Please adjust the frame on the left to read the following story to avoid using the stroll bars at the bottom.
(c)1995 Matthew G. Devost
_________________________________________________________________
NATIONAL SECURITY IN THE INFORMATION AGE
A Thesis Presented
by
Matthew G. Devost
to
The Faculty of the Graduate College
of
The University of Vermont
In Partial Fulfillment of the Requirements
for the Degree of Master of Arts
Specializing in Political Science
May, 1995
_________________________________________________________________
TABLE OF CONTENTS
[Note: Page Numbers Not Applicable for Electronic Version.]
ABSTRACT
ACKNOWLEDGMENTS ii
CHAPTER 1 - Introduction 1
The Information Age 2
The Knowledge-Based Economy 4
CHAPTER 2 -. New Territory, New Concepts and New Warfare 10
New Concepts: Information Warfare 14
New Weapons 16
HERF Guns 17
EMP/T Bombs 18
System intrusion 18
Emissions capture and espionage 20
Viruses, trojan horses and worms 21
Normal accidents 24
Information Warfare: Isolated Examples 24
Operation Datastream 25
The Hacker Spy 26
Hacker Attacks During Gulf War 28
Infrastructure Attacks 30
The Phone System 31
The Power Grids 33
The Big Picture 34
CHAPTER 3 - The Political Context of Information Warfare 38
What is National Security 38
Political Attractions of Information Warfare 41
Low Cost 41
Timely and Not Location Specific 42
Anonymity 43
Minimal Loss of Human Life 44
First Strike Advantage 47
Offensive Nature of Information Warfare 47
Deterrents to Waging Information Warfare 48
Economic Interdependence 49
Fear of Escalation 52
Lack of Technical Expertise 53
Information Warfare as Terrorism 54
The Realist/Liberal Approach to Information Warfare 56
The Realist Approach to Information Warfare 57
Problems with the Realist Approach 59
The Liberal Approach to Information Warfare 61
Problems with the Liberal Approach 62
The Realist/Liberal Conflict 64
The Strategic and Security Impacts of Technology:
A Historical Perspective 68
Decentralizing the Military: The Conoidal Bullet 69
Information Warfare: The Bushnell Turtle of the Information Age 71
CHAPTER 4 - National Security Solutions for the Information Age 74
The Computer Security Act of 1987 74
Operation Sundevil 76
Information Warfare: A Threat Assessment Portfolio 77
National Security Solutions for the Information Age 80
Step One: Declassify the Threat 80
Step Two: Increase Security 81
Step Three: Increase Vendor Accountability 82
Step Four: Facilitate Private/Public Sector Cooperation 83
Step Five: Conceptualize Our Information Sphere 84
Step Six: Multi-Level Education 88
Step Seven: Use Hackers as a National Resource 90
Step Eight: Global Institutions and International Agreements 95
Conclusion: National Security in the Information Age 96
FOOTNOTES
SELECTED BIBLIOGRAPHY 101
_________________________________________________________________
ABSTRACT
This thesis examines the impact information technologies have had on
the national security of the United States. It looks at how these
technologies have evolved into a significant component of the
economic, military, and social construct of the nation resulting in a
transition from the Industrial Age to the Information Age.
It introduces a new paradigm for conflict among nations based upon
attacking information infrastructures. The political attractions and
deterrents to using these new information warfare methods are
discussed at great length. The debate is then placed in a traditional
realist/liberal context and examined from both perspectives,
suggesting ways in which each side would remedy the national security
threat. Historical technological developments are explored and
contrasted with new technology to develop hypotheses regarding the
future strategic impacts that these new technologies will have.
An increased reliance on information technology which is highly
vulnerable to failure and sabotage has created a new risk to the
national security of the United States. These vulnerabilities will be
exploited during any conventional military conflicts between nation
states, but several political deterrents including economic
interdependence and fear of escalation decrease their attraction
during peacetime. Despite this, the political and strategic
attractions of information warfare make it a likely terrorist weapon.
The final chapter offers policy prescriptions and solutions for
integrating these concerns into the framework of the United States'
grand strategy to decrease the security threat and facilitate
international cooperation in this area.
_________________________________________________________________
ACKNOWLEDGMENTS
I am greatly indebted to a number of people who have made this thesis
possible. First and foremost, my parents, family and friends who have
provided unlimited support and encouragement. This thesis is dedicated
to them.
A special acknowledgment to Robert D. Steele. From the beginning, he
has provided encouragement and opportunity. The scholarship he
provided to attend his International Symposium: "National Security and
National Competitiveness: Open Source Solutions," allowed me to
exchange ideas with innovators and experts from around the world.
Special thanks to Dr. Mich Kabay and the National Computer Security
Association for giving me the opportunity to speak at the Second
International Conference on Information Warfare.
Within the University of Vermont: Professor Cherie Steele, for her
patience and dedication as my thesis advisor; Professors Tony
Gierzynski and Tom Streeter, for sitting on my thesis committee; and
Professor Tom Rice and the rest of the Political Science department
for providing support and funding for my graduate research.
Many others were helpful, perhaps without realizing it: Winn
Schwartau, Bob Stratton, Eric Hughes, Emmanuel Goldstein, and numerous
members of the digital underground.
_________________________________________________________________
Chapter 1
Introduction
Conceptions of national security can and do change. A series of new
threats to American national security have developed with our
transition into the Information Age. New technological developments
and an increased reliance on computer-based technology will cause a
shift in conceptions of national security for all advanced
post-industrial societies. Nations face the danger of having their
information infrastructures destroyed, altered, or incapacitated by
new offensive technologies. Accordingly, grand strategies must
integrate these new threats and vulnerabilities into their general
framework. Although Eugene Skolnikoff argues that the vulnerability of
large systems is rarely noticed until disruption or catastrophe
occurs(1), this thesis argues that these issues must be dealt with
pre-emptively to minimize their economic and political costs.
Political scientists and political leaders must recognize and examine
the threats posed by new technology and how it will effect both
national and international political relationships. This thesis
provides an introduction to these new technologies and suggests ways
they have been utilized in the past to threaten the national security
of the United States. The threat is also placed in a theoretical
political context by examining how it relates to paradigm-shifting
technologies of the past, what its political attractions and
deterrents are, and how it would be analyzed and addressed within
traditional realist/liberal national security schools. It concludes
with policy prescriptions to assist policy makers in the transition to
a new national security agenda that includes the concepts examined in
this thesis.
The need for work in this area is great. Very little work has been
done in the political science field to examine security issues related
to information technology.(2) David Ronfeldt argues that "with few
exceptions, policy makers and analysts are just beginning to discern
how government and politics may ultimately be affected by the
information revolution."(3) As a result, this thesis draws from a wide
range of material that has been taken from multiple disciplines and
weaves it all to reveal national security vulnerabilities and what can
be done about them.
The Information Age
The United States is making a transition to a new age. Alvin Toffler
referred to this transition as the Third Wave(4), in his 1980 book of
the same title.(5) According to Toffler, the pattern of societal
development follows a series of waves, each of a lesser timespan than
the previous. Toffler writes:
Until now the human race has undergone two great waves of change, each
one largely obliterating earlier cultures or civilizations and
replacing them with ways of life inconceivable to those who came
before. The First Wave of change - the agricultural revolution - took
thousands of years to play itself out. The Second Wave - the rise of
industrial civilization - took a mere three hundred years. Today,
history is even more accelerative, and it is likely that the Third
Wave will sweep across history and complete itself in a few
decades.(6)
Toffler's predictions about the coming Third Wave were written over
fifteen years ago, and the societal revolution he predicted is readily
acknowledged today as the Information Revolution.
This terminology is used by the leaders of the United States to
describe the transition to a knowledge-based economy. Vice President
Al Gore argues that "we are in the midst of an Information
Revolution."(7) President Clinton often speaks of the Information Age
and during his presidency he has created various working groups and
committees to develop the foundations for a National Information
Infrastructure.(8) Various scholars argue that the United States has
already made the transition into the Information Age and that a
majority of our jobs are already knowledge-based jobs.(9) In fact the
decline in industrial based jobs looks very similar to the decline in
agricultural jobs brought about by the transition from the First to
the Second Wave. The swell of the Third Wave is already visible and
its crest no longer unimaginable.
The Knowledge-Based Economy
If this coming Sunday, you were to sit down and read the entire New
York Times, you would absorb more information in that one reading that
the average person absorbed in a lifetime in Thomas Jefferson's
Day.(10)
Information revolutions are not new. Gutenberg's printing press
launched an information revolution over five hundred years ago. His
invention allowed for the mass distribution of information, permitting
common men to posses otherwise scarce texts like the Bible. This
created less reliance on hierarchical sources of authority for
interpretation of texts and granted anyone with the resources to
operate a printing press access to large audiences. To take the
argument even further, author Kevin Kelly argues that cultural
advances, like the printing press "prepared a possibility space that
allowed human minds and bodies to shift so that some of what it once
did biologically would afterwards be done culturally."(11) Under this
view, the printing press served a dual purpose. It revolutionized the
way human beings interact and it contributed to our evolution by
decreasing the amount of information our minds needed to store. In
this regard, the Information Revolution is similar to the printing
revolution. Computers increase our capacity to store and search for
information externally.
