- The importance of Information Technology (IT) to the functioning of our societies is evident in virtually every human activity. Computers are involved in and often control everything from government operations to transportation, from energy to finance, from telecommunications to water management. Every day an enormous amount of information is exchanged or stored by electronic means and trillions of dollars travel throughout the world electronically. Information technology has become even more pervasive with the widespread dispersion of personal computers. According to projections of the US Computer Industry Almanac, by the year 2000 there will be more than 550 million PCs in the world, 230 million of which will be connected to the Internet (92 million in the United States alone).
- The pace of technological change and our increasing reliance on technology are even more impressive. Five years ago, a computer chip could carry the equivalent of 1.1 million transistors. Now the number has increased to 120 million and engineers believe they can reach 400 million and even 1 billion. Capable of 256 billion multiplications per second, the latest desktop computers have acquired the speed of yesterday's supercomputers. This has accelerated the dispersion and use of the Internet. To achieve mass-user status, it took radio 35 years, television 13 years and the Internet only 4 years. Microsoft experts assert that Internet traffic doubles every 100 days and, according to other estimates, one billion people (one-sixth of humanity) will be on-line by 2005.
- The reliance of our societies on computers and the fact that many critical infrastructures are electronically interconnected poses evident security problems. Although computer experts have been working on these problems for years, only in the mid-1990s did Western defence analysts begin to pay serious attention to them. In a variety of studies and reports, a strategic catch phrase emerged to define a new concept: Information Warfare. In a 1997 Report, the NAA Science and Technology Committee provided a first assessment of Information Warfare, analysing most of the available sources on the subject. The threat of possible attacks on information systems and the potential risks for our military and civilian infrastructures were outlined in that Report. (1)
- In the last two years technological advances as well as governmental and international actions have changed the world of information security. As a consequence, the subject of information warfare has been extensively discussed and analysed, both within and outside the information technology and defence communities. This report analyses these new developments, starting with some new definitions of information warfare, assesses the effective strategic threats, and reports about the US and other governments' initiatives to counter them. It is also our intention to consider the concerns expressed by the science and technology community about the possible overstatement of such threats, especially with reference to some cases of media hyperbole.
* The Rapporteur would like to thank Almut Kaleschke for her assistance in preparing this Report.
II. WHAT IS INFORMATION WARFARE?
- The cited 1997 STC Report emphasised the distinction between the use of information in warfare and the newer concept of information warfare, the first being recognised since ancient times and referring basically to tactical and strategic deception, war propaganda, and destruction of command and control systems. In the current conceptualisation, information warfare "extends far beyond the traditional battlefield, and its possible perpetrators and victims are by no means confined to the military". A few definitions were reported then, to which your Rapporteur would like to add some new ones. The first is proposed by the Institute for the Advanced Study of Information Warfare:
"Information warfare is the offensive and defensive use of information and information systems to exploit, corrupt, or destroy an adversary's information and information systems, while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries." (2)
- The International Centre for Security Analysis of King's College, London suggests that information warfare "is about struggles for control over information activities" and distinguishes three levels or categories: ideational struggle for the mind of an opponent, struggle for information dominance, and attacks on, and defence of, information flows and activities. The first, highest level "encompasses the whole range of psychological, media, diplomatic and military techniques for influencing the mind of an opponent, whether that opponent is a military commander or a whole population". The second level could be assimilated with the Revolution in Military Affairs (RMA), whose theorists and advocates see, as the future evolution of armed forces, the goal of dominating the "information spectrum". The ultimate objective of this level of information warfare would be to render physical conflict "either unnecessary or at worst short, sharp and successful". At the third level the focus is on any kind of electronic attack upon military or civilian information infrastructures, including criminal hacking (or cracking), data disruption, illegal systems penetration, and also physical destruction, deception and psychological operations.(3)
- The Washington based Center for Strategic and International Studies (CSIS) recently published a comprehensive study on these issues and admitted that so many different activities have been classified under the label "information warfare" that it is now difficult to understand exactly what it is. Nonetheless, this study classifies information warfare activities according to the source, the form, and the tactical objectives of the attack. Thus, information warfare can be viewed as a combination of these three dimensions.
- First, an attack could originate either from outside or from within the targeted organisation or system. Second, four categories of attack can be identified:
- Data attacks are conducted by inserting data into a system to make it malfunction.
