To these six cardinal points I am tempted to add a
seventh:
7. Accommodating the cumulative effects of Moore's Law in computing
technology.
A good starting point for developing these issues is to
point out that Infowar is inevitably, as any survival contest is,
split between the offensive and the defensive. The popular notion that
Infowar can be a purely defensive play is utterly irrational, and flies
in the face of five millennia of history. The advantage more often than not
lies with the attacker, who can choose the time and the place of the
engagement.
This point leads us into the issue of the human factors
problem.
How should we articulate this problem? In the simplest
of terms it is a result of many people not taking the issue seriously,
at every level of our government and industry. At the lowest level it
is manifested in ostensibly trivial sins like sloppy password
management procedures. Stepping up a level, it is manifested by
managers who choose not to spend resources on security, or company
directors who decide that the overheads of hiring security consultants
or specialists in security oriented system admin are a waste of effort.
The problem extends further, to legislators who are
completely illiterate in computing, let alone Infowar, and choose to
frame legislation around ridiculous and ultimately futile agendas such
as content control on the Internet, while remaining utterly blind to
the real problem areas.
We could argue that it is a widespread case of
"ignorance is bliss", but this in many respects flies in the face of
the huge volumes of public debate and discussion on these issues, and
the incessant sensationalised media coverage of the issue.
The problem really runs much deeper, and is clearly
related to collective community values.
We should consider the fact that our culture has
exceptionally well defined protocols and legislation covering the
handling of money. Money is kept in bank vaults, virtually every cent
is carefully accounted for in every till, while frequently draconian
penalties are applied for theft, usually in proportion to the magnitude
of the theft in question. Frequently a person is judged on his monetary
worth or earning capacity, first and foremost, all other attributes and
qualities falling by the wayside.
This should not be surprising since we are essentially
in our values a mercantile culture; in a medieval Christian culture
piety would be a measure of one's worth, while in a communist culture
the individual's fanatical devotion to the cause would be such. The
values of a culture are implicitly tied to whatever mechanism is
central in making that culture work.
In the digital age information/knowledge is that central
mechanism, and therefore we would expect our culture's value system to
reflect exactly that, and accord information/knowledge the very same
worth that a classical capitalist culture accords to money. Protect it
for what it is worth, and treat it with the respect it deserves. Reward
those who can create it and most effectively exploit it.
Herein lies the crux of the "people problem" in Infowar,
and the root cause of many of the people related problems we see in the
computing game. Our community value system is still firmly rooted in the
mercantile viewpoint of the world, and has yet to catch up with the
modern economic, military and social reality of the digital age.
Granted, we have seen Mr Gates become the richest individual on the
planet, but most people have yet to come to grips with the most
fundamental reality of the digital age.
Information/knowledge = value, in the same
sense as "money = value".
Whether that information/knowledge is static data, as in
a database or document, or an executable program, which essentially
replicates and automates a recipe for performing a task, that
information/knowledge is a package of value, no different in many
respects from a bundle of banknotes.
Until community values realign to reflect this new
reality, and information/knowledge, and the capacity to generate it,
are recognised for what they are worth, the extant problem with people
and Infowar will persist. Indeed the public have yet to equate a file
server with a bank vault, and a credit card capable website with a till
in a supermarket.
How soon will this come about? If we accept Kuhn's
arguments relating to paradigm shifts, this will take at least a
generation, the time it takes for people wedded to established values
to die out.
The big question is whether we can afford to wait
another generation for this to come about. The need for community
values and our legislative base to reflect the current paradigm is
urgent and cannot wait for decades. Judging from the value of the
NASDAQ, and the profitability of the digital finance "industry", Kuhn's
model may yet be proven wrong here; nevertheless things are not
happening quickly enough.
The issue of legislation brings us to the second
critical item in contemporary Infowar.
The problem is a very simple one, which is that
legislation today does not reflect the realities of conflict in the
information/knowledge domain. A good example is the problem of dealing
with jurisdictional boundaries. The simple instance of attempting to
prosecute a cracker overseas, or somebody who harasses another in
cyberspace, is literally a legal minefield. This becomes all the more
difficult once we must grapple with a hostile government.
Consider the canonical scenario of nation A tasking its
military or para-military computing professionals with cracking into
nation B's banking system and stock market, and taking both down to
induce an economic collapse. Of course, nation B can be expected to play
exactly the same game. In a conventional war, either side might shoot
missiles or drop bombs on one another with the understanding that
providing agreed protocols on targeting are observed, the best player
wins.
Yet today many Western democracies are in the position
whereby it is legally easier for them to drop a laser guided bomb
through an opponent's window, than crack into his computer system.
Indeed legislators, and the public at large, as yet have failed to
grasp the fact that another government cracking into a government
computer, or putting a hacksaw through a fibre cable, is acting no
differently than if they were shooting off a ballistic missile or
lobbing a satchel charge into a munitions depot. It is an act of war,
in every sense of the word.
