The latest information warfare discussion has seen the emergence of a new framework for understanding emerging vulnerabilities. David Mussington outlines the issues.
As late as 1997, the intellectual debate on information warfare focused on the ability of military and political authorities to operate in an environment of increased risk. The major issues were: the use and manipulation of information to advance the aims of an attacker or defender; attacks on the military command and control systems of an adversary to impede its ability to prosecute military action; and attacks on computing and communications systems that provide connectivity between military commanders and troops in the field.
This focus was also joined by an increasing concern with the security of information systems that support military operations - both in theatre and in the homeland. This last issue has become the new centre of both policy and implementation activities. This new focus goes by the generic term information infrastructure protection.
Information infrastructure protection
Infrastructure vulnerabilities refer to that set of vulnerabilities and system inter-dependencies that are manifest due to the characteristics of networked information and communications systems. The Internet is the most visible incarnation of this new "system of system vulnerabilities" upon which much of modern society is becoming dependent, but it is not the only one. Infrastructures that facilitate activities in modern society include, but cannot be reduced to: the electric power generation and delivery system, the public telephone system, oil and natural gas pipelines, emergency services (fire, police, etc.), the air transportation system and railroads. Each of these systems is linked with others, creating clusters of systems (hence the "system of systems" metaphor), which compound vulnerabilities to deliberate or accidental disruption.
Examples of these disruptions include the concatenated severity of an earthquake, which cuts a gas main, which causes an explosion, which causes electrical substations to overload, which prevents emergency services from being called to provide assistance; and an interruption in electricity that causes bank ATM networks to be unavailable, which creates a financial panic as consumers are unable to access their accounts, which in turn creates an economic emergency. Scenarios of this type are being used by governments to investigate the potential vulnerability of key systems to both accidental and deliberate disruption through information systems.
The latest information warfare discussion has seen the emergence of a new framework for understanding emerging vulnerabilities. In keeping with the new focus on homeland infrastructure (and military system support infrastructure) protection, the actors of primary importance as potential adversaries in information conflict have also shifted.
Figure 1 signifies the conceptual framework dominant during most of this decade, with military command and control issues still lying at the centre of the information warfare discourse. More recently, however, the vulnerability of civilian infrastructures has become the subject of considerable public attention, much of it catalyzed by the release of the report of the US Presidential Commission on Critical Infrastructure Protection in October of 1997. Figure 2 summarizes what might be viewed as the new terrain of infrastructure protection and vulnerability mitigation.
Contrasting Figures 1 and 2, the new focus on terrorism and crime is immediately visible. While visible in the old discourse, criminal and terrorist threats utilizing disruption of information infrastructures are a central focus of emerging thinking on information security.
Also of importance is the removal of the "strategic" item from the re-categorized classes of conflict discussion. This removal does not signify any lack of concern with the strategic impact of information operations by a particular adversary. Instead, terrorism and crime, with their increased salience, are themselves increasingly seen as strategic, in that they either (a) are seen as representing "lesser included" cases, which "scale up" to strategic importance where they are coincident in a brief period of time and network interconnection, or (b) are indicative of the institutional responsibilities of those given the lead role in handling information infrastructure protection.
In both the United States and Great Britain, law enforcement authorities are broadly seen as the initial line of defence against infrastructure disruption. In turn, crime and terrorism, rather than any frontal assault by a foreign adversary's military forces, are seen as the principal near-term focus of concern.
The leading country in responding to information infrastructure protection threats is the United States, but other states also are beginning to reflect on the emerging vulnerabilities that may go alongside increased Internet connectivity. A short listing of other countries with some activities in the information warfare/infrastructure protection domain includes: Australia, Canada, Denmark, France, Germany, Russia, Switzerland, Sweden and the United Kingdom.
The United States has, however, launched the most public review and analysis of its own infrastructure protection concerns, the results of which were introduced in a presidential decision directive, PDD-63, in May 1998. This directive created a number of institutions and processes designed to reduce the vulnerability of US infrastructures to deliberate or accidental disruption.
To summarize some of these initiatives:
Each of these efforts is in its early stages, but it appears official Washington has begun to take notice of infrastructure protection as a potentially significant problem. Tentative moves in the direction of international cooperation - or a dialogue about international collaboration - also are anticipated, though these moves may be very difficult to develop.
The last year has seen a number of significant developments in infrastructure protection policy. Governments have begun to take the issue seriously, perhaps in anticipation of the approaching Year 2000 (Y2K) situation, which may offer a precursor of future problems of network-dependent societies. Early responses are encouraging, however, and represent a continuation of trends favouring the private sector as the principal terrain and actors in information warfare.
Because infrastructures in the industrialized world are increasingly controlled by the private sector, commercial companies constitute the key entities charged with insuring against interruptions in critical services. This fact forces governments to enter into increasingly novel partnership arrangements with industry in order to achieve national infrastructure protection goals. Experimentation in this area is just beginning and may produce intriguing variations of public/private infrastructure protection responses. It is too early to tell whether these responses will foster increased security against deliberate infrastructure attack.
What is certain, however, is that modern societies are facing at least the potential for significant disruption of critical services due to the growth in infrastructure interconnection and interdependence.
The opinions in this article are those of the author and do not represent the views of RAND nor of any agency of the United States government.