Information Warfare - Part 2 Issues in Current Infowar

In part one of this series we explored some of the fundamentals of Infowar, and the developing political and economic scenario in the 21st century. The essential conclusion is that Infowar in its manifold forms is a reality which we cannot escape, and one which will ever increasingly be a consideration for the computing community.

What remains is to explore contemporary issues in Infowar, and attempt to identify clear trends in the immediate future.

Many happenings anticipated in recent years have materialised. We have seen the first public demonstrations of a HERF gun at a recent InfoWarCon conference; public testimony to a congressional subcommittee by David Schriner describes a TED (Transient Electromagnetic Device) spark gap weapon capable of crippling machines from tens of metres; we have the United States' military ostensibly admitting to hacking the air defence computers of the Serbian national air defence forces; and we have an ever growing penetration problem with crackers getting into high profile websites and playing often embarrassing pranks. Internet newsgroups are frequently inundated with ultra-nationalists and oft weird special interest groups.

None of these developments fall outside of the predictions of five years ago. The technological community has warned of this and it has indeed transpired, as expected.

We could of course reiterate these issues in more detail, but in perspective, this does little to illuminate the future.

I therefore decided to consult a wiser head in these matters. I posed to Winn Schwartau, widely acknowledged to be the originator of the Infowar concept as we know it today, the following question: what are the most important issues in Infowar today?

His response was to articulate the following six points:

  1. Dealing with the human factors problem.
  2. Dealing with the legal problems.
  3. Defining Rules of Engagement.
  4. Solving the damage assessment problem.
  5. Isolating damage effects to minimise collateral damage.
  6. How do we structure forces to execute information warfare.

To these six cardinal points I am tempted to add a seventh:

  7. Accommodating the cumulative effects of Moore's Law in computing technology.

A good starting point for developing these issues is to point out that Infowar is inevitably, as any survival contest is, split between the offensive and the defensive. The popular notion that Infowar can be a purely defensive play is utterly irrational, and flies in the face of five millennia of history. The advantage more often than not lies with the attacker, who can choose the time and the place of the engagement.

This point leads us into the issue of the human factors problem.

How should we articulate this problem? In the simplest of terms it is a result of many people not taking the issue seriously, at every level of our government and industry. At the lowest level it is manifested in ostensibly trivial sins like sloppy password management procedures. Stepping up a level, it is manifested by managers who choose not to spend resources on security, or company directors who decide that the overheads of hiring security consultants or specialists in security oriented system admin are a waste of effort.

The problem extends further, to legislators who are completely illiterate in computing, let alone Infowar, and choose to frame legislation around ridiculous and ultimately futile agendas such as content control on the Internet, while remaining utterly blind to the real problem areas.

We could argue that it is a widespread case of "ignorance is bliss", but this in many respects flies in the face of the huge volumes of public debate and discussion on these issues, and the incessant sensationalised media coverage of the issue.

The problem really runs much deeper, and is clearly related to collective community values.

We should consider the fact that our culture has exceptionally well defined protocols and legislation covering the handling of money. Money is kept in bank vaults, virtually every cent is carefully accounted for in every till, while frequently draconian penalties are applied for theft, usually in proportion to the magnitude of the theft in question. Frequently a person is judged on his monetary worth or earning capacity, first and foremost, all other attributes and qualities falling by the wayside.

This should not be surprising, since we are essentially in our values a mercantile culture. In a medieval Christian culture piety would be a measure of one's worth, while in a communist culture the individual's fanatical devotion to the cause would be such. The values of a culture are implicitly tied to whatever mechanism is central in making that culture work.

In the digital age information/knowledge is that central mechanism, and therefore we would expect our culture's value system to reflect exactly that, and accord information/knowledge the very same worth that a classical capitalist culture accords to money. Protect it for what it is worth, and treat it with the respect it deserves. Reward those who can create it and most effectively exploit it.