- Software attacks, similar to data attacks, are conducted by penetrating systems with software causing failure or making them perform functions different from those intended.
- Hacking or cracking is seizing or attempting to seize control of an information system (or a vital part of it) to disrupt, deny use, steal resources or data, or cause any other kind of harm.
- Physical attacks are the traditional form of attack (bombing, assaulting, and destroying) directed against information systems. An electromagnetic pulse (EMP) produced by nuclear explosions can also be included in this kind of attack.
- All these different forms of information warfare attack can be categorised by their goals or tactical objectives: they could be aimed at exploitation, deception, disruption or destruction of information systems. (4)
- The French Ministry of Defence has also offered an interesting definition of information warfare. It has singled out three types:
- War for information (guerre pour l'information): to obtain information about the enemy's means, capabilities and strategies in order to defend ourselves;
- War against information (guerre contre l'information): at the same time to protect our information systems and to disrupt or destroy the enemy's.
- War through information (guerre par l'information): to conduct misinformation or deception operations against the enemy in order to achieve "information dominance".(5)
- All the above are accurate and acceptable definitions, but for the sake of clarity we can try to summarise them into a simpler and more limited formula. Information warfare could be then defined as defensive and offensive operations, conducted by individuals or structured organisations with specific political and strategic goals, for the exploitation, disruption or destruction of data contained in computers or transmitted over the Internet and other networked information systems. (6)
B. ASSESSING THE THREAT
- In general terms, a threat can be defined as the combination of a capability and a hostile intent. According to many analysts, the reason for concern about attacks upon information systems, or information warfare, is that the means of offence are widely available, inexpensive and easy to use. In a world where even governments and the military tend to rely on computer hardware and software available commercially off-the-shelf (COTS), virtually anybody with a computer and the technical skills could become a cracker or a cyberterrorist. Moreover, the progress in information technology makes the electronic tools available to conduct such attacks more sophisticated every day and, through the Internet and the interlinked computer world, easier to acquire. But the most potentially dangerous feature of information warfare is that it can be conducted from anywhere in the world and the possibilities of discovering the attack's origin, or even its presence, are extremely difficult.
- Who can conduct such attacks? A recent analysis has listed the potential "enemies" according to the levels of threat. At the lower level are the crackers, or "hackers with malicious intentions", sometimes highly knowledgeable in technical matters and very determined, but often isolated and without a clear political agenda. Then we have some pressure groups, organisations that fight for specific political causes and might decide to acquire the technology in order to attack the information systems of other organisations or even of states. Terrorists come next in the scale: some groups are becoming increasingly sophisticated in the use of technology and can conduct strategic offensive information warfare. At the highest level are the states, many of which now have access to extremely sophisticated technology and can acquire the necessary organisational infrastructure to conduct both offensive and defensive information warfare. In fact, some experts doubt the effectiveness, capability, or even willingness of the non-state actors to conduct attacks that can seriously threaten other nations' security. (7)
- In the last fifteen years, both the private and public sectors' information systems have been subjected to attacks that have substantially increased with the growth of the Internet. Computer viruses have been a primary concern of information security experts. These are generally very small programmes, often with destructive capabilities, designed to invade computer systems or individual PCs by attaching themselves to other bits of executable programme codes. Created by hackers, computer science students or disgruntled programmers, these viruses have been extremely destructive to many computers and networks, but have not proved to be particularly effective as weapons to date. Because of their non-professional origins, the viruses often contain errors and, moreover, their authors are often incapable of envisioning the complexity and variety of the systems they are attacking.
- Of course, it is still possible that a state or a terrorist group can assemble a team of experts capable of creating malicious viruses and using them to conduct information warfare attacks. But computer viruses are extremely unpredictable and far from precise in their behaviour, and they might eventually damage the attacker as much as the victim. In addition, the international anti-virus industry is mature and is well positioned to create necessary antidotes to almost any new virus.
- Other, more dangerous attacks on information systems have been conducted by criminal hacking intruders. Private corporations, particularly in the financial sector, are regularly penetrated by cybercriminals: the FBI estimates that these electronic intrusions cause yearly losses of about $10 billion in the United States alone. This is probably only the tip of the iceberg. In fact, concerns about protecting shareholder value and customer confidence may keep many firms from reporting all the attacks to law enforcement agencies.