Other mediums of communication might be considered revolutionary as
well.(12) One need only think of the changes brought about by the
invention of the telephone, radio, and television to realize that
information revolutions have their place in history. Each of these
technologies increased our capacity to communicate over great
distances. In some cases, the communication took place over physical
cables, and in other cases the communication took place over frequency
waves with no physical connection required. How does this information
revolution promise to be different?
The difference is our increased ability to access, distribute and
store incredibly large quantities of information in very little time.
It is now possible to send the entire Encyclopedia Brittanica across
the country in about two seconds.(13) Access to large quantities of
information through electronic communications is a realizable goal
anywhere there is access to a standard phone line or cellular cell. In
the near future, a series of low orbit satellites will allow
electronic communications technology to be utilized from any location
on earth.(14) In addition to this, the Internet, currently the world's
information backbone, is increasing at a rate of twenty-five percent
per month and the World Wide Web has been experiencing growth rates of
341,634 percent per year.(15)
With this increase in interconnectivity and information resources, the
labor force of a Third Wave nation becomes knowledge-based. Peter
Drucker writes:
The basic economic resource - "the means of production," to use the
economist's term - is no longer capital, nor natural resources, nor
labor. It is and will be knowledge. The central wealth making
activities will be neither the allocation of capital to productive
uses, not labor - the two poles of nineteenth and twentieth century
economic theory, whether classical, Marxist, Keynesian, or
neo-classical. Value is now created by productivity and innovation,
both applications of knowledge to work. The leading social groups of
the knowledge society will be knowledge workers and knowledge
executives who know how to allocate knowledge to productive use, just
as the capitalists knew how to allocate capital to productive
use...Yet, unlike the employees under Capitalism, they will own both
the means of production and the tools of production.(16)
Other scholars have expressed similar sentiments. Daniel Bell echoes
Drucker's argument when he proposes that "the crucial point about a
post-industrial society is that knowledge and information become the
strategic and transforming resources of the society, just as capital
and labor have been the strategic and transforming resources of the
industrial society."(17)
The key financial institutions of knowledge-based societies also
become information-based. A majority of the financial transactions
within the United States do not involve the physical transfer of
capital or physical representations of money such as gold or currency,
but rather the transfer of information. For example, when money is
loaned between institutions no physical transfer of funds takes place.
Instead, the informational representation of money is exchanged.
Information now represents money and "finance no longer has anything
to do with money, but with information."(18) Whereas industrial
societies were concerned with protecting physical capital and
providing safe routes for the transport of resources, information
societies must be concerned with protecting information and the
transfer of information. Where the destruction of bridges was a threat
to the national security of an industrial society, the destruction of
information networks, especially those involved with financial
transactions, is a threat to the national security of information
societies.
This is the nature of conflict of the Information Age. Where the
politics of the last one hundred years centered around Industrial Age
technology, the politics of the future will be based on Information
Age concerns oriented towards the storage, protection and exchange of
information. The premiere issue of the magazine designed for the
Information Age, appropriately named Wired, had this to say about the
emergence of new technology.
The medium, or process, of our time - electronic technology - is
reshaping and restructuring patterns of social interdependence and
every aspect of our personal life. It is forcing us to reconsider and
re-evaluate practically every thought, every action, and every
institution formerly taken for granted.(19)
The purpose of this thesis is take this concept one step further. It
will demonstrate that with the Information Age comes new threats to
the infrastructure of the United States. It will show that our
reliance on computer technology and our quick transition into a
knowledge-based economy has left us vulnerable to attack, and that
vulnerability creates difficult political dilemmas that must be dealt
with should we wish to continue following the currents of the Third
Wave.
In Chapter Two, a new paradigm for conflict based upon attacking
information infrastructures is introduced and examples are given to
demonstrate how this new paradigm is rapidly developing to threaten
the security of Third Wave nations. Chapter Three then places the
issue in a theoretical context by examining the political advantages
and deterrents to nations utilizing the capabilities of new technology
for offensive purposes. The issue is then examined from both the
realist and liberal perspective to speculate how each side would
respond to the acknowledged national security threat. Similarities to
historical technological developments are explored and contrasted with
new technology to develop hypotheses regarding the future strategic
impacts that these new technologies will have. The final chapter
offers policy prescriptions and solutions for integrating these
concerns into the framework of the United States' grand strategy in
order to decrease the security threat and facilitate international
cooperation in this area.
_________________________________________________________________
Chapter 2
New Territory, New Concepts and New Warfare
What is the National Information Infrastructure? For the purposes of
this paper, the NII is defined as the physical and virtual backbone of
an information society and includes, at a minimum, all of the
following:(20)
* Financial networks: used for the transfer of information between
financial institutions.
* Private corporate and institutional networks: Used for the
exchange of information between international components of the
same organization.
* Public fee accessed networks: Telephone networks and other
privately provided communications networks.
* Cooperative networks: Used to link educational and research
facilities for mutual benefit, as is the case with the Internet.
* Subscription networks: Fee based access to enclosed virtual
communities as is the case with Prodigy, Compuserve and America
On-line. Also, increasingly connected to cooperative networks to
create large national networks for the exchange of information.
* Government and defense networks: Used for government and defense
communications. Department of Defense networks used for C3I
(command, control, communications and intelligence.)
* Computer reliant public utilities: Power plants, water and sewage,
transportation vehicles and traffic systems.
* Computer reliant technology: Environment and security control in
large buildings, chip reliant cars, and a plethora of other
conveniences.
This rather broad list has been compiled to demonstrate our current
reliance on computer technology. The National Information
Infrastructure is usually described as a utopian network for the
cooperative exchange of information. However, from a security
perspective, the NII encompasses a much more extensive sphere. Not
only does it include systems required for the flow of information, but
the hardware those information flows have helped create, as well.
Where information flows are concerned, one might separate information
content into three distinct groupings with occasional overlaps:
1) Military information, which deals with actual military
developments, top secret operations, intelligence, systems control,
correspondence between high ranking officials, troop files and credit
ratings, general troop activities and lower level correspondence.
2) Business information, which consists of business records, bank
transactions, individual credit records, business systems, and other
financial transactions.
3) Personal information, which includes individual credit records,
personal systems, files and correspondence between individuals.
An attack or threat on lower levels of information, credit card fraud
for example, is more of an inconvenience than a national security
threat. Replacement costs may be high for this type of information,
but the costs are not nearly as high as they are for military or
business information. A successful attack on just a few business
information systems could cause a severe lag in the American economy.
Robert Steele notes that "It costs a billion dollars and takes six
weeks to recover from a one day bank failure and we have them all the
time."(21) If Wall Street suddenly closed down, or if bank
transactions suddenly disappeared the United States would lose
hundreds of billions of dollars. It is estimated that the daily value
of telephone transactions on Wall Street alone, is in excess of one
trillion dollars.(22)
A potential attack on military information, especially that which is
classified, poses a national security threat from a strategic
standpoint. From a command and control perspective, denying
communications capability or altering and destroying intelligence can
have profound effects on the capabilities of modern militaries.
General Colin Powell notes that "A downsized force and a shrinking
defense budget result in an increased reliance on technology, which
must provide the force multiplier required to ensure a viable military
deterrent... Battlefield information systems became the ally of the
warrior. They did much more than provide a service. Personal computers
were force multipliers."(23) Whereas Sun Tzu regarded the skillful
command of troops as having the potential "of round boulders which
roll down from mountain heights,"(24) in today's military it would be
round boulders capable of rolling by themselves, both on flat ground
and up steep grades. Soldiers in battle are less reliant on a
hierarchical command structure and are capable of making more
autonomous decisions based on an increased ability to receive and
analyze real-time information regarding the condition of the
battlefield. In this situation, the emphasis is not on the function of
command, but on maintaining the supply and value of the
information.(25)
Robert Steele argues that information warfare is "about applied
intellect - it is about harnessing intellect and protecting intellect,
and it is above all about providing the commander - including the
civil commander in the role of political, economic, or cultural leader
- with survivable, reliable, decision-support through war and
operations other than war, on the home front as well as on the
traditional front line - and to do so largely with 'out of control'
civil resources."(26) With military command and control placed in this
context, threats to national security are present not only when
military communications are targeted, but also when civilian support
to operations is targeted. One cannot harness the distributed
intelligence of a nation if the information content is diverted or
destroyed.
What threat is posed to American national security if, during a war,
the enemy were able to get information on troop movements or discover
flaws in one of our weapons systems? Or if the Soviets, during the
Cold War, had been able to access information on the Strategic Defense
Initiative or stealth aircraft designs? What if one fourth of all the
computer systems in America stopped working one day?
New Concepts: Information Warfare
Information warfare is about destroying information, reducing
information flows, reducing the reliability of information content,
and denying access to services. Author and security expert Winn
Schwartau writes:
Information warfare is waged against industries, political spheres of
influence, global economic forces, or even against entire countries.