Herein lies the crux of the "people problem" in Infowar, and the root cause of many of the people related problems we see in the computing game. Our community value system is still firmly rooted in the mercantile viewpoint of the world, and has yet to catch up with the modern economic, military and social reality of the digital age. Granted, we have seen Mr Gates become the richest individual on the planet, but most people have yet to come to grips with the most fundamental reality of the digital age.

Information/knowledge = value, in the same sense as "money = value".

Whether that information/knowledge is static data, as in a database or document, or an executable program, which essentially replicates and automates a recipe for performing a task, that information/knowledge is a package of value, no different in many respects from a bundle of banknotes.

Until community values realign to reflect this new reality, and information/knowledge, and the capacity to generate it, are recognised for what they are worth, the extant problem with people and Infowar will persist. Indeed the public have yet to equate a file server with a bank vault, and a credit card capable website with a till in a supermarket.

How soon will this come about? If we accept Kuhn's arguments relating to paradigm shifts, this will take at least a generation, the time it takes for people wedded to established values to die out.

The big question is whether we can afford to wait another generation for this to come about. The need for community values and our legislative base to reflect the current paradigm is urgent and cannot wait for decades. Judging from the value of the NASDAQ, and the profitability of the digital finance "industry", Kuhn's model may yet be proven wrong here; nevertheless, things are not happening quickly enough.

The issue of legislation brings us to the second critical item in contemporary Infowar.

The problem is a very simple one, which is that legislation today does not reflect the realities of conflict in the information/knowledge domain. A good example is the problem of dealing with jurisdictional boundaries. The simple instance of attempting to prosecute a cracker overseas, or somebody who harasses another in cyberspace, is literally a legal minefield. This becomes all the more difficult once we must grapple with a hostile government.

Consider the canonical scenario of nation A tasking its military or para-military computing professionals with cracking into nation B's banking system and stock market, and taking both down to induce an economic collapse. Of course, nation B can be expected to play exactly the same game. In a conventional war, either side might shoot missiles or drop bombs on one another with the understanding that, providing agreed protocols on targeting are observed, the best player wins.

Yet today many Western democracies are in the position whereby it is legally easier for them to drop a laser guided bomb through an opponent's window than to crack into his computer system. Indeed legislators, and the public at large, as yet have failed to grasp the fact that another government cracking into a government computer, or putting a hacksaw through a fibre cable, is acting no differently than if they were shooting off a ballistic missile or lobbing a satchel charge into a munitions depot. It is an act of war, in every sense of the word.

A government which sponsors crackers to bust into another country's computing infrastructure is performing at a minimum the equivalent to a special operations commando penetration of its opponent's military basing or government buildings. Yet the latter evokes responses which are as forceful as large scale bombing raids or land force invasions. The former does not.

Contemporary IW theorists have argued this issue extensively, but typically encounter stubborn resistance.

The underlying cause for this clearly irrational posture is related to item 1, without any doubt. The gravity of the act is undervalued, and it is therefore dismissed as being of substantially lower importance than it really is. Until such an attack produces a truly dramatic, Pearl Harbour category disaster, it is unlikely the message will get across.

This issue is further complicated by the boundaries between military and civil operations. Whereas legislation may eventually allow a nation's armed forces to respond in kind, or respond pre-emptively to an information attack, with a like information attack, or conventional counterstrike, civilian agencies and commercial players are unlikely to be afforded such latitude.

Whereas a security guard at a bank may be allowed to open fire at an armed bank robber who walks in the front door, the notion of a bank's systems programmer launching a denial of service attack against a criminal attempting to break into the bank's internal network is at this time legally problematic. More than likely it would result in the criminal's ISP successfully suing the bank in question.

The issue of legislation is indeed a thorny one, and one which will take some time to sort out. If conventional, precedent based legal practices are to apply, many of these issues will have to wait for test cases to produce rulings. In the meantime, a good measure of paralysis will exist.