- Electronic intrusions into the military information infrastructure cause deep concern in the United States. According to the CSIS, probe attacks against the Pentagon number in the tens of thousands every year. John J. Hamre, Deputy Secretary of Defense, recently stated that from January to mid-November 1998, the National Security Agency (NSA) recorded more than 3,800 incidents of intrusion attempts against the Defense Department's unclassified computer systems and networks. Over 100 of these attacks reached root-level access and many were even able to break down some kinds of service. This reflects only what has been reported to NSA, but "the actual number of intrusions probably is considerably higher".(8)
- The literature and the chronicles are full of examples of successful network intrusions at the US Department of Defense (DoD) and other Western defence institutions. One of the most interesting is the break-in at the Air Force's Laboratories in the town of Rome, in New York State, when two British boys hacked into the system with the help of what is called a "sniffer" programme, able to capture passwords and user log-ins to the network. The case served as a learning experience for the Air Force Information Warfare Center, which then developed the advanced technical skills to counter these intrusions. Similar hacker intrusions are regularly experienced by all other US military services and government agencies.
- While most of the attacks in the last few years were generally conducted by individuals or by small groups of intruders, with little or no political purpose, recently some cases suggested the possibility of state-sponsored hacking or cracking. Additionally, some anti-state, politically motivated activity has occurred. In October 1998, China launched a new website to publicise its efforts in human rights. A few days later, hackers replaced the home page of that site with a message condemning Beijing for its poor record in human rights. (9)
- Another, more revealing case occurred in Ireland, where refugees from East Timor had set up a website to protest against the occupation of their country by Indonesia. The Irish Internet provider even created a new domain name ".tp", as if East Timor were an independent country. In January 1999, a concerted attack against the East Timorese server started, originating from 18 different places as far apart as Australia, the United States, Japan, the Netherlands and Canada. The attackers managed to render the web server useless and forced the Irish provider to disconnect its entire system. Clearly, this was not an ordinary cracker intrusion, though many doubt that the Indonesian government had the capability to conduct such a concerted information warfare action. The most probable culprit is a group of politicised hackers sympathetic with the Indonesian position.(10)
- The NATO information system was also indirectly threatened in October 1998, when a Serbian group of hackers known as Black Hand penetrated a Kosovo Albanian web server and threatened to sabotage the Alliance's information system. The organisation temporarily closed all foreign access to its web server and its web site was down for two days. Realising that the electronic defences of the NATO web server were extremely weak, experts took some countermeasures, which proved to be insufficient in the light of subsequent events.(11)
- During the Kosovo crisis, hackers attacked the NATO web site, causing a line saturation of the server by using a "bombardment strategy". The organisation had to defend itself from macro viruses from FRY trying to corrupt its e-mail system, which was also being saturated by one individual sending 2,000 messages a day. These attacks were possible because NATO was using the same server for the e-mail system and its web-pages. When these tasks are done by separate servers, as is now the case at NATO, the threat is reduced. Allied governments' web sites have also been targeted during the war, and according to US Air Force sources the attacks came not only from FRY, but also from Russia and China. It is unclear, however, whether these attacks were state-sponsored or the work of groups of hackers. Conversely, FRY's information systems were severely damaged by NATO bombings and electronic operations - although Belgrade itself dismantled communication systems to deprive its people of outside information. In addition, thousands of Western civilian hackers conducted online attacks against the FRY government's web servers.(12)
- Such cases might not prove the existence of state-sponsored information warfare or cyberterrorism, but they offer good examples of what could happen if the capability is coupled with a hostile intent. The subsequent question is: could a group of state-sponsored terrorists or individual crackers damage the information infrastructure of another nation so as to cause a major strategic disruption? The US Department of Defense seems to think so.
