Information Warfare and Deterrence
Information Warfare (IW) and Deterrence was the focus of the sixth workshop in a series sponsored by the Directorate of Advanced Concepts, Technologies, and Information Strategies (ACTIS), of the National Defense University. The topic arose from both (1) issues that surfaced in earlier workshops on subjects as diverse as Coalition Command and Control (C2), Technologies and Operations Other Than War (OOTW), and Command Arrangements for Peace Operations; and (2) interests expressed by ACTIS sponsors in the Joint Staff (J-6) and the Office of the Secretary of Defense, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD/C3I).
The Workshop focused on three principal issues:
As with past ACTIS workshops, this one brought together senior analysts and technical experts, as well as active military leaders and action officers with operational responsibility in the affected areas, for a non-attribution discussion working toward consensus or clear articulation of alternatives and their consequences. This workshop was conducted at the Secret level, which inhibited discussion of some topics largely by preventing discussion of particular systems and examples. However, the participants were able to engage in a rich give-and-take and achieved a high degree of candor.
Key Concepts and Implications
On one level, deterrence and information warfare are well matched. Both belong to the world of robust ideas with broad implications. Both are highly relevant to the post-Cold War era in which conflict has been transformed from bipolar global structures to multi-sided, local and regional contests in which the military element is a crucial part of, but not the driving force for, competition and conflict. On the other hand, the two topics can be seen as orders of magnitude apart. IW is a huge domain, ranging from media wars to electronic combat and from economic competition to strategic conflict waged against civilian populations. Deterrence, while it has proven robust (i.e., applies across a range of situations), actually is a narrow concept that works only under a set of quite restrictive assumptions. Not surprisingly, therefore, the workshop participants found the relationship between the two concepts to be spotty -- highly relevant on some topics, marginally so on others, and not at all relevant in many areas.
Deterrence in the Information Age
The concept of deterrence is well understood. The workshop readily reached consensus on a basic definition of deterrence as "prevention or discouragement, by fear or doubt, from acting." Clearly, this definition implies an actor and a target. Moreover, the group also agreed on a simple set of conditions necessary for successful deterrence. These were seen as:
On the other hand, workshop participants were well aware that "deterrence theory" was largely a product of the Cold War era. This suggests that those whose experience is from that era may bring extraneous concepts or baggage to the topic. Hence, they readily agreed that deterrence applications outside the nuclear war arena must be thought through carefully and should be exposed to domain experts from the appropriate arenas before they are considered mature.
The Domain of Information and Information Warfare
The read-ahead package for the workshop included a paper that stressed the size and complexity of the information warfare domain (see Appendix B). As illustrated in the paper, three relatively independent dimensions are required to capture and describe the information warfare arena: the degree of conflict/cooperation, substantive focus (political, military, social, economic, etc.), and the nature of the actors involved (individuals, private organizations, nation states, international organizations, the general public, media, etc.).
The workshop participants generally accepted the broad nature of the information warfare domain and the central role of information systems and processes in the world today. However, they inferred several very important implications from this broad characterization of the relevant domain.
Workshop participants were aware of a variety of policy initiatives to create interagency working groups and coordinating mechanisms as well as public-private dialogues and mechanisms for both exchanging information and developing plans for dealing with information age threats that cut across communities. Considerable progress has been made in generating better awareness of the threat and some effort has been made toward cooperation. However, the general consensus was that these helpful activities were only now developing momentum and were far from successful completion.
Information Warfare and Deterrence
At the abstract level, the interface between these two concepts is dependent on setting the context clearly. First, deterrence is always from an actor toward a target. The very nature of the actor and target, as well as the degree of asymmetry between them, is important.
Moreover, the nature of the relationship between the parties is important to the analysis. Hence, specification of the context (type of relationship, nature of the actors, substantive domain) is essential before any conclusion is possible about the potential or actual effectiveness of deterrence.
The most important insight arising from looking at the two concepts, however, is the fact that they are only relevant to one another in highly selective contexts. The analogy that emerged was that of a steamroller and a wrench. Both are tools and, depending on the situation, appropriate wrenches may be useful for, or even crucial to, the operation of the steamroller. However, most of the things the steamroller does are irrelevant to the wrench and most of the things the wrench can be used for do not involve a steamroller. In many cases, therefore, the workshop found itself venturing away from a pure consideration of the two concepts and into meaningful discussions in areas related to one or more of the central topics.
How Might IW Attacks on the United States Be Deterred?
Workshop participants divided discussion of this topic into two very different topics: deterring attacks directed through computers and their connectivity (cyber-war attacks) and those directed at the general public through public media such as television, radio, and print. Indeed, one of the most profound dimensions of disagreement among workshop participants was the degree to which the Department of Defense ought to consider media attacks at all. However, because media messages can influence, and arguably have (Beirut bombing, Mogadishu television pictures, etc.) influenced, both the tasking of military assets and mission accomplishment, both types were examined.