A government which sponsors crackers to bust into
another country's computing infrastructure is performing at a minimum
the equivalent to a special operations commando penetration of its
opponent's military basing or government buildings. Yet the latter
evokes responses which are as forceful as large scale bombing raids or
land force invasions. The former does not.
Contemporary IW theorists have argued this issue
extensively, but typically encounter stubborn resistance.
The underlying cause for this clearly irrational posture
is related to item 1, without any doubt. The gravity of the act is
undervalued, and it is therefore dismissed as being of substantially
lower importance than it really is. Until such an attack produces a
truly dramatic, Pearl Harbour category disaster, it is unlikely the
message will get across.
This issue is further complicated by the boundaries
between military and civil operations. Whereas legislation may
eventually allow a nation's armed forces to respond in kind, or respond
pre-emptively to an information attack, with a like information attack,
or conventional counterstrike, civilian agencies and commercial players
are unlikely to be afforded such latitude.
Whereas a security guard at a bank may be allowed to
open fire at an armed bank robber who walks in the front door, the
notion of a bank's systems programmer launching a denial of service
attack against a criminal attempting to break into the bank's internal
network is at this time legally problematic. More than likely it would
result in the criminal's ISP successfully suing the bank in question.
The issue of legislation is indeed a thorny one, and one
which will take some time to sort out. If conventional, precedent based
legal practices are to apply, many of these issues will have to wait
for test cases to produce rulings. In the meantime, a good measure of
paralysis will exist.
The legal issues are closely related to the issue of
Rules of Engagement (RoE), the fundamental constraints and protocols
which are applied to any military operations. In conventional wars,
such as those fought in the Persian Gulf in 1991, or over Serbia in
1999, Western warriors did battle under some frequently complicated and
often very restrictive RoE. Whichever side of the argument of RoE one
chooses to take, the reality is that in conventional wars the RoE are
very carefully crafted to reflect political and operational
constraints. What can and cannot be attacked, and under which
conditions it can be attacked, is carefully (or not so carefully in
some instances) defined and set down as inviolate constraints to
military personnel.
The purpose of RoE is primarily to set boundaries for
military operations, either in terms of geography or types of targets
to be engaged. A typical RoE package today includes constraints from
the Law of Armed Conflict (LOAC), which are mostly aimed at preventing
the loss of innocent civilian lives, or the destruction of significant
historical or cultural artifacts. While much debate continues as to
the merits of many RoE packages and philosophies, it is a fact of life
that few Western democracies would go to war without some kind of RoE.
Defining a meaningful RoE package for Infowar (IO) is a
non-trivial task, and one which is yet to be properly resolved.
Consider the scenario in which an opponent's electricity
grid and communications network are taken down. Both are target sets
which evoke much argument in conventional targeting, since it can be
argued that denial of both services can indirectly cause civilian
casualties, and impose unreasonable hardship upon the population.
Indeed the use of non-lethal carbon-fibre bombs against Serbia in 1999,
designed to produce intermittent dropouts, was deemed to be more
appropriate than simply putting high explosive 2,000 pounders into
every powerplant in the country.
Taking down an opponent's finance infrastructure or
stock market could produce similar arguments. If a country is plunged
into an economic collapse of the ilk seen in Malaysia or Indonesia
recently, does this constitute a violation of established protocols
designed to protect civilians from unreasonable hardship?
These are all very interesting, and also very important
questions. Consider that the wrecking of a nation's economy via a
systematic information attack on its finance infrastructure could
produce wider repercussions, by damaging countries with mutual economic
dependencies with the target nation, no differently from physically
wrecking its economy by large scale air raids.
While the latter may not incur legal side effects, the
former may under the current scheme of things. This indeed complicates
the whole issue no end.
The other side of this coin is dealing with players who
choose not to observe any RoE. This has been the source of much
argument in the context of conventional wars, since the countries which
Western democracies most frequently clash with tend to be tin-pot
dictatorships who usually have no respect for international conventions
or legislation such as LOAC. Indeed the standard scenario is that
Western RoE are played for what they are worth, and parking a surface to
air missile launcher in the grounds of a hospital, or putting a civilian
air raid shelter into the same facility as a military command post, are
both good examples of such behaviour. Players who fall into this
category are unlikely to restrict their offensive information operations
to target sets deemed legitimate under international law.
The issue of RoE is a messy one, which like issues of
cultural values and legislation remains to be resolved.
The issue of damage assessment is one which is closely
related to targeting, and amounts in the simplest of terms to assessing
the effect of an information attack. This is in a sense a broader
problem relating to the use of all non-lethal weapons. While assessing
the effect of an air or cruise missile attack may be as simple as
looking for a smoking hole in the ground where the intended target
stood, determining the effects of an information attack is not so
simple.
Taking down an electricity grid or a stock market may be
easy to assess by observing changes in activity. But taking down an air
defence radar network or military intelligence database may be much
trickier, since the opponent may choose to "play dead" and then activate
the system at a most inconvenient time.