- In the summer of 1997, a simulation exercise called "Eligible Receiver" was conducted at the Pentagon, ordered by the Joint Chiefs of Staff, to test the ability of the nation's military and civilian infrastructure to resist a concerted information warfare attack. A team of fictional hackers, the Red Team, was allowed to use only COTS materiel and information available on the Web and had to act within the US law. So far, the results of this exercise remain strictly "top secret". Nonetheless, many officials have referred to it in public declarations and some have partially revealed the outcome. James Adams, a journalist based in Washington DC, claimed in a book to have interviewed senior officials about "Eligible Receiver":
"The [simulated] attacks focused on three main areas: the national information infrastructure, the military leadership and the political leadership. In each of these three areas, the hackers found it exceptionally easy to penetrate apparently well-defended systems. Air traffic control systems were taken down, power grids made to fail, oil refineries stopped pumping - all initially apparent incidents. At the same time, in response to a hypothetical international crisis, the Defense department was moving to deploy forces overseas and the logistics network was swinging into action. It proved remarkably easy to disrupt that network by changing orders [É] and interrupt[ing] the logistics flow [É]. The hackers began to feed false news reports into the decision-making process so that the politicians faced a lack of public will about prosecuting a potential conflict and lacked detailed and accurate information [É]. (13)
- In conclusion, according to Adams' sources, a team of skilled hackers, using standard equipment and publicly available information and playing by the rules, was able to cause a "serious degradation of the Pentagon's ability to deploy and to fight". In other words, they demonstrated that an "electronic Pearl Harbor" was possible.
- Many things have changed in the last two years due to the fast pace of progress in information technology. Moreover, the policies and actions taken by the US government may have reduced the vulnerability of the nation's infrastructure. Nonetheless, if technology is helping Western governments establish better defences, it also helps potential enemies improve their capabilities to attack. A recently announced new breed of hacker software, that can learn and adapt to the network environment it attacks, may represent a new threat. According to information technology experts, the new programmes can change their mode of operation, or their targets, based on external stimulants. Pre-programmed to search for specific types of files common to most networks, such software, once in the system, can target data or files of interest to the intruders, even those marked secure or for internal use only. (14)
- In addition, many nations are trying to acquire the capabilities needed to conduct information warfare operations and new terrorist groups like Osama bin Laden's are known to use computers and satellite telecommunications. China has recently intensified its information warfare programmes, both to protect its own military infrastructures and to enable the People's Liberation Army to conduct electronic attacks. According to James Mulvenon, a defence specialist at Rand Corporation, Beijing "is seeking the ability both to interfere with Taiwan's command system, and ultimately to Ôhack' into US military networks which control deployment in the Asian region." (15)
- A serious physical threat to information systems can be posed by the effects of the electro-magnetic pulse (EMP) produced by nuclear explosions. The immediate energy release from a detonated nuclear device produces intense, rapidly varying electric and magnetic fields that can extend for considerable distances and severely affect all electronic equipment and electrical or radar transmissions even to the point of destroying equipment circuits, microprocessors, and other components. Therefore, a single, very high-altitude nuclear blast above Europe or the United States, which may cause no physical damage to structures or people, could disable or disrupt all non-hardened information systems. While few nations currently have both nuclear weapons and the missiles capable of delivering them in space, the increasing number of "rogue" nations with nuclear weapons that are also developing or acquiring long-range missiles may present an extremely serious EMP threat in the near future.
- EMP effects from nuclear explosions and non-nuclear weapons, such as HERP (High-Energy Radio Frequency) guns or EMP/T (Electro-Magnetic Pulses Transformer) bombs, may be much more dangerous for civilian information systems than for military ones, most of which are now EMP hardened. Shielding of iron or other materials such as copper mesh or non-magnetic metals is generally available only for the protection of sensitive military technology.
III. RESPONSES TO THE THREAT
- Efforts to respond to the threat of attacks to information systems, or information warfare, have been made by many nations. Generally, the military and defence "think tanks" have been the first to address the issue, but now most Western governments have taken steps towards more co-ordinated and structured responses.