It is the use of technology against technology; it is about secrets
and the theft of secrets; it is about turning information against its
owners; it is about denying an enemy the ability to use both his
technology and his information.(27)
Historical patterns reveal that information warfare is undoubtedly
warfare of the future. Traditionally, warfare has followed the
different waves of development in society. Science has always been
applied to war.(28) Agrarian society saw the development of the
crossbow. As scientific capacity increased, so did the weapons
societies used in warfare. As nations industrialized, they used their
factories to create tanks. As our capacity to understand physics
increased, we used nuclear fission to deal devastating blows from high
altitudes. Today, computer-guided electronics allow us to deal even
more damage from the comfort of an underground bunker thousands of
miles away. As we move, or have already moved, into the Third Wave or
Information Age, it is only natural that our weapons or means of
warfare will follow.
Information warfare, as a concept, is not entirely new. In 1912, when
the British cableship Telconia hauled up and cut the five cables that
linked Germany to the outside world: (two to the Azores and North
America, one to Vigo, one to Tenerife, and one to Brest); the British
were waging information warfare.(29) The British recognized the
strategic significance of wartime communications and utilized their
capabilities to hinder Germany's ability to communicate. Likewise,
when the United States intercepted and decrypted Japanese
communications intelligence during wartime operations and diplomatic
negotiations, the United States was waging information warfare.(30)
The only problem with these examples is that the environment in which
they took place is not as relevant today. These attempts at
information warfare were waged against industrial societies in which
information was just one valuable asset, ranked lower on the hierarchy
of strategic importance than protection of the industrial base.
Today's Third Wave societies are no longer based entirely on
industrial concepts and information has a higher strategic value now
than it has had at any point in history. This means that information
warfare poses a greater threat to national security in the Information
Age than it did in the Industrial Age. In fact, for several reasons
illustrated later, information warfare may become the preferred method
of conflict among Third Wave nations. General Gordon Sullivan and
Colonel James Dubik acknowledge that "To succeed against an industrial
state generally requires the destruction not only of its army, but
also of the military infrastructure, resources and manufacturing base
of the total war-making capability. Achieving victory against an
information-based state will entail destroying that country's armed
forces, as well as destroying its war-making capability (which may
well include industrial and information-related targets) and its
information systems."(31) Not only is information warfare an entirely
new paradigm for waging war, it must also be adopted as a supplement
to traditional and conventional means of warfare if successful
campaigns are to be waged.
New Weapons
With a new type of warfare comes a new breed of weapons. In order to
understand the vulnerabilities of systems and the capabilities of
possible adversaries, a brief overview of offensive information
warfare weaponry is required.
HERF Guns. High Energy Radio Frequency guns allow adversaries to
create denial-of-service scenarios against a wide variety of targets.
The concept behind the HERF Gun is very simple and they are incredibly
easy to build. Depending upon the size of the power source used and
range or accuracy desired, HERF guns can be designed to take many
different shapes and forms. HERF Guns direct a blast of high energy
radio signals at a pre-selected target. Schwartau explains:
Electronic circuits are more vulnerable to overload than most people
realize, and that weakness is exploited by a HERF Gun. A HERF Gun is
nothing more than a radio transmitter, conceptually similar to the
real tall ones with blinking red lights on top to keep planes from
hitting them. Your portable CB or cellular phone are also radio
transmitters, with different purposes, working at different power
levels. The HERF Gun shoots enough energy at its target to disable it,
at least temporarily. A HERF Gun can shoot down a computer, cause an
entire network to crash, or send a telephone switch into electronic
orbit. The circuitry within modern computer and communications
equipment is designed for low-level signals; nice quiet 1s and 0s
which operate within normal limits. The HERF Gun is designed to
overload this electronic circuitry so that the information system
under attack will become, at least temporarily, a meaningless string
of babbling bytes.(32)
The damage that a HERF Gun can do when directed at a variety of
creatively selected targets is clearly obvious. Not only is a
situation created in which information systems fail, but it becomes
extremely difficult to identify the cause of failure.
EMP/T Bombs. Electromagnetic Pulse Transformer Bombs operate under the
same principle as HERF Guns; however, they are thousand times more
powerful.(33) Also, the damage induced by EMP/T Bombs is permanent.
Governments have been concerned with the threat of electromagnetic
pulse since the invention of the atomic bomb. A 1980 Federal Emergency
Management Agency report concluded that the following hardware would
be most susceptible to failure from EMP: computers, computer power
supplies, transistorized power supplies, semiconductor components
terminating long cable runs (especially between sites), alarm systems,
intercom systems, life support system controls, telephone equipment,
transistorized receivers and transmitters, transistorized process
control systems, power control systems, and communications links.(34)
If EMP/T Bombs were detonated over densely populated urban areas, the
results would be disastrous. Not only would all communications and
electronic equipment fail, but the city would also experience a
blackout, thus creating a prime environment for civil unrest and
riots.
System intrusion. Interconnected communications and computer systems
are also susceptible to intrusion. Commonly referred to as hacking,
system intrusion creates a wide variety of security concerns. Hacked
systems can be utilized for information gathering purposes,
information alteration, and sabotage. Vulnerabilities exist in almost
every externally networked computer in the United States. A report
prepared by the Computer Security division of the National Institute
of Standards and Technology notes that "connectivity allows the hacker
unlimited, virtually untraceable access to computer systems."(35) An
entire subculture dedicated to the issues concerning hacking has
developed and its numbers increase substantially every year. In the
summer of 1994, over one thousand people from around the world
descended on New York city for an organized convention called "Hackers
on Planet Earth."(36) Being a sensational subject, computer hacking
has also generated a lot of attention in the American media. The
recent apprehension of known computer hacker Kevin Mitnick generated a
plethora of front page stories across the nation. Unfortunately, with
this media attention, the term hacker itself has taken on an entirely
new meaning. Steven Levy first described hackers as computer
explorers, "adventurers, visionaries, risk-takers, artists... and the
ones who most clearly saw why the computer was a truly revolutionary
tool."(37) Levy's hackers were the pioneers of the computer industry:
Steven Jobs, Bill Gates and Stephen Wozniak. These are men who are
recognized today as establishing a competitive advantage in personal
computer hardware and software for the United States. Today, the term
hacker is often used to indicate a computer criminal. This creates a
difficult dilemma for those who wish to use the term with positive
connotations. For the purposes of this paper, the term is used in both
capacities, with the focus not on the intent of hackers or computer
criminals, but on their capabilities. Intent, reliability and
disposition only come into play when computer explorers are considered
a potential national security asset in Chapter Four.
Emissions capture and espionage. Computer hackers can also utilize
several tools for the capture of vital information secrets such as
passwords or data. Van Eck emissions enable hackers to capture the
contents of computer screens from up to two hundred meters away.(38)
Devices designed to capture these emissions can be developed at very
low cost. To further complicate the matter, current government
regulations prevent non-governmental organizations from protecting
themselves by installing TEMPEST(39) equipment.(40) Information and
telecommunication networks are also easily monitored for information
that might be utilized for system intrusion.(41)
Viruses, trojan horses and worms. Viruses, trojan horses and worms
have huge destructive potential. Perhaps the greatest threat of the
three is the computer virus, a program which has the ability to attach
itself to legitimate files and then propagate, spreading much like an
infectious disease from computer to computer as files are exchanged
between them. The more interactivity a computer has with other
computers the higher the chance of it contracting a virus. The virus
continues to hide itself until a certain criterion is met. These
criteria change from virus to virus, but some of the most deadly are
viruses that wait a certain length of time before initiating their
destructive capabilities. This insures that the virus has had enough
time to copy itself to many systems, thus increasing its damage
potential. Once the criteria are met, the virus can attack a system in
one of many ways: by erasing files, destroying hard disk drives, or
corrupting databases.
Imagine a virus that spreads to a bank computer and then randomly
modifies numbers within a database, or simply causes the bank's
computers to shut down. The potential for damage is enormous, but it
is mostly monetary damage. Now imagine that same virus attacks a
hospital computer system. Human lives are at stake, making that virus
a tool of murder no less dangerous than a loaded weapon. Viruses are
very difficult to protect against because a copy of the virus is often
needed to create a vaccine or program to detect it. We do not usually
find copies of the virus until they have caused damage. It has been
estimated the cost of removing the viruses infections over the next
five years will be over $1.5 billion - not taking into account the
value of the data that will be destroyed.(42) There are already many
documented cases of companies losing millions of dollars in business
and thousands of hours of computing time due to viruses attacks.(43)
That number will only increase in the future.
By 1992 there were over 1,500 catalogued viruses in the West, with
that number expected to have doubled by the end of 1993(44) One of the
most popular was the Michaelangelo virus, which received news coverage
on all the major television networks. What many Americans do not
understand is that Michaelangelo is just one of many potential
attackers of their computer systems. In Bulgaria, companies have set
up virus factories producing more viruses than the anti-virus industry
can combat. How should the U.S. deal with companies whose only concern
is to produce destructive software? This is one of the many questions
we must ask ourselves when creating policies to ensure safe computing
in future years.