The legal issues are closely related to the issue of Rules of Engagement (RoE), the fundamental constraints and protocols which are applied to any military operations. In conventional wars, such as those fought in the Persian Gulf in 1991, or over Serbia in 1999, Western warriors did battle under some frequently complicated and often very restrictive RoE. Whichever side of the argument of RoE one chooses to take, the reality is that in conventional wars the RoE are very carefully crafted to reflect political and operational constraints. What can and cannot be attacked, and under which conditions it can be attacked, is carefully (or not so carefully in some instances) defined and set down as inviolate constraints to military personnel.

The purpose of RoE is primarily to set boundaries for military operations, either in terms of geography or types of targets to be engaged. A typical RoE package today includes constraints from the Law of Armed Conflict (LOAC), which are mostly aimed at preventing the loss of innocent civilian lives, or the destruction of significant historical or cultural artifacts. While much debate continues as to the merits of many RoE packages and philosophies, it is a fact of life that few Western democracies would go to war without some kind of RoE.

Defining a meaningful RoE package for Infowar (IO) is a non-trivial task, and one which is yet to be properly resolved.

Consider the scenario in which an opponent's electricity grid and communications network are taken down. Both are target sets which evoke much argument in conventional targeting, since it can be argued that denial of both services can cause indirectly civilian casualties, and impose unreasonable hardship upon the population. Indeed the use of non-lethal carbon-fibre bombs against Serbia in 1999, designed to produce intermittent dropouts, was deemed to be more appropriate than simply putting high explosive 2,000 pounders into every powerplant in the country.

Taking down an opponent's finance infrastructure or stock market could produce similar arguments. If a country is plunged into an economic collapse of the ilk seen in Malaysia or Indonesia recently, does this constitute a violation of established protocols designed to protect civilians from unreasonable hardship?

These are all very interesting, and also very important questions. Consider that the wrecking of a nation's economy via a systematic information attack on its finance infrastructure could produce wider repercussions, by damaging countries with mutual economic dependencies with the target nation, no differently from physically wrecking its economy by large scale air raids.

While the latter may not incur legal side effects, the former may under the current scheme of things. This indeed complicates the whole issue no end.

The other side of this coin is dealing with players who choose not to observe any RoE. This has been the source of much argument in the context of conventional wars, since the countries which Western democracies most frequently clash with tend to be tin-pot dictatorships who usually have no respect for international conventions or legislation such as LOAC. Indeed the standard scenario is that Western RoE are played for what they are worth, and parking a surface to air missile launcher in the grounds of a hospital, or putting a civilian air raid shelter into the same facility as a military command post, are both good examples of such behaviour. Players who fall into this category are unlikely to restrict their offensive information operations to target sets deemed legitimate under international law.

The issue of RoE is a messy one, which like issues of cultural values and legislation remains to be resolved.

The issue of damage assessment is one which is closely related to targeting, and amounts in the simplest of terms to assessing the effect of an information attack. This is in a sense a broader problem relating to the use of all non-lethal weapons. While assessing the effect of an air or cruise missile attack may be as simple as looking for a smoking hole in the ground where the intended target stood, determining the effects of an information attack is not so simple.

Taking down an electricity grid or a stock market may be easy to assess by observing changes in activity. But taking down an air defence radar network or military intelligence database may be much trickier, since the opponent may choose to "play dead" and then activate the system at a most inconvenient time.

Cracking into an opponent's network and initiating a recursive remove in the root filesystem of a critical host system may only alert the opponent to a penetration, yet it may also cause considerable long term damage. This all depends on the opposing player's level of redundancy and backup policies.

The same applies should we choose to lob a 40 GigaWatt microwave warhead at a critical computing or communications site.

Just as the Argentines in 1982 managed to deceive the British into believing they had done more damage to the Port Stanley runway than they actually achieved, so it is possible for an opponent in the IW game to deceptively simulate greater damage levels than had actually been achieved.

Being too successful at taking down an opponent's networking and communications may indeed blind an attacker to what effect was actually achieved against other specific targets in the network.