- In the United States, different panels, commissions and study groups have been examining these issues since the early 1990s and the government has taken several important measures. Congressional Committees have held hearings to investigate the nature of the information warfare threat. The National Defense University has extensively worked on the issue since the early 1990s. However, the most comprehensive appraisal of the nation's vulnerabilities in the field of information technology has been provided by the Presidential Commission on Critical Infrastructure Protection, created in 1996, involving officials from the energy, defence, commerce and law enforcement areas, as well as representatives of the private sector. After 15 months of study, the Commission published an extensive report highlighting the vulnerabilities of the US infrastructure and the weakness of the information systems, which proved to be a potentially easy target for any concerted attack. The report also indicated that government and industry do not efficiently share information that might give warning of an electronic attack and that the federal R&D budget does not include the analysis of the threats to the information systems in the infrastructure. (16)
- The work of the Presidential Commission resulted in the issuing in May 1998 of two Presidential Decision Directives, 62 and 63, on Critical Infrastructure Protection. The provisions of these Directives included:
- interagency co-ordination for critical infrastructure protection;
- definition of the roles and responsibilities of US agencies in fighting terrorism;
- improvements in capabilities for protecting the national information structure, the most important of which is the creation of a National Infrastructure Protection Center (NIPC) in the FBI;
- promotion of partnerships with industry and other private players to enhance computer security;
- study of plans for minimising damage and recovering rapidly from attacks to its vital infrastructures.
- Some experts criticised the US administration decisions, claiming that the above provisions underestimated the realities of the information warfare threat. Nonetheless this is the most comprehensive and complete initiative taken so far by any Western government to respond to the risks of attacks on information systems.
- Moreover, the DoD, actively participating in the government initiatives, has recently created a Joint Task Force for Computer Network Defense (JTF-CND) to co-ordinate all the activities in this field and direct the Pentagon's response to computer network attacks. The JTF-CND will plan defensive measures, leverage existing capabilities and develop procedures for the military commanders-in-chief, services and agencies, as well as provide strategic focus at all levels. Fully operational in the summer of 1999, the JTF-CND will also develop relationships with intelligence and law enforcement agencies, the NIPC and the private sector. (17)
- Among European nations, France appears to have developed a coherent strategy to deal with attacks on information systems. In the absence of a general programme for infrastructure protection, such as that in the United States, the Dlegation gnrale pour l'armement (DGA) of the Ministry of Defence has concentrated technical activities in the field of information warfare at the Centre d'lectronique de l'armement (CELAR). This centre employs some 900 experts in many scientific and technological areas, and has resources and capabilities with probably no equal on the continent. All CELAR activities are related to information warfare (guerre de l'information), defensive and offensive, and are divided into five tasks: weapon systems for electronic warfare, information security, information systems, telecommunications, and electronic components. CELAR analyses the threats, establishes the needs, and tests the proficiency and the limits of the systems and equipment. In particular, within the information security field of CELAR, the Centre de l'armement pour la scurit des systmes d'information (CASSI), is responsible for the development of all security programmes and strategies in the Ministry of Defence and acts as a consultant for other ministries and governmental agencies. (18)
- In Germany, the efforts of the Government and the Bundestag to address the problem of security in information technology led to the creation, in 1991, of a Federal Agency for Security in Information Technology (Bundesamt fr Sicherheit in der Informationstechnik, or BSI). The BSI is responsible for assessing the risks and developing the criteria, tools and procedures to assure the security of vital information systems. However, according to German officials, the BSI has concentrated its work on the non-military aspects of information warfare. In other words, it has considered the possibility of attacks to information systems only in the civilian field. At the same time, the German military has conducted some studies on information warfare and has recently initiated a new one, called "2020", which will consider the future evolution of the topic. Recently, a working group has been created at a federal level to draft a policy paper on "Information Warfare and IT Security", aimed at reaching a better co-ordination within the civilian and military fields.
- The UK Ministry of Defence has addressed, in various areas, the problems related to information warfare, recognising that "the potential vulnerabilities and risks arising from Ôinformation warfare' go much wider than the Armed Forces and the defence infrastructure" (19). The MoD is therefore known to be working with other areas of Government, allies and suppliers of key services to co-ordinate security policies and find technical solutions to protect the nation's infrastructure.
- Other countries, such as Finland, Norway, Sweden and Switzerland have taken initiatives similar to those of the United States. Australia, Canada and Israel are investing in studies of defensive measures and approaches (20). NATO has recently analysed the threats of information warfare attacks and given indications to member states. For the moment, the most relevant studies conducted by the Alliance on the subject are classified.
IV. Information warfare or simplY Information Security?
- As it is often the case with extensively debated issues, some defence analysts and information security experts are doubting the actual size of the information warfare threat as it is presented by the media and even by some official reports. They contend that newspapers and magazines report stories about dangerous viruses, violated military websites and crackers penetrating corporate information systems in distorted and exaggerated ways. Some also list errors and overstatements included in official documents and defence studies. Fairness demands that we also consider these points of view, and below we summarise the most salient issues.