The trojan horse derives its name from the famous attack on the city
of Troy, and operates much like the trojan horse of ancient times. A
trojan horse is a program that pretends to be a benign program but is
really a program of destruction. The program tricks the user into
running it by proclaiming to perform some useful function; however,
once initiated it can be as destructive as a virus. Trojan horses are
less of a danger because they are easily destroyed: one simply deletes
the program, since they contain no means of copying themselves
independently.
The worm operates much like a virus, but is can travel along a network
on its own. Perhaps the best known worm was the one created in 1988 by
Robert Morris, the son of an National Security Agency official. Morris
created a worm to seek out sites on the Internet by traveling along
its many connections and copying itself onto remote computers. Morris'
worm was not created to damage any systems, but he made an error in
designing the program. This error caused the worm to begin propagating
itself at an exponential rate, slowing down Internet sites and causing
communications to come to a standstill. The reaction among Internet
users and system administrators was mass hysteria. The following are
some highlights of the events as they unfolded over the course of
twelve hours
5:00 p.m. - Morris launches his worm onto the Internet
8:00 p.m. - System operators at computer systems across the nation
begin noticing that something is slowing their computer system down.
2:38 a.m. - The virus has spread onto many systems including the
Lawrence Livermore National Laboratory, NASA Ames Laboratory, Los
Alamos National Laboratory, and the Department of Defense's Milnet
network.
- A worried system operator releases the following message onto the
Internet. "We are currently under attack by a computer virus."
5:00 a.m. - An estimated 6,200 computers have been infected in the
course of 12 hours. System operators begin breaking network
connections to protect their systems. Later calculations revealed that
only around 2000 computers had been attacked.
Days later, system operators were still cleaning up and containing the
Internet worm which had caused over one million dollars in damage.(45)
Morris was convicted for the damage initiated by his worm and
sentenced to three year's probation, a $10,000 fine and four hundred
hours of community service.(46) Though Morris's actions were illegal,
he managed to expose the vulnerability of the computer networking
system. If one college student could do so much damage by accident,
what could a rogue nation or terrorist group do on purpose?
Normal accidents. In his 1985 book, Charles Perrow discusses threats
posed by accidental failure of advanced technology.(47) The same
threats exist with computer technology and information systems. It is
not uncommon to read in the newspaper about power lines being cut
causing airports to shut down for extended periods of time or for
unexplainable electronic gremlins to cause multiple failures at great
cost. This was the case in Chicago in September 1994 when several
unexplainable electronic failures shut down airports and financial
institutions throughout the city.(48)
Information Warfare: Isolated Examples
Although there have been several examples in which national security
has been breached in the past five years, no single event constitutes
an enduring national security threat. But collectively, these events
highlight a national security threat based upon internal weaknesses in
the security of information technology systems in the United States.
Operation Datastream
Recently released information reveals that a sixteen-year-old computer
hacker from Britain was able to infiltrate United States Department of
Defense computer systems for seven months without being detected. He
obtained access to ballistic weapons research, aircraft design,
payroll, procurement, personnel records and electronic mail. In all,
over one million passwords were compromised. The Ottawa Citizen
reports that "the U.S. Defense Information Systems Agency admitted in
a private briefing, which has been confirmed, that the hackers had
affected the departments' 'military readiness'."(49)
It is also believed that the hacker had access to sensitive and
classified computer databases regarding nuclear inspection details in
North Korea.(50) The security implications in this case are
intensified by the fact that information could have been altered. Had
the North Korean government had access to this information, it is
possible that they might have altered databases and communications to
assist their development of nuclear weapons. In fact, there is no
evidence to suggest that North Korea was not involved in operations of
this sort on its own. It is acknowledged that the only reason the
British hacker was caught is because he left his computer terminal
connected to a U.S. defense computer overnight.
This is obviously a case where information warfare techniques have
substantial implications. Nuclear weapons are regarded as one of the
most devastating threats to the physical security of nation states.
This case demonstrates that information warfare can be used to assist
nuclear proliferation, creating two major security concerns. North
Korea might have been able to alter inspection reports and falsify
data to cover up their nuclear proliferation efforts, or it might have
utilized the information to find out which sites the United States was
targeting for inspection.
The Hacker Spy
Perhaps the best publicized account of a hacker breaking into U.S.
military computer systems took place in 1986 when Cliff Stoll at the
Lawrence Berkeley Laboratory (LBL) discovered a German hacker using
the university's computer to access sensitive databases. Stoll's
adventure began when he found a seventy-five cent error in the LBL
accounting system that tracks system usage and then bills the correct
party. By exploring the accounting software, Stoll found that a user
named Hunter had used seventy-five cents worth of computing time in
the last month. Stoll also discovered that Hunter did not have a valid
billing address, so he had not been properly charged. Through much
work, Stoll discovered that Hunter was in fact a computer intruder, a
hacker using LBL's system to access other systems. In most cases the
user would have been shut out, but Stoll, an astronomer by trade, not
a computer security expert, decided to track the activity of the
hacker.(51)
When Stoll first discovered that the hacker was accessing military
computers, no one believed him. The people in charge of maintaining
these sensitive systems did not know, nor did they believe, that a
hacker had entered their system. Stoll had a even harder time trying
to convince law enforcement agencies that this was indeed a crime
worthy of having the hacker's call traced. This one hacker attempted
to break into many military computer installations including the
Redstone Missile Command in Alabama, the Jet Propulsion Laboratory in
Pasadena, and the Anniston Army Depot. In many of the cases the hacker
successfully gained full access to computer systems and searched for
keywords like stealth, nuclear, White Sands and SDI.(52) When he found
the files he copied them to his home computer.
The search for the hacker continued for almost a year. The activity
was eventually traced to a West German citizen named Markus Hess.
Hess, a member of the hacker group called the German Chaos Computer
Club, used the pseudonym Pengo among his colleagues. He was known as
one of the best hackers in the Hannover area. On February 15, 1990,
Hess and two colleagues were convicted of espionage for selling
secrets to the KGB.(53)
Surely one must look at this case as a threat to U.S. national
security, especially in the context of the Cold War. Gone are the days
of searching for Ivans in elite factions of the U.S. military. Now any
twenty-year-old German drug addict can accomplish the same thing from
an apartment in West Germany. The vast computer networks gives him the
means, and the lax security of the United States computer systems
allows him to gain access to them and compromise national interests.
Hacker Attacks During Gulf War
The United States inability to protect its computer systems was
demonstrated by attacks on Department of Defense computer systems
during the war with Iraq. Testimony before a Senate committee
confirmed that during April and May of 1991, computer hackers from the
Netherlands penetrated thirty-four Department of Defense computer
sites. Here are few highlights from the report:
At many of the sites, the hackers had access to unclassified,
sensitive information on such topics as (1) military
personnel--personnel performance reports, travel information, and
personal reductions; (2) logistics - descriptions of the type and
quantity of equipment being moved; and (3) weapons system development
data. Although the information is unclassified, it can be highly
sensitive, particularly during times of international conflict. For
example, information from at least one system, which was successfully
penetrated at several sites, directly supported Operation Desert
Storm/Shield. In addition, according to one DOD official, personnel
information can be used to target employees who may be willing to sell
classified information.(54)
U.S. soldiers put their lives on the line to fight a war for a country
that cannot even protect the sensitive information related to their
activities, let alone personal data that could be used against their
families. What is most distressing about the report is its conclusion
that the hackers exploited known security holes to gain access to a
majority of these systems. The United States government knew that
these security holes were there, yet it did nothing to fix them. The
report also indicates that the hackers "modified and copied military
information,"(55) and that many of the sites were warned of their
vulnerability but failed to realize the implications. The report ended
with a warning of things to come: "Without the proper resources and
attention, these weaknesses will continue to exist and be exploited,
thus undermining the integrity and confidentiality of government
information."(56)
The Dutch hackers are one of the most respected hacking groups in the
world. Luckily for the United States, the Dutch exploits were for
educational purposes only. Their attacks were blatant, open and
recorded by video.(57) In order to ensure that their explorations were
noticed they created a user account named after Vice President Quayle.
Had the Dutch hackers been acting with malicious intent, or under the
sponsorship of another nation state, who knows how much damage they
could have inflicted on Allied operations in the Gulf War.
Infrastructure Attacks
The three examples given above demonstrate instances where sensitive
military information was accessed, erecting a breach of security with
serious national security implications. Although these attacks were
dangerous, they caused very little damage to the flow of information.
Attacks that target information infrastructures with the intent to
damage information flows are of equal, if not greater, concern.
In an information-based or knowledge-based economy, denying access to
information transfers causes economic instability. However, due to the
infancy of the information-based economy and an increased hesitance to
report instances where damage is incurred, there are very few examples
in which individual actors have inflicted this sort of damage.
Instead, this section will focus on examples of accidental failure
that demonstrate vulnerabilities in the infrastructure of Information
Age societies.
