Protection Task
Force ("IPTF") within the Department of Justice, chaired by the Federal
Bureau of Investigation, to undertake this interim coordinating mission.
(b) The IPTF will not supplant any existing programs or
organizations.
(c) The Steering Committee shall oversee the work of the IPTF.
(d) The IPTF shall include at least one full-time member each
from the Federal Bureau of Investigation, the Department of Defense, and
the National Security Agency. It shall also receive part-time
assistance from other executive branch departments and agencies. Members
shall be designated by their departments or agencies on the basis of
their expertise in the protection of critical infrastructures. IPTF
members' compensation shall be paid by their parent agency or
department.
(e) The IPTF's function is to identify and coordinate existing
expertise, inside and outside of the Federal Government, to:
(i) provide, or facilitate and coordinate the provision
of, expert guidance to critical infrastructures to detect, prevent,
halt, or confine an attack and to recover and restore service;
(ii) issue threat and warning notices in the event
advance information is obtained about a threat;
(iii) provide training and education on methods of
reducing vulnerabilities and responding to attacks on critical
infrastructures;
(iv) conduct after-action analysis to determine possible
future threats, targets, or methods of attack; and
(v) coordinate with the pertinent law enforcement
authorities during or after an attack to facilitate any resulting
criminal investigation.
(f) All executive departments and agencies shall cooperate with
the IPTF and provide such assistance, information, and advice as the
IPTF may request, to the extent permitted by law.
(g) All executive departments and agencies shall share with the
IPTF information about threats and warning of attacks, and about actual
attacks on critical infrastructures, to the extent permitted by law.
(h) The IPTF shall terminate no later than 180 days after the
termination of the Commission, unless extended by the President prior to
that date.
Sec. 8. General.
(a) This order is not intended to change any existing statutes
or Executive orders.
(b) This order is not intended to create any right, benefit,
trust, or responsibility, substantive or procedural, enforceable at law
or equity by a party against the United States, its agencies, its
officers, or any person.
WILLIAM J. CLINTON
THE WHITE HOUSE, July 15, 1996.