- In 1997, for instance, a US government commission, that included former directors of the CIA and the National Reconnaissance Office, warned against a virus contained in an e-mail message entitled "Penpal Greetings". According to the commission's report, the virus "could infect the hard-drive and destroy all data present". Moreover, the virus was reportedly "self-replicating" and "would automatically forward itself to any e-mail address stored in the recipient's in-box." According to many computer security analysts, the report was wrong and the Penpal virus was in fact a hoax. However, more recently several viruses spreading by e-mail could nonetheless perform extremely destructive actions. (21)
- In March 1999, a type of macro virus propagating by e-mail called Melissa damaged, according to many journalistic sources, more than 100,000 computers. Hidden within a file of a popular word processing software, Melissa affected its security settings, rendering personal computers vulnerable to further attacks. While some defence leaders, experts on terrorism, lawmen and software executives hailed "another warning siren of the vulnerability of our networks" or even "a demonstration of what an electronic Pearl Harbor might look like", most computer security people defined Melissa as "just another dangerous virus", no more sophisticated than prior ones using the identical modus operandi. Moreover, they contended, Melissa (although very costly to many businesses) had no noticeable effect on Internet use or stock markets or electronic commerce. They also noted that most persons using the web on a regular basis would not open an unknown file attachment received by e-mail, especially if reportedly it contained a list of pornographic websites. (22)
- But computer scientists and IT security experts are not only highlighting general misinformation and myths about viruses. They contest as well the alarming figures suggesting that the Pentagon and other US vital infrastructures are under almost permanent attack by crackers or cyberterrorists. They admit that malefactors can break into military and civilian web servers, and maybe even cause serious damage, but that it is far from representing an "electronic Pearl Harbor" for the United States. As Kevin Ziese, the computer scientist who led the Rome Laboratories investigation, and other experts put it, these break-ins can be defined as the virtual equivalent of a "kid walking into the Pentagon cafeteria." (23)
- Equating computer viruses and hacker software with weapons of mass destruction, many analysts insist, is overreaching. And classifying them as such would be like considering teen hackers or virus creators equivalent to terrorists or "rogue" states. The recent attacks on the Alliance's information system during the Kosovo crisis, according to these sources, might have proved just that. In fact, they report that computer security experts in the US Department of Defense were "completely unimpressed by whatever it was Serbian hackers did during the Yugoslavian war. The worst it did is make the NATO administrator of the site work a little harderÉIt didn't have any impact on the Yugoslavian war at all." (24)
- With regard to the supposedly frightening results of the "Eligible Receiver" exercise, which are still considered "sensitive information" by the Pentagon, many object that they should be opened up to an independent audit. Until then, computer scientists declare that they will remain extremely sceptical. Moreover, they say the Pentagon's position is in stark contrast to the wide-open discussions of computer security vulnerabilities that reign on the Internet.
- According to William M. Arkin, an army veteran, defence analyst and editor of US Military Online, the excessive secrecy in the Pentagon's attitude towards information security reflects a basic misjudgement of the power of the Internet and the ability of the military to control it. A directive issued on 24 September 1998 by Deputy Defense Secretary John Hamre instructed all military services and agencies to "ensure national security is not compromised or personnel placed at risk" by information available on military websites. In fact, the Pentagon has for years had policies that required just that, and therefore only unclassified information has ever been made available on the Internet. John Pike of the Federation of American Scientists agrees with Arkin that the DoD issued this new policy out of "a desire to show vigilance, coupled with a profound lack of understanding of information and computer security", rather than because of any new threats coming from the Internet. (25)
- Many experts and scientists are critical of the approach taken by some of the Pentagon leaders not because they believe there are no threats coming from cyberspace, but because they feel those threats might have been overstated or mystified through what they call "info-warrior rhetoric". Computer security analysts, who have been working on these problems for years, have the impression that "information warfare" might just be old wine in new bottles. In fact, many of the activities now classified under this definition could be traditional intelligence work, intelligence analyses through the Internet or psychological operations and deception. For instance, the US Air Force Information Warfare Center (AFIWC, part of the Air Intelligence Agency) in San Antonio and other similar organisations are the equivalent of computer emergency response teams, and the military and civilians employed in them are all computer security specialists.