An issue which is closely related to damage assessment is that of precisely controlling damage effects, so that only intended targets are taken out. This indeed closely ties into the earlier discussion of legal issues and RoE.

The difficulty lies in the fact that in most nations, much of the information infrastructure is shared between civilian government, military services and commercial organisations. If in the course of disabling the air defence network you also knock out the network supporting the country's hospitals, is this to be considered acceptable or unacceptable collateral damage?

The difficulty, other than the legislative/RoE aspects, lies in the simple technical problem of identifying which services are mutually dependent. This need not be an easy task, unless the network is a priori penetrated very thoroughly and all services in use exactly mapped out.

The problem can run much deeper, insofar as one may wish to leave some services in operation for other reasons, such as surveillance, intelligence gathering, deception and damage assessment. Knocking out the key router to disable the opponent's surface to air missile datalinks may preclude monitoring the alert status of the air defence network, or even the deceptive manipulation of its state.

Achieving a precisely contained effect may in many instances be impossible, and in some instances unanticipated side effects may arise from mutual dependencies unknown a priori even to the targeted operator of the system.

Some strategies devised for large scale information attack, such as the massed use of electromagnetic bombs, are structured upon the premise that the total disabling of the targeted system is the desired end state. For an escalated large scale conflict this may indeed be very true, from a military perspective. However, recent conflicts such as that fought over Serbia last year would suggest that massed attacks of this ilk are likely to be frustrated at the point of conception by political micro-management of the desired target set.

Unrealistic expectations by political leaders seeking politically "sanitary" campaigns have frequently complicated conventional military operations to the point of unworkability. We can expect repeat scenarios in any future conflicts fought in the information domain, given extant experience since 1950. The potential for a precise effect which can exist in information attack will offer an irresistible temptation for many politicians, despite the fact that the technological constraints border on the unimplementable. We have seen similar foolishness in the Australian public and political debate on Internet content, and this behaviour is very likely to spill over into the much more serious area of Infowar.

The final point articulated by Winn Schwartau is that of structuring forces for the conduct of Infowar. While this problem may superficially be seen to be confined to deciding whether it should be performed by the air force, army, navy, or military / civilian intelligence agencies, it, like many other problems in Infowar, runs much deeper.

Considering that the issue encompasses civil law enforcement, and also arguably penetrates the interests of commercial organisations, it is a problem of vast complexity.

Should every player field its own Infowar teams, should these teams be split into offensive and defensive groups, or should a single civilian or military agency be formed to cover this whole domain? We can rest assured that every single one of these strategies will have its vociferous proponents and opponents.

While economies of scale and the demand for high levels of technical specialisation would enhance the case for a single IW agency or body, the unique idiosyncrasies of IW characteristic of military vs law enforcement, and air/land/sea/space military operations, would in turn strengthen the case for individual IW capabilities in all of these extant bodies. There is no simple answer to the problem.

To complicate these evident problems in dealing with the current IW paradigm, we must also deal with the rapid evolution of technology resulting from Moore's Law. With compute performance, memory capacity and storage capability doubling every 18-24 months, we are facing a moving target. Technological capabilities for IW will continue to evolve at a rapid rate for the foreseeable future.

This has implications for the defensive play, since cryptographic measures will continue to erode in effectiveness, while it will also increase the potential capabilities of offensive tools.

Information Warfare as a discipline is still very much in its adolescence, and it is clear that many critical issues remain to be resolved.

My view as a competent observer is that the biggest obstacle in coming years will continue to be technological illiteracy in those outside the computing community, and the closely related problem of illiteracy in the social, political and economic implications of the digital revolution. While the former is easy to understand, I find the latter frequently perplexing, since the effects are clearly visible and a postgraduate degree in Comp Sci is not required to understand them. Legislators, who are frequently exceptionally well educated in the humanities, and are well tuned, one would assume, to social and political issues, have little if any excuse in this context. Yet many of them seem to be the least capable of grasping the issues.

We do indeed live in interesting times.