The Phone System
On January 15, 1990 seventy million phone calls went uncompleted.(58)
In Queens, New York two teenage hackers wondered if they were to blame
for the outage.(59) The phone company also wondered if hackers might
be at fault as well. In fact, several hackers were being closely
monitored for illegally accessing, altering and using various phone
switches. As it turned out, a programming error was to blame for the
failure, however, a sense of urgency regarding the security of the
phone networks was established.(60)
Crashes since then have not been uncommon. Steven Bowman writes:
Telephone switching stations which are scattered about the U.S. cities
are crucial to our communications network. They are squeezed into any
number of unprotected locations. In 1992, a failed AT&T switching
station in New York put both Wall Street and the New York Stock
Exchange out of business for an entire day, with an estimated loss of
billions of dollars in trading value. The failure resulted in 4.5
million blocked domestic long distance calls, nearly 500,000
interrupted international calls, and the loss of 80 percent of the
Federal Aviation Administration's circuits. A similar failure on
November 5, 1991, in Boston resulted in a 60 percent loss of calls in
that area.(61)
Today, the security of the phone networks upon which rely for everyday
communications and business transactions is still questionable.
Reports, detailing the recent arrest of America's most wanted computer
hacker, Kevin Mitnick noted that Mr. Mitnick manipulated telephone
company switches to disguise his whereabouts.(62)
We rely on telephone communications daily. Many American businesses
would be unable to function without them. Not only is there an
inherent vulnerability of this service being denied, but phone lines
can also be manipulated to divert calls to competitors or can be
eavesdropped upon. In what has been called the Hacker Wars, competing
hacker groups within the United States used such techniques on a daily
basis. Not only did they manipulate phone switches, but they also
gained access to numerous private computer networks, including some
military sites. Though losses were minimal, it is only because phone
system crashes have been isolated and uncoordinated. Should someone
target several large phone networks at once, the results would be more
than an inconvenience. It would have a devastating effect on the
economic prosperity of many businesses. Should the denial of service
be maintained for extended periods of time, many businesses,
government agencies, and even some military installations would be
electronically paralyzed.
The Power Grids
Power grids, like telephone networks, are prone to failure, both
accidental and intentional. Stephen Bowman writes:
The United States power system is divided into four electrical grids
supplying Texas, the eastern states, the midwestern states and the
northwestern states. They are all interconnected in Nebraska. A unique
aspect of the electrical grids, as with communication grids, is that
most built-in computerized security is designed to anticipate no more
than two disruptions concurrently. In other words, if a primary line
went down, the grid would ideally shut off power to a specific section
while it rerouted electricity around that problem area. If it ran into
two such problems however, the grid is designed to shut down
altogether.(63)
The national security implications of major power failures are
obvious. Blacking out several large cities at once would result not
only in large economic losses, but would likely spawn civil unrest and
chaos. One need only think of the damage inflicted by the Los Angeles
riots in 1992. For social reasons, outside the realm of this paper,
our cities have become highly unstable and prone to disruption. Amory
B. and L. Hunter Lovins note that "However caused, a massive
power-grid failure would be slow and difficult to repair, would
gravely endanger national security and would leave lasting economic
and political scars."(64)
The Big Picture
Are you telling me that we spend almost $4 trillion dollars, four
goddam trillion dollars on defense, and we are not prepared to defend
our computers?(65)
Isolated incidents of electronic communications, computer, and power
failures are inconveniences with heavy price tags, but they are not a
threat to the national security of the United States. Accidents
happen. We are prepared to deal with most. We are not, however,
prepared to deal with an internal or external attack on our entire
information infrastructure as defined earlier in this chapter. Nor are
we prepared to deal with the domestic and international political
consequences that such vulnerabilities create, as will be discussed in
chapter three.
I wish to conclude this chapter by bringing all the pieces together in
a hypothetical threat assessment so that an in depth evaluation of the
security implications can be discussed. It is estimated that with as
little as 1 million dollars and less than twenty well trained men, the
infrastructure of this nation can be brought to its knees.(66) More
conservative figures estimate it at 100 million dollars and 100
men.(67) Never before in history, has new technology created such
vulnerabilities to national security at so low a cost to the attacker.
Imagine a well trained team of saboteurs, operating over several
years, infiltrating several high technology companies like Microsoft
or Novell, a few major automobile manufacturers, or a couple of
airlines. Viruses or trojan horses are timed to detonate on a certain
day, rendering computer systems inoperable. A small team of hackers
infiltrates large computer, telecommunications and power centers
preparing them for denial of service attacks. Another team constructs
several large EMP/T bombs and HERF Guns to be directed at targets like
the Federal Reserve and Wall Street. Doomsday arrives and the
countries electronic blood stops flowing. No transfer of electronic
funds, no stock exchange, no communications and power in a majority of
locations, no traffic control, no air travel. At this point, what is
the situation? Our physical integrity has been maintained, the loss of
life has been minimal, and we have no one to blame. Has our national
security been breached? Information warfare and intelligence expert
Robert Steele argues that the United States can not recover from a
similar, even if much smaller, attack:
We can not afford the luxury of waiting for an electronic Pearl Harbor
to mobilize public opinion, for two reasons: first, because the
catastrophic outcome of a major electronic disaster, one which
degrades or destroys major financial centers - eliminating trillions
of digital dollars- or other key elements of our national fabric, is
not supportable by our existing economies. We cannot afford the cost
of the time to reconstitute our civil sector. The second reason is
more frightening: it is highly unlikely that we will be able to prove
with any certainty which nation, organization or individual was
responsible for the attack.(68)
Consider the following report by Robert Ayers, Chief of the Center for
Information Systems Security. Mr. Ayers group recently used readily
available hacker tools freely available on the Internet to test the
vulnerability of U.S. systems. He found that:
88% of the time they are effective in penetrating the system,
96% of all system penetrations are undetected, and
95% of the instances where penetration is detected, nothing is
done.(69)
According to a report in OSS Notices, Mr. Ayers "estimates that only 1
in 1000 successful system penetrations is ever reported and that in
any given year government systems are illegally accessed, though not
necessarily maliciously so, at least 300,000 times."(70)
On the virus front one U.S. government organization found 500 software
and hardware viruses in a single year, all of which were intercepted
and scanned at its loading dock in the original shrink-wrapped
packaging.(71) These problems will only continue as information
networks continue to grow at exponential rates and as viruses are
created faster than we can detect them.
Ivan Bloch has stated that the "future of war [would be] not fighting,
but famine, not the slaying of men but the bankruptcy of nations and
the break-up of the whole social organization."(72) The transition
into the Information Age makes such a vision all the more plausible.
Where national security is concerned, information networks have
created a tunnel to the center of our vulnerability, usable by any
nation or collective of individuals at their discretion.
_________________________________________________________________
Chapter 3
The Political Context of Information Warfare
Ultimately, information warfare must be seen in a political context.
How should nations deal with the threat posed by information warfare,
both internally and internationally? What are the political and
strategic attractions of waging information warfare? What are the
deterrents? Should nations be concerned with capabilities or
intentions? How does information warfare compare with traditional
concepts of national security and the development of other new
technologies? The purpose of this chapter is to answer these
questions, demonstrating how the concept of information warfare fits
within the framework of traditional national security studies, but, in
order to find solutions, we must move beyond them.
What is National Security
Much work has been dedicated to the study of what comprises national
security. At its simplest level, a nation's security has been defined
as "no more than the total of the individual's perceived sense of
security."(73) More encompassing definitions suggest that national
security entails the "range of physical threats that might arise for
the nation and the force structures, doctrines and military policies
mobilized to meet those threats... also those internal and external
factors - such as economic or technological change - that might arise
and whose direct or indirect effect would be to diminish or to enhance
the nation's capacity to meet physical threats."(74)
Using this definition alone, information warfare can be categorized as
a national security threat. Given the vulnerability of military
information networks and the military's reliance on commercial
communications paths for ninety-five percent of its
communications,(75) information warfare can hamper the military's
ability to respond to conventional threats. The military's reliance on
computer technology for digital mapping and intelligence also creates
a vulnerability to our conventional military forces. It took two
months to meet the digital mapping requirements to use Tomahawks in
Gulf War.(76) Had the threat been immediate, the United States would
not have been able to utilize its smart weapons capabilities and
collateral damage would have been higher. Also, EMP/T bombs can be
used to destroy radar installations with little to no human deaths, as
they were in the Gulf War,(77) thus decreasing a nation's ability to
respond to missile and aircraft threats.
To fully realize the potential threat of information warfare, the
definition of national security must be broadened. The economic
arguments of scholars like Luttwak, Thurow and Prestowitz(78) must be
included in our definition of national security. Is United States
national security threatened if our ability to maintain a prosperous
economic system declines? If so, how might other nations gain
competitive advantages against U.S. industries and financial markets
using information warfare techniques? How might electronic
eavesdropping through Van Eck emissions capture and communications
interception be used to threaten national security by threatening
American prosperity? The recent expulsion of five alleged American
spies from France demonstrates that other nations consider industrial
espionage a serious threat.(79) Unfortunately, this area is too large
to deal with in the confines of this paper, but this prosperity aspect
must be drawn into an expanded definition of national security to
realize the threat posed by information warfare.