- In spite of these reservations, it is clear that there are many serious threats. In sum, according to George Smith, editor of The Crypt Newsletter, an Internet publication dealing with computer security for computer analysts:
"It is far from proven that the country [i.e., the United States] is at the mercy of possible devastating computerized attacks. On the other hand, even the small number of examples of malicious behaviour demonstrate that computer security issues in our increasingly technological world will be of primary concern well into the foreseeable future." (26)
- It is clear, even from the words of the most sceptical analysts, that the security of information systems must be a high priority for any nation. With the increasing dependence on information technologies, all our vital infrastructures are potentially vulnerable to some sort of external attack. Even if experts disagree on the extent and the nature of the threat, we need nonetheless to adopt measures to strengthen the protection of our information systems.
- The first priority should be to seek objectivity in the assessment of the real threats. An independent group should be set up to provide such assessment, maybe at the international level. An example is provided by the G-8 High Tech Crime Group, a multilateral forum seeking to enhance transnational co-operation in investigating and prosecuting criminal misuse and exploitation of information systems. Parliaments and governments, as well as the industry, the scientific community and computer security experts should work within a similar group focused on information warfare threats in order to share their knowledge and competence and analyse the subject from different perspectives. A serious evaluation of the claims of computer security software and hardware producers could be the first task of such a group.
- Programmes to raise public awareness and encourage education in the field of computer security and infrastructure protection would be extremely useful, and they should cover all possible audiences. They should include conferences, university studies, presentations at industry associations and professional societies, and sponsorship of graduate studies and programmes. In addition, research efforts are needed to both substantially improve and deploy more widely the existing technology. In particular, new capabilities for detection and identification of intrusion and improved simulation and modelling capability to understand the effects upon interconnected and interdependent infrastructures would be beneficial.
- The law has to keep pace with the development of new technologies. Parliaments can play an important role in reconsidering and readapting the laws regulating infrastructure protection and information systems assurance. The United States can provide some good examples in terms of both statutes and case law and the Justice Department has a section devoted to this area. However, due to the open and global nature of the Internet, this effort should involve computer security experts and legislators internationally. In fact, creating a specific international set of rules or conventions is an essential prerequisite for establishing a credible and efficient Internet economy.
- Intelligence can also contribute to a clearer understanding of the new threats of the information age in terms of actors, motives, and capabilities. Of course, the traditional intelligence work and organisation, developed during the Cold War, must be adapted to the new environment. Intelligence officials in all nations must reconsider their methods for information acquisition and rely on new sources. National agencies must also start recruiting special talents familiar with the new threats, such as skilled computer analysts with a direct experience of hacking methods.
- Since most experts agree that commercial information systems are now more vulnerable to external attacks, it is essential to foster public-private co-operation. Much of the information that private companies need to protect their information systems may be available from the defence, intelligence and law enforcement communities. Often the private sector can better identify, understand and evaluate the threats. In many countries, co-operation between industries and their governments could be extremely helpful to share "information and techniques related to risk management assessment, including incident reports, identification of weak spots, plans and technology to prevent attacks and disruptions, and plans for how to recover from them." (27) Of course, public-private collaboration also has its limits, such as classified and secret materials or proprietary and competitively sensitive information.
- Finally, in most Western countries, but particularly in the United States, the military should address many questions concerning the effective role of the information warfare programmes in their general policy. Programmes like those going under the definition of "Revolution in Military Affairs" (RMA) have already tried to assess the future impact that the use of information technology could have on weapon systems and on military organisation and strategy. However, the US military still needs to clarify its policy about the options for deterring an attack on vital information systems and the possible use of offensive information warfare. The link between information warfare and other military strategies should be better articulated: for instance, would it be possible to respond to an information warfare attack with conventional forces? Moreover, the possibility that the United States (or any other Western country) would develop and deploy offensive information warfare techniques has not been adequately discussed in public forums. This can be essential in order to build a national and possibly international consensus about the role of offensive information warfare and to clearly define its policies of use.