Considerable discussion was required for the group to agree on the wide range of types of computer attacks that must be considered. Initially, some felt the discussion should focus only on protection of internal DoD systems, while others wanted to include broad strategic or operational attacks on the banking system or other commercial or quasi-governmental arenas. The workshop was aware, however, of an ACTIS analysis of Defensive Information Warfare (Appendix D) that differentiates attacks by their targets and implications into:
In addition, workshop participants stressed that not all information warfare attacks on computer systems need take the form of computer intrusion. Physical destruction of crucial telephone switching stations or other national information infrastructure assets would, themselves, be very damaging.
One significant finding was that the workshop participants consistently found themselves assuming that a visible set of defenses was the beginning point for deterring attacks on important computer systems. In essence, the argument was that information attacks are instrumental acts and will not occur if the attacking party perceives little opportunity for success.
At the same time, the workshop also noted that "success" has very different meaning for different types of actors and that some individuals, particularly those with "typical" hacker attitudes, would be likely to perceive a more robust defensive posture as a challenge, not as discouragement. This, of course, is a lesson in the need for specific contexts when discussing deterrence and IW. What works in some circumstances may be very wrong in others.
Regardless of whether good defenses necessarily deter attacks, there was consensus that the set of defenses now in place is inadequate for discouraging any but the least well prepared intruder. Not only are systems poorly protected, very few intrusions are detected (reportedly about 5%) and few of those (another 5%) are actually reported, even within the Department of Defense. If these figures are correct, the likelihood of knowing about an attack is .0025 (one-quarter of one percent) and the risk of being caught must be, by definition, even lower. Improved indications and warning (I&W), as well as improved reporting of detected attacks, are essential elements of improved defensive systems. In this context, the workshop also concluded that assessing the ability of DoD or others to deter attacks will require a sound understanding of the pattern of attacks being experienced. Better data collection as well as I&W was also a priority.
Finally, a variety of defensive measures were identified for computer systems. These are not unique to the deterrence arena, but rather reflect the workshop participants' assumption that some attacks will be deterred by effective defenses. The technical representatives in the workshop also stressed that for the foreseeable future the advantage in the cyber-war arena will lie with the offense. Hence, building defenses does not guarantee success. Creating redundancy as well as the capacity to contain, recover from, and reconstitute in spite of successful attacks are essential elements of a successful deterrence strategy. Vice Admiral Cebrowski, the JCS J-6, argued, in his luncheon presentation to the workshop, that decoupling information attacks from their purpose is an effective deterrent.
The workshop explored the potential for media attacks to deter effective military action in a Middle Eastern context. The scenario involved a campaign aimed initially at public attitudes in friendly and other regional countries whose cooperation is essential for major U.S. operations in and around the Persian Gulf, and later at public attitudes in the United States. The thrust of the argument was that prudent, even essential, military actions could well be called into question through media attacks with primarily political messages. Several conclusions emerged from these discussions.
Media warfare can put enormous time pressure on U.S. and allied decision making, particularly when the adversary is an authoritarian state with little or no necessity for either internal or international consultation.
Core Conclusion About Deterring Information Warfare Attacks on the United States
While recognizing that the variety of potential attackers, attack contexts, and arenas where information warfare attacks may take place is vast and too complex for simple solutions, the workshop participants were confident that the United States already has basic policies in place that serve as effective deterrents in many circumstances. In essence, some information warfare attacks on the United States are deterred by the same policy that deters other types of attack. Acting under its rights as a sovereign state, the U.S. stands ready to respond to any attack on its interests with all appropriate means, including law enforcement as well as military capacity.
Finally, the workshop recognized that considerable legal work needs to be completed in this arena. First, U.S. law (both state and federal) needs to be clear about the definition of crimes in the information arena. Second, international agreements and treaties are needed to ensure that foreign attackers can be prosecuted effectively and that acts of war are clearly identifiable.
Using Information Warfare to Deter Foreign Governments
In large measure because the discussion on defending against information operations was so rich, but also to a certain extent because of the relatively low level of classification for the meeting, this topic was addressed more quickly and in less detail than the others.
Some limits on U.S. offensive activities were noted. First, media manipulation that involves government personnel providing false information is neither politically wise nor consistent with U.S. policy and law. Second, information attacks are attacks and therefore subject to international law.
Those limits having been noted, the workshop participants also recognized that the technical capacity to render an adversary "ignorant," poor, uncertain of the capability to control its own forces, unable to communicate with its population, or uncertain of the quality of its basic information, could have a profound effect on its willingness to undertake a military adventure and thus equate to a powerful deterrent.
Moreover, while barely unveiling the true potential of highly leveraged information and superior battlefield awareness, Desert Storm has provided the world with a demonstration of the potential advantage of information dominance. Finally, the workshop concluded that research and development into tools and techniques that can impact potential adversaries' knowledge of the battlefield, control of their own forces, resources necessary to support armed conflict and deliver services to their populations, or leverage uncertainty about their own information, should go forward.
A series of more focused roundtables (smaller working groups with selected expertise) is planned to follow up on significant issues left unresolved or where more sensitive issues need to be considered.