Battle for the Soul of Information Warfare: Pearl Harbor vs. the Hashishim
Michael Wilson
Copyright 1996 by author. All rights reserved.
Information warfare is still only in its infancy, and already there is a difference of approach to
modeling the threat. Are the assumptions between the two philosophies so different that the
nature of infowar is in question?
These differences of assumptions are worth considering, since the implications--particularly in
design, implementation, and operation of defensive systems and subsystems, which depend on
clarity of definition--are significant.
The views of infowar can be split roughly into two 'camps,' and the philosophies can be attached
and shorthanded with two historical scenarios with which they share similarities--Pearl Harbor
and the Hashishim.
Pearl Harbor--the Historical Scenario
December 7, 1941. The Japanese, in an attempt to establish their dominance in the Pacific theatre
of operations, launched an all-out attack on U.S. Naval forces stationed at Pearl Harbor, Hawaii.
Historians differ on whether the Japanese intended it as a 'surprise attack' (notification of the
declaration of war was in fact in progress), but 'sneak' attack or not, the military operation was
intended to cripple the fleet and keep the U.S. out of the war. As a misjudgment of national
character it has few historical parallels, and "Remember Pearl Harbor!" became a rallying cry to
victory for the U.S. in World War II.
The Hashishim--the Historical Scenario
~11th Century - ~14th Century. An Islamic sect led by Hasan ibn al-Sabbah, the Hashishim
(mispronounced as 'assassins,' the origin of the term) were unusual, by the standards of their
time or ours. Fanatical followers were given a 'taste' of the promised Heaven through the use of
recreational drugs (thus the term 'hashish') and a harem (note the 'motto' of the Hashishim was
"Nothing is True, Everything is Permissible") to show them their eventual reward for loyal
service. Members were then dispatched, disguised any way necessary (including various
violations of religious doctrine and dogma), to infiltrate the political, economic, and military
structures of the opposition, Christendom. Years could pass with agents rising in trust and
influence, unsuspected spies who also engaged in sabotage and subtle perversion (giving
deliberately misleading advice to royal, religious, civil, and military leaders and councils), not to
mention the use of the flame dagger left beside the head of a sleeping power figure (the
threat--next time, you're dead) or for immediate assassination. The Hashishim are credited with
collapsing at least one Crusade, and with considerable other damage to the West.
The 'Pearl Harbor' infowar scenario is a massive attack on the military and governmental
(command and control) information infrastructures, with perhaps collateral attacks against
important civilian networks that aid and support military, governmental, and social stability.
'Hashishim' infowar scenarios trend along the line of the opposition force altering, damaging, or
destroying data and services in a protracted campaign; attacks are unannounced, leaving the
question of trust completely unsettled.
These two potential scenarios and their underlying assumptions are important to an
understanding of infowar and the infowar threat model; the differences between the models, if
not balanced, could lead to considerable difficulty in the future. An explicit expression of the
assumptions and the differences is therefore crucial, and what I hope to provide.
'Pearl Harbor' infowar approach == PH
'Hashishim' infowar approach == H
OpFor Approach, Intent, Focus, Targets
PH: Preemptive ('sneak'); first shot to 'settle the matter,' only marks the beginning of the conflict;
surprise lost once engagement initiated
H: Covert; continual moral and material surprise
PH: 'Clean' attack; direct force; not 'subtle'
H: Perversion; espionage; sabotage; coercion
PH: Damage/destroy force projection capability
H: Damage/destroy decision capacity, command structure
PH: Government targets, or target has direct connection to logistic support
H: Opportunistic targets; willing to accept greater degrees of separation; attacks on dependencies in
civil and military infrastructures
At a fundamental level, even such basic views on the infowar strategy are split. A 'Pearl Harbor'
infowar attack is viewed as being a preemptive attempt to take the target (presumed to be the
United States or other technology dependent political economy) and force it to failure, or damage
its functionality as the preliminary operation in a larger military strategy. This sort of attack is
still seen as a 'clean' form of warfare, adhering to the code of conduct that dictates attacks must
orient around military objectives. 'Hashishim' infowar attacks are far more nebulous and
indirect, harder to pin down, and greatly annoy most military (not to mention law enforcement
and intelligence) professionals by not 'playing by the rules.'
PH: Massive; concentrated
H: Long term; cumulative
'Pearl Harbor' attacks depend on the impact and effect in the target from the initial damage and
destruction; as such, they concentrate massive force into a small period of time. 'Hashishim'
attacks make up for a lack of mass by seeking effect over the long term, with the cumulative effect of
operations grinding the target down over the period.