Information warfare endangers not only our ability to respond to
physical threats, but our economic prosperity, as well. Traditionally,
our ability to remain prosperous has been directly linked to physical
threats. In the Information Age this is no longer true. Economic
prosperity, indeed the very lifeblood of our economic identity, can be
destroyed without any physical damage being inflicted. Once the threat
is recognized, one must ask: In this post-Cold War world, why would
states want to wage information warfare against each other?
Political Attractions of Information Warfare
Politically and strategically there are many attractions to
state-sponsored information warfare. It is low cost, timely, not
location specific, provides no early warning, is not taboo, inflicts
low human life costs, and can be waged in complete anonymity. Each of
these must be examined at length before a clear understanding of how
information warfare is strategically and politically advantageous can
be achieved.
Low Cost
Information warfare is relatively cheap to wage. You get a high return
on your investment with information warfare techniques. Both Steele's
and Schwartau's estimates of what it would cost to reduce the United
States to information rubble ($1 million and $100 million
respectively) are incredibly cheap when compared to the cost of
conventionally military weapons. This makes offensive information
warfare attractive to Third World states and offers them the same
basic capability to inflict damage on information infrastructures as
Second and First World nations.
Timely and Not Location Specific
Information warfare is timely and it is not location specific.
Information warfare can be waged at the drop of pin, to steal an
analogy from the telecommunications industry. There is no early
warning system for information warfare. You don't know it is coming,
so you must always anticipate it. This creates a high level of
paranoia. No radar can pick up a long distance phone call from
overseas, yet that one phone call may cause more monetary damage that
a dozen planes carrying conventional bombs. The World Trade Center is
a perfect example. The damage to the flow of information, estimated at
over $1 billion(80), proved to be more costly than the structural
damage inflicted on the building. Viruses can be imported into the
United States through information networks, telephone lines, or on
simple floppy disks which do not attract the attention of U.S. Customs
Inspectors.
Although a well-planned information warfare attack might take several
years to orchestrate, it can occur instantaneously. To uncover plans
for such an attack would involve a great deal of investigation and
intelligence or a stroke of luck. Most of the actors would be
invisible, both to the victim and to each other. Most of the
preparatory work for lower levels of information warfare can be done
outside the traditional territorial boundaries of the victim nation.
Other forms of information warfare, (HERF Guns, EMP/T Bombs) require
the breaching of international boundaries, thereby allowing greater
capabilities to those nations that have easier access to U.S. visas or
are subject to less stringent immigration regulations. However, as the
World Trade Center bombing proves, our nation's boundaries are capable
of being breached by any foreign nationals or terrorists with
malicious intent.
Anonymity
Information warfare can be waged anonymously. Anonymity is the nature
of new technologies, especially telecommunications. An anonymous
attack creates two problems. Not only has a state's national security
been breached, but there is no one to hold accountable for the attack.
This makes information warfare very attractive tool to covert
operators. However, given the nature and intent of terrorism, it is
highly unlikely that terrorists will remain anonymous while engaging
in information warfare, since it is in their best interest to claim
the damage they have inflicted.
Political dilemmas arise in the victim state when citizens demand
retribution. The government has no target. The result will be
political instability as citizens focus blame on the government for
allowing this to happen. It might even be possible to collapse a
particular political system with prolonged, systematic anonymous
attacks.
We need computers in our lives, but we do not trust them. Winn
Schwartau calls these conflicting feelings "binary schizophrenia."(81)
When used anonymously, information warfare plays on feelings of binary
schizophrenia causing insecurity and chaos. In this regard, anonymous
information warfare is comparable to the German blitzkrieg of World
War II. It makes an impact on the citizenry as well the government.
Targets can be strategically selected to generate the maximum amount
of chaos and insecurity possible.
Minimal Loss of Human Life
Information warfare can also be waged to minimize the amount of human
life lost within the target nation. This makes information warfare
techniques politically attractive since there are no global taboos
associated with waging war against machines. Jeff Legro gives three
reasons why states might restrain from using certain weapons or means
of warfare. He argues that "countries may pursue restraint because
popular opinion vilifies certain weapons; because leaders calculate
that escalation would damage their domestic and international
political support; or because states fear retaliatory attacks."(82)
How does information warfare fit within this framework? Because
information warfare causes low levels of human casualties and
structural damage, there is little reason to believe that popular
opinion will vilify it. In fact, populations will not even know
information warfare is being waged against them until it is too late.
Even at that point, very few people will understand the methods used.
Therefore it is highly unlikely that information warfare will be
considered an inhuman way to pursue diplomacy by other means.
Also, there is little reason to believe that using information warfare
will be politically damaging to the aggressor country. Information
warfare's anonymity assures that the aggressor will be identified only
if they wish to be. When information warfare is waged by one nation
against another without anonymity, the political outcomes would
resemble those of traditional warfare. Strategic alliances could be
formed and some states could chose to remain neutral, though it is
highly unlikely that neutral states will be able to avoid the global
economic aftershocks of high intensity global information warfare.
If waged without anonymity, it is very likely that a victim nation
would respond to information warfare with retaliatory strikes. In this
regard, fear of retaliation or escalation will act as a deterrent to
using information warfare. However, the first strike advantage of
information warfare might neutralize any fears regarding retaliation
using counter information warfare, leaving victim nations with the
difficult decision of responding with conventional military force.
In Legro's essay he uses three examples to demonstrate that military
culture is a strong factor determining when alternative or taboo forms
of warfare will be used. Since information warfare is a relatively new
concept, it is doubtful that it has been fully adopted by the military
culture. However, recent trends indicate that information warfare is
an area that is getting a great deal of attention and increased
funding in an age of reduced military budgets. This shows that the
military culture perceives information warfare as a reasonable and
perhaps preferable form of warfare. At least three branches of the
United States Armed Services have publicly admitted to concentrating
on information warfare concerns.(83) Aerospace Daily reports that
"Major advances in information technologies are spurring the U.S. Air
Force to mainstream information warfare into its operations by
incorporating information warfare into its doctrine."(84) With Legro's
thesis in mind, perhaps the military culture will accelerate the use
of information warfare as a method of conflict resolution. The use of
information warfare techniques by the Allied forces in the Gulf War
indicate that the military culture has already accepted information
warfare as a supplement to conventional military tactics.
First Strike Advantage
In information warfare there is a huge first strike advantage, but
only if the goal is unlimited destruction and anonymity is utilized to
prevent a conventional response. There is a high correlation between
the extent to which a nation damages its enemy's information
capabilities and their ability to respond using purely information
warfare techniques. A nation can execute this first strike anonymously
if it so desires, thus delaying retaliation indefinitely.
The first strike advantage of information warfare complicates matters
further by creating a security dilemma in which those countries
exercising the greatest amount of restraint will likely incur the most
damage. In information warfare, a first strike decreases the
likelihood and may even prevent an adversary from responding. The
strategic advantages of waging a first strike means that nations will
always keep a finger on the trigger. In an anarchic international
system, hostilities or conflict might escalate quickly into
information warfare in an effort to generate a strategic advantage
over one's adversary. If conventional conflict is inevitable, then
whoever destroys their adversary's information systems first, gains a
strategic advantage in battle.
Offensive Nature of Information Warfare
Information technology and computer systems, are vulnerable by nature.
Therefore, taking defensive measures against the information warfare
threat will always be difficult and costly. Improving the defense of
information systems also contributes to the security dilemma since
decreasing one's susceptibility to information warfare increases the
attraction of using information warfare offensively. There are,
however, as will be examined in the next section, several deterrents
to waging state-sponsored information warfare among technologically
advanced nations that will entice states to pursue defensive postures.
In order to neutralize the security dilemma presented by defensive
postures, states may share defensive technologies to ensure that a
defensive equilibrium is maintained. This serves a dual purpose: a
relative balance of power is maintained among states; and the
offensive threat of rogue states or terrorist entities is reduced.
Though states will want to maintain offensive "just-in-case"
capabilities, security is best maintained, due to the nature of the
threat, by developing defensive capabilities.
Deterrents to Waging Information Warfare
Among technologically advanced nations, there are several deterrents
to waging information warfare. Factors such as economic
interdependence, fear of escalation, and lack of technical expertise
detract from the advantages of state sponsored information warfare
Economic Interdependence
Perhaps the most useful definition of economic interdependence in any
discussion of information warfare, is the one put forth by Richard
Cooper. He uses the term to "refer to the sensitivity of economic
transactions between two or more nations to economic developments
within those nations."(85) Focusing on economic sensitivity allows us
to disregard conventional measures such as trade surpluses and
deficits and look at the interlinked effects of economic stability
between interdependent nations.