Cracking into an opponent's network and initiating a
recursive remove in the root filesystem of a critical host system may
only alert the opponent to a penetration, yet it may also cause
considerable long term damage. This all depends on the opposing
player's level of redundancy and backup policies.
The same applies should we choose to lob a 40 GigaWatt
microwave warhead at a critical computing or communications site.
Just as the Argentines in 1982 managed to deceive the
British into believing they had done more damage to the Port Stanley
runway than they actually achieved, so it is possible for an opponent
in the IW game to deceptively simulate greater damage levels than had
actually been achieved.
Being too successful at taking down an opponent's
networking and communications may indeed blind an attacker to what
effect was actually achieved against other specific targets in the
network.
An issue which is closely related to damage assessment
is that of precisely controlling damage effects, so that only intended
targets are taken out. This indeed closely ties into the earlier
discussion of legal issues and RoE.
The difficulty lies in the fact that in most nations,
much of the information infrastructure is shared between civilian
government, military services and commercial organisations. If in the
course of disabling the air defence network you also knock out the
network supporting the country's hospitals, is this to be considered
acceptable or unacceptable collateral damage?
The difficulty, other than the legislative/RoE aspects,
lies in the simple technical problem of identifying which services are
mutually dependent. This need not be an easy task, unless the network is
a priori penetrated very thoroughly and all services in use exactly
mapped out.
The problem can run much deeper, insofar as one may wish
to leave some services in operation for other reasons, such as
surveillance, intelligence gathering, deception and damage assessment.
Knocking out the key router to disable the opponent's surface to air
missile datalinks may preclude monitoring the alert status of the air
defence network, or even the deceptive manipulation of its state.
Achieving a precisely contained effect may in many
instances be impossible, and in some instances unanticipated side
effects may arise from mutual dependencies unknown a priori even to the
targeted operator of the system.
Some strategies devised for large scale information
attack, such as the massed use of electromagnetic bombs, are structured
upon the premise that the total disabling of the targeted system is the
desired end state. For an escalated large scale conflict this may indeed
be very true, from a military perspective. However, recent conflicts
such as that fought over Serbia last year would suggest that massed
attacks of this ilk are likely to be frustrated at the point of
conception by political micro-management of the desired target set.
Unrealistic expectations by political leaders seeking
politically "sanitary" campaigns have frequently complicated
conventional military operations to the point of unworkability. We can
expect repeat scenarios in any future conflicts fought in the
information domain, given extant experience since 1950. The potential
for a precise effect which can exist in information attack will offer an
irresistible temptation for many politicians, despite the fact that the
technological constraints border on the unimplementable. We have seen
similar foolishness in the Australian public and political debate on
Internet content, and this behaviour is very likely to spill over into
the much more serious area of Infowar.
The final point articulated by Winn Schwartau is that of
structuring forces for the conduct of Infowar. While this problem may
superficially be seen to be confined to deciding whether it should be
performed by the air force, army, navy, or military / civilian
intelligence agencies, it, like many other problems in Infowar, runs much
deeper.
Considering that the issue encompasses civil law
enforcement, and also arguably penetrates the interests of commercial
organisations, it is a problem of vast complexity.
Should every player field its own Infowar teams, should
these teams be split into offensive and defensive groups, or should a
single civilian or military agency be formed to cover this whole domain?
We can rest assured that every single one of these strategies will
have its vociferous proponents and opponents.
While economies of scale and the demand for high levels
of technical specialisation would enhance the case for a single IW
agency or body, the unique idiosyncrasies of IW characteristic of
military vs law enforcement, and air/land/sea/space military
operations, would in turn strengthen the case for individual IW
capabilities in all of these extant bodies. There is no simple answer
to the problem.
To complicate these evident problems in dealing with the
current IW paradigm, we must also deal with the rapid evolution of
technology resulting from Moore's Law. With compute performance, memory
capacity and storage capability doubling every 18-24 months, we are
facing a moving target. Technological capabilities for IW will continue
to evolve at a rapid rate for the foreseeable future.
This has implications for the defensive play, since
cryptographic measures will continue to erode in effectiveness, while it
will also increase the potential capabilities of offensive tools.
Information Warfare as a discipline is still very much
in its adolescence, and it is clear that many critical issues remain to
be resolved.
My view as a competent observer is that the biggest
obstacle in coming years will continue to be technological illiteracy
in those outside the computing community, and the closely related
problem of illiteracy in the social, political and economic
implications of the digital revolution. While the former is easy to
understand, I find the latter frequently perplexing, since the effects
are clearly visible and a postgraduate degree in Comp Sci is not
required to understand them. Legislators, who are frequently
exceptionally well educated in the humanities, and are well tuned, one
would assume, to social and political issues, have little if any excuse
in this context. Yet many of them seem to be the least capable of
grasping the issues.
We do indeed live in interesting times.