PH: Necessitates large resources; intense effort
H: Small; selective effort
The scale drives the effort, so 'Pearl Harbor' attacks need significant resources to make them a
reality; launching and maintaining this sort of effort will not escape notice without considerable
counterintelligence operations. 'Hashishim' attacks seem almost casual by comparison, allowing
minimal resources, choosing the time and target, and tailoring the effort to the objective; this
effort is hard to spot.
Management, Command & Control, Organization
PH: Centralized; coordinated; hierarchical
H: Decentralized; uncoordinated; heterarchical
The scale and resources of the 'Pearl Harbor' effort parallel those of their target, and thus the
tendency (probably correct) to assume that such operations will be centrally managed and
coordinated, with a singular or small command group setting strategy and tactics. A strong point
of the 'Hashishim' is the lack of a need for such a command structure, not to mention the
benefits of a heterarchy; this OpFor has no particular investment in the success or failure of a
specific operation (unlike the 'Pearl Harbor' model), seeking effect from the cumulative nature of
their effort. Interestingly, 'Pearl Harbor' attacks are likely to require a considerable decision loop
(Boyd cycle of Observe-Orient-Decide-Act), with the attack automated for synchronization
and to progress in the 'correct' order; 'Hashishim' attacks are iterative OODA loops,
but under live, active control.
The scale and resources to manage a 'Pearl Harbor' style attack dictate that funding be
congruent in magnitude; this is not warfare on the cheap, because while certain basics are
inexpensive (computers, access), others are not (personnel, intelligence). Operations by the
'Hashishim' can be launched dependent upon the availability of funds or other necessary
resources; such are the benefits of waiting for opportunity to knock.
PH: Hard targets
H: Soft targets; open source intelligence resource (including net-based)
Gathering and analyzing intelligence for attacks on the military or on dependencies inside the military
structure are actions against hardened targets; not impossible by any means, but 'Pearl Harbor'
intelligence requires skilled professional efforts, with continual risk of exposure of the effort and
the purpose of such. Almost by definition, the 'Hashishim' style of operations can map
dependency trees and seek attack points that are soft, and accessible to normal but thorough
Defensive Focus, Political View
PH: Crisis management; top down approach
H: Vigilant, active, paranoid, defense in depth; bottom up approach; aggregate
PH: Manageable by law enforcement, intelligence, military
H: Free market solutions; solve the problem where it originates
Preparations for and addressing the infowar attacks are very different; supporters of the 'Pearl
Harbor' threat model tend to believe in massive government-oriented efforts, including
legislation, intelligence operations, and pursuit of the issue as if it were a problem to be solved by
government. The 'Hashishim' threat model points out many of the flaws in the defensive strategy
of the 'Pearl Harbor' model; this model demands robust, overlapping, defense in depth
approaches that come from the composite of building solutions into the design, implementation,
and operations of potentially targetable systems. The issue of strong cryptography is a case in
point; 'Pearl Harbor' defense strategies require intelligence efforts that are only made harder by
free market use of strong cryptosystems, while 'Hashishim' defense strategies require strong
cryptosystems for data and operational privacy, security, and integrity through authentication.
Infowar operations are hardly going to be so clearly divided into two such distinct varieties. The
underlying assumptions, however, are clearly at odds. Infowar threat modeling needs to take into
account the variables involved in the strategies and tactics, starting with the assumptions of the
'Hashishim' approach through viewing the 'Pearl Harbor' scenario as an extreme but limited
case of 'denial of service' attacks.
Focusing on the 'Pearl Harbor' scenario, as many in the political arena, as well as the law
enforcement, intelligence, and military communities, appear to be doing, leaves deadly holes in the
defense. Tailoring defensive responses for the 'Pearl Harbor' scenario eliminates the wide use of
strong cryptography, leaves much of the civilian infrastructure exposed, and makes other
dangerous assumptions as I mention throughout this paper. Using the 'Hashishim' scenario as the
starting place for defensive strategies and tactics puts strong barriers of privacy, security, and
authentication into the many layers of the civilian and military infrastructures (thus a robust
defense in depth), only requiring a few more refinements to protect against the 'Pearl Harbor'
Scaling out the attack scenarios helps to explain why professionals are gravitating to one scenario
or the other--is it more damaging to have 'lost' your system (pending reboot, reload of software,
patching the flaws, etc.--note that this is an attack that can/will be recovered from, just as Pearl
Harbor was), or to have continual attacks over time where you suffer numerous smaller losses,
damaged or perverted data, and live with the ever-present possibility that you will experience
future losses and can't trust the data you now possess?
Both are horrible scenarios, both are difficult and necessary problems to address--but not one
('Hashishim') at the expense of the other ('Pearl Harbor'). That way lies madness.