Our focal point, from the information warfare perspective, must be
upon the extent to which interdependent nations will feel the economic
aftershocks of economic instability. Should the U.S. fall victim to
information warfare directed at our financial institutions, what
effect would it have on the economic stability of the European
Community or Japan and the Pacific Rim nations? If interdependence is
to act as a deterrent to information warfare, then levels of
interdependence must be high enough as to ensure that the costs of
waging information warfare outweighs the benefits. According to
Rosecrance and Stein, the interdependence of the financial system is
now formal because we have vested interests in not letting the
reserves of foreign currencies drop below a certain threshold which
would harm our own economy.(86)
With the realization that information warfare has devastating economic
effects, interdependence will act as a disincentive to state-sponsored
information warfare. Economic interdependence introduces new complex
variables into offensive information warfare strategies. Joseph Nye
notes that there is power to be derived from making oneself less
interdependent with other nations.(87) This is especially true where
information warfare is concerned. The effectiveness of offensive
information warfare is increased as benefits exceed costs. One benefit
of less interdependence with the target nation is that economic
aftershocks will have less effects on the aggressor's economy.
Decreasing economic interdependence might be seen as a precursor to
waging information warfare, but is not a readily realizable goal for
most technologically advanced nations. Reducing levels of economic
interdependence is costly for two reasons: the benefits of
interdependence can no longer be extracted and distributed among the
citizenry, perhaps decreasing a nation's prosperity; and domestic
political constraints can disrupt the nation's internal balance of
power. The domestic sectors of society that benefit from
interdependence (multi-national corporations, financial institutions,
and other investors) will likely logroll interests to prevent the
breaking of interdependent links.(88)
A decreasing level of economic interdependence also contributes to the
intensity of security dilemmas and increases the likelihood of
escalation. Decreasing economic interdependence might be interpreted
as a threatening posture, especially if one nation is more susceptible
to attack than the other, as is the case with the United States and
most of its trade partners. Increasing economic interdependence,
however, might be seen as increasing relative security, especially for
the nations most susceptible to attack. This creates difficult policy
decisions since traditional forms of negative foreign policy, like
economic sanctions, become less effective and perhaps even
threatening. If one nation is perceived as a threat, then the most
effective way of deterring that nation from attacking is to make the
costs of information warfare exceed the benefits. This can be done by
threatening to use conventional military force or increasing levels of
economic interdependence.
It must also be noted, that interdependence does nothing to prevent
states from waging information warfare against specific corporations
of economic sectors to increase comparative advantage in those areas.
Since such actions are being taken by allies of the United States such
as Germany, France and Japan(89), interdependence becomes an
ineffective deterrent. Fear of escalation will act as a more effective
deterrent, or at least will place limits on the extent to which
limited information warfare can be waged.
Fear of Escalation
It has already been demonstrated that the military culture will
probably use information warfare methods as a strategic supplement to
conventional methods in any military conflict and that the escalation
of information warfare is likely. But does the reverse hold true? Will
information warfare escalate to conventional military conflict? In
order for the fear of escalation to act as a deterrent, information
warfare must be allowed to escalate into military conflict. A country
will not wage information warfare, especially against a country with
strong military capabilities, if they fear that the situation might
escalate into military conflict.
Under these circumstances, information warfare becomes highly
politicized and the domestic bases of power can be compromised. It is
important that political leaders declare ahead of time, the value of
information systems and assure the international community that
conventional military tactics, even though they involve the loss of
human life, will be used to counter information warfare attacks.
Given the fact that information warfare causes minimal loss of human
life, response will be difficult for nations without strong
information warfare capabilities. The urge to respond using Industrial
Age warfare techniques will be great, but justifying such responses
will be difficult unless the value of these information systems is
declared before they are attacked. A press release saying "any attack
on the information infrastructure of this nation will be viewed as an
act of war and any state sponsored information warfare may be
responded to with military strikes," may seem a little drastic, but
information warfare can not be taken lightly. This type of warfare
erodes a nation's strength, destabilizes its economy, and threatens
its autonomy. Such responses might be necessary and will certainly be
advocated by many policy makers should the circumstances arise. In
order for the fear of escalation to work as a deterrent to information
warfare, this position must not only be advocated, but adhered.
Lack of Technical Expertise
Lack of technical expertise is perhaps the weakest deterrent to
information warfare. It is not really a deterrent, but what Bruce
Sterling has referred to as a "protective membrane" of computer
literacy.(90) It is foolish to think that this protective membrane
prevents any nation state from developing information warfare
capabilities. If they don't have the experts in-house, they can import
them from another country, whether it be a scientist from Russia or
hackers from the United States. While interviewing a very prominent
U.S. hacker, I discovered that his most lucrative employment offers
came from nations developing strong offensive information warfare
capabilities.(91) This export of U.S. security experts might be viewed
as a security threat in itself.
Information Warfare as Terrorism
Given the offensive nature of information warfare and acknowledging
that in most circumstances the deterrents of waging non-anonymous
information warfare among technologically advanced nations outweighs
the advantages, information warfare becomes a very attractive
terrorist tool. When waged anonymously or by non-state entities, all
of the advantages of information warfare are present but the
deterrents are not. Economic interdependence means nothing to
terrorist groups, therefore, the most powerful deterrent becomes
neutralized. Fear of escalation also does little to deter information
terrorism since most acts will be committed anonymously or by groups
who do not fear military retaliation. Lack of technical expertise
still acts as a deterrent to some extent. However, offensive
information warfare weapons are easily built using open source
material. Lack of resources does little to prevent information
terrorism, but lack of patience may help minimize and isolate the
damage to levels which do not threaten the autonomy of a nation. Quite
possibly, the greatest deterrent to information warfare being used by
terrorists, may be the United States' lack of policy regarding these
areas. Terrorists may feel that an information warfare attack will not
generate enough controversy and may conclude that bloody bombs are
more effective than EMP/T ones for their purposes. This deterrent,
however, will evaporate as the United States recognizes the importance
of its information systems, and as terrorists realize how much
economic damage they can inflict.
Where terrorism is concerned, Legro's three constraints might have
adverse influences, perhaps causing terrorists or rogue states to
pursue information warfare rather than restrain from it. Within
terrorist organizations or rogue states there is no popular opinion to
vilify the use of certain weapons or means of warfare. Moreover, the
popular opinion of those represented by terrorists may vindicate the
use of weapons that maximize damage or inflict the greatest pain on
the target. Leaders of these groups or states may use these weapons to
gain domestic support, and may have little apprehension about loosing
international political support since such support is usually
negligible in the first place. In addition, terrorists or rogue states
seek retaliation, rather than fear it, because retaliation focuses
attention on their organization and their cause.
For these reasons, terrorists are likely to utilize non-anonymous
information warfare because the benefits far exceed the costs. As
knowledge disseminates, the number and locality of the threats will
increase as well. Mr. Schwartau often speaks of cyber-civil
disobedience. This disobedience may take the form of information
terrorism. After the California couple who ran the Amateur Action BBS
in California were sentenced to jail in Memphis Tennessee for
violating Tennessee pornography standards(92), messages circulated on
the Internet requesting volunteers to help take down the Memphis phone
and power grids to protest the use of local community standards for
information transfers that take place on phone lines. Whoever posted
these messages was soliciting help to conduct information terrorism.
Anarchists have talked about creating information anarchy should the
commercialization of the net continue. Again, this would be
information terrorism in a very limited sense.
This numerous and diverse array of potential threats, substantiates
the proposition that information warfare is best averted by
concentrating resources on defensive initiatives. Information
terrorism can be decreased by making the costs exceed the benefits.
This can only be done by reducing the potential for damage to our
information infrastructure should the United States be attacked.
The Realist/Liberal Approach to Information Warfare
Ultimately, information warfare must be addressed in a political
context. How does information warfare fit into traditional conceptions
of national security? How will states approach the problem and what
kind of political conflicts and tensions will develop along the way?
This thesis argues that information warfare fits into traditional
national security debates. Several correlations can be drawn between
information warfare and other technologies that have influenced
conceptions of national security in the past. By examining the
influence of these technologies on war strategy and political
relationships within the international system, one might better
understand how information warfare will have similar influences.
The Realist Approach to Information Warfare
Realists perceive security as a relative concept. The realists are
primarily interested in maintaining a relative balance of power or
relative level of security. With nuclear weapons during the Cold War,
it was easy to gauge relative security. If the Soviets had two bombs
and we had four, and the Soviets increased their arsenal to four, then
we increased ours to eight. A relative security balance was
maintained.
The problem with the realist perspective is that it is does not
usually include economic prosperity as a component of national
security. This makes it difficult to address the information warfare
threat, because it is economic in nature. However, given the possible
impact of information warfare might have on the United States' ability
to use conventional weapons and its devastating effects on command and
control systems necessary to thwart physical threats, most realists
would recognize information warfare as posing a genuine national
security threat.
Once the threat is acknowledged, the realists would focus on ways to
increase the United States relative security. Since the realists
believe that the international political system exists in a state of
anarchy, in which distrust is a natural component, there is very
little use in cooperative agreements designed to deter information
warfare. The realist approach to information warfare would consist of
the following objectives:
1) Increase security of information systems at home. This objective is
easier stated than realized. There are, however, several ways in which
the security of United States' information systems can be improved
through enhanced security procedures, increased focus on education,
and greater vendor accountability. These suggestions will be expanded
upon in chapter four.