NOTES AND REFERENCES
Lord Lyell, Lothar Ibrgger, Information Warfare and the Millennium Bomb, General Report, NAA Science and Technology Committee [AP 237 STC (97) 7]
Definition found on the website of the Institute for the Advanced Study of Information
Warfare, self-defined "a virtual non-governmental organisation",
Dr. Andrew Rathmell, "Information Warfare: Implications for Arms Control", Bulletin of Arms Control, No. 29, April 1998, on the web page of King's College London,
http://www.kcl.ac.uk/orgs/icsa/cds.html. With regard to the Revolution of Military Affairs,
see the STC 1998 General Report on the subject [AR 299 STC (98) 6]
CybercrimeÉCyberterrorismÉCyberwarfareÉAverting an Electronic Waterloo, CSIS Task
Force Report, Center for Strategic and International Studies, Washington DC, 1998,
Col Jean-Luc Moliner, "La guerre de l'information vue par un oprationnel franais",
L'Armement, No. 60, Dec. 1997-Jan. 1998, p. 11
Information warfare should be limited to "specific political and strategic goals" to avoid
confusion with cybercrime or industrial espionage. Attacks to private corporations (see
para.16) might be included only if conducted as part of political or strategic offensive.
The limit to "Internet and other networked information systems" helps avoid confusion with
espionage cases involving the use (or misuse) of restricted or secret information systems
and/or data bases (such as recent alleged espionage at DOE weapons laboratories).
Lorenzo Valeri, "Information requirements for Information Warfare: the need for a
multidisciplinary approach", presentation prepared for the 1999 InfoWar Conference,
27 May 1999, London; and George Ballantyne, "www.terrorism.now", RUSI Newsbrief,
April 1999, p.31.
From letter by John J. Hamre published in Issues in Science and Technology, Winter 1998-99, pp.10-11
Alden M. Hayashi, "The Net Effect", Scientific American, January 1999, p. 13
Niall McKay, "Indonesia, Ireland in Info War?" Wired News, 27 January 1999, at the website http://www.wired.com/news/; Michelle Knott, "Virtual Warfare", New Scientist,
27 February 1999, p.51
Chris Nuttall, "Kosovo info warfare spreads", BBC Online, 1 April 1999,
http://news.bbc.co.uk/ and interview with Mr. Chris Scheurweghs of the NATO Integrated
"Computer hackers in Belgrade", Aviation Week & Space Technology, 5 April 1999, p.23;
Patrick Riley, "E-Strikes and Cyber-Sabotage: Civilian Hackers Go Online to Fight",
Fox News, 15 April 1999, http://www.foxnews.com/ ; Bob Brewin, "General: Cyberattacks
against NATO traced to China", Federal Computer Week, 1 September 1999,
James Adams, The Next World War, Hutchinson, London, 1998, pp.187-8
George I. Seffers, "Stealthy New Software Enhances Hacker Arsenal", Defense News,
15 March 1999, p. 3
Tony Walker and Stephen Fidler, "China studies computer warfare", Financial Times, 16 March 1999, p. 4
Information on the Commission, as well as the text of the report are available on the Web at http://www.pccip.gov
George I. Seffers, interview with Maj. Gen. John Campbell, Defense News, 29 March 1999, p.30
Jean-Pierre Meunier, "Le CELAR, centre technique de la guerre de l'information",
L'Armement, N. 60, Dec. 1997-Jan. 1998, pp.84-88
Strategic Defence Review, Chapter 5: The Future Shape of Our Forces, available on the
Web at http://www.mod.uk/policy/sdr/
Andrew Rathmell, "Information Warfare and sub-state actors", Information, Communication & Society, Winter 1998, p. 490
Quoted in George Smith, "Truth is the first casualty of cyberwar", The Wall Street Journal,
8 September 1998
Kurt Kleiner, Matt Walker, "Melissa's mayhem", New Scientist, 10 April 1999, p.4; "The
Melissa media hangover", The Crypt Newsletter, available on the Web at
Quoted in George Smith, "An Electronic Pearl Harbor? Not Likely", Issues in Science and
Technology, Fall 1998
David Ruppe, "Cyber Scare", ABC News, 4 August 1999, available on the Web at
Daniel G. Dupont, "Out of Site", Scientific American, January 1999, p.26
G. Smith, "An Electronic Pearl Harbor? Not Likely", Issues in Science and Technology,
C. Paul Robinson, Joan B. Woodard, Samuel G. Varnado, "Critical Infrastructure: Interlinked and Vulnerable", Issues in Science and Technology, Fall 1998, p. 63