2) Constant evaluation of possible adversaries information systems for
weaknesses. The difficulty with the realist approach is that you need
a way to measure the security of rival nation states in order to
determine your own level of security. Since security is relative, the
realists would create weaknesses where possible, either through
backdoors in software or chipping(93) of hardware. Offensive
information warfare capabilities should be enhanced and readily
available.
3) Formation of possible responses. Develop responses allowing for the
use of both counter information warfare and conventional military
warfare. The United States willingness to use conventional military
forces in response to information warfare should be readily
acknowledged and publicized to deter possible offensive actions
against them.
4) Develop methods for assessing information damage. We are not
currently capable of assessing information damage inflicted or
information damage incurred. In order to measure relative security you
must have some way to create scenarios measuring both offensive and
defensive capabilities.
5) Decrease levels of interdependence. Since interdependence decreases
relative security, interdependence should be reduced. Interdependence
poses a security threat to realists in two ways. First, it reduces the
effectiveness of offensive information warfare waged by the United
States against other nations, since the economic aftershocks of such
an offensive attack would damage the American economy as well. Second,
interdependence leaves the United States susceptible to third party
information warfare waged either against or between nations that are
its trading partners. It possible for nations to damage the United
States' economy by attacking its economic allies.
6) Create autonomous networks. Make networks more autonomous in order
to minimize the domino effect of accidental or intentional failure.
This would be carried out first at the military level and then at the
commercial level for those networks that help support C4I (command,
control, communications, computers and intelligence). However, this
may be another area, where the costs of unplugging systems from the
global network exceed the benefits of security through autonomy. This
will be discussed at greater length in Chapter Four.
Problems with the Realist Approach
Since the United States is arguably the most vulnerable to information
warfare, increasing relative security becomes incredibly difficult.
Apart from an all-out conventional war, offensive information warfare
is not an alluring way for the United States' to pursue its interests.
The costs of reducing interdependence alone greatly exceed any
benefits that could be extracted. These high costs, such as loss of
economic prosperity and domestic political support, make decreasing
economic interdependence in today's highly linked global economy a
non-achievable goal.
Also, under the realist approach, state-sponsored industrial espionage
becomes a necessity if weaknesses are to be implanted in the
information systems of other nations. Given the United States
reservations in using state intelligence agencies for this purpose,
the realists would be hard pressed to create the necessary weakness
required by their doctrine. The United States lacks the linkage
between governmental and private sector goals that are an inherent
component of other nations, like Japan and France, that would enable
it to conduct the level of espionage required to reduce relative
balances of security among possible adversaries. The United States
also faces the possibility of losing global political prestige should
such operations be discovered.
Realism's greatest contribution to the debate is its suggestion that
internal security be increased. Given offensive capabilities should
hostilities occur, as long as the United States increases its level of
internal security at a rate that is equal to, or greater than its
neighbors, it will be able to maintain a relative balance of power. By
decreasing vulnerabilities the United States is decreasing the threat,
regardless of where it originates.
The Liberal Approach to Information Warfare
The liberal perspective is better equipped to recognize the threat to
national security imposed by information warfare based on information
warfare's potential to decrease the United States ability to remain
prosperous. For the liberals, the international political system is
not as anarchic as it is for the realists and it is possible to
achieve order through cooperative policy. The liberal approach to
reducing the threat of information warfare is based more on
cooperative measures than offensive or defensive abilities. The
liberal would pursue the following initiatives:
1) Increase levels of interdependence. Recognizing interdependence as
the greatest deterrent to offensive information warfare the liberals
would seek to increase U.S. interdependence with other nations. Not
only does this promote prosperity, but it reduces the attraction of
using offensive information warfare against the United States.
2) Create global institutions and international agreements. Though
some liberals argue that international agreements and institutions
should not be necessary if states act in their best interest, the
reality is that we rely on regimes for many aspects of cooperative
international relations.(94) Global institutions and agreements ensure
a somewhat stable environment in which states can pursue their self
interests and exchange information with reduced transaction costs.
Regardless, treaties designed to prevent the waging of information
warfare might be difficult to establish as traditional U.S. allies
openly admit to waging Class II(95) information warfare. However,
precautions to prevent Class III(96) information warfare might be
negotiated and would prove beneficial, especially to the United
States, since we are the nation most susceptible to attack.
Technologically advanced nations are likely to join in these
cooperative measures in order to avert the worst case scenario. In the
worst case scenario, offensive information warfare is waged and the
international economy collapses, possibly, but not necessarily,
leading to conventional military conflict. In this case, regimes are
created out of a common aversion to a particular outcome. The benefits
of cheating are outweighed by the possible costs of the worst case
scenario; therefore the regime will survive.
Problems with the Liberal Approach.
Increasing levels of interdependence, or facilitating one-way
dependence, with nations that pose information warfare threats seems
akin to succumbing to bribery. Could developing nations use the threat
of offensive information warfare as a method of integrating their
economies with the global economy? In a true free-market global
economy, increasing interdependence is inevitable. However, the
instability within many developing nations, might motivate developed
nations to keep the number of unstable links to their economy to a
minimum. Increasing interdependence as a deterrent to information
warfare only works if the developed nations are willing to extend
feelers to the entire developing world.
Increasing interdependence only decreases the threat from other nation
states. It does nothing to decrease the threat from terrorists
organizations. Since terrorists have already been cited as those most
likely to engage in information warfare, increasing interdependence
might be viewed as very ineffective policy as far as information
security is concerned.
The problem with creating international regimes is that cheating is
difficult to define. What qualifies as an offensive information
warfare tactic? Is state sponsored industrial espionage a violation or
exception to the guidelines of the regime? Since information warfare
is defined differently by different states, these are all difficult
questions that would need to be mediated. In addition to this, the
liberal approach does very little to prepare the United States for the
possibility of other nations cheating. The security problem is still
greatest for the United States, since it is the most vulnerable to
attack and the costs of the worst case scenario are highest for it.
Stein uses the acceptance of a global language among air traffic
controllers and pilots as an example of common aversion.(97) By
Stein's example, a worst case scenario would be two planes crashing
into each other, causing equal losses for both sides. To apply the
same example for information warfare, the worst case scenario would be
that the two planes crash, but the United States' plane is carrying
400 people, while the other plane is only carrying 50. Both states
have suffered losses by not avoiding the worst case scenario, but the
cost for the United States is greater.
The Realist/Liberal Conflict
The greatest conflict between the realists and the liberals centers
around the formation of international regimes. Stein writes that
"realists hold that since sovereign nations act autonomously in their
own self interest, international institutions are inherently
irrelevant to world politics."(98) The liberals, on the other hand,
accept regimes as methods to cooperatively avoid a worst case
scenario. Is there any middle ground to be found?
The answer is yes, if the formation of regimes are perceived more as
acts of self interest than cooperative agreements. By forming regimes,
in this case, the United States is pursuing its own self interest.
Since the United States has the most to lose in the worst case
scenario, it also has the most to gain from the aversion of the worst
case scenario. The regime might be viewed as the United States forcing
its self interest on the rest of the international community. Robert
Keohane argues that "rational self-interested actors, in a situation
of interdependence, will value international regimes as a way of
increasing their ability to make mutually beneficial agreements with
one another."(99)
One can argue strongly that regimes designed to prevent state
sponsored information warfare, from the United States' perspective,
are actions of self-interest in an anarchic international system and
therefore are acceptable under the auspices of both realism and
liberalism.
Regimes also pose the problem of what cryptographer Eric Hughes calls
"regulatory arbitrage."(100) There will always some states that will
not participate in the regimes and this will offer a favorable legal
climate for individual information warfare efforts. If, as part of the
regime, states agree to outlaw systems intrusion originating in one
country but directed at another, what do you do with the states that
do not participate in the agreement? A perfect example of this is the
Netherlands delay in establishing anti-hacking laws. A lot of attacks
on United States Department of Defense systems originated in the
Netherlands because hacking was legal under Dutch law. The Netherlands
provided a safe legal environment for those individuals wishing to
hack. This left the United States' options limited to increasing
internal security without being able to eliminate the source of the
threat. Is intervention justified at this point?
In order for regimes to work, they must include standardized laws
regarding systems intrusion that transcend all national boundaries.
This problem may be exacerbated in June of 1995 when a team of U.S.
hackers invades the computers of France.(101) After extensively
verifying that they have no legal liability if they violate the
hacking laws of France from within the United States, this group has
decided to test the waters. Hacker Erik Bloodaxe explains that
"International law is so muddled that the chances of getting
extradited by a country like France for breaking into systems in Paris
from Albuquerque is slim at best. Even more slim when factoring in
that the information gained was given to the CIA and American
corporations."(102) This case will provide an excellent test for how
states can resolve international telecommunications violations and
work towards cooperative agreements to prevent such behavior. It may,
in fact, be the catalyst for the first formation of international
regimes dedicated to preventing low levels of information warfare. It
may also provide the United States with a useful bargaining chip to
help deter government sponsored industrial espionage in countries like
France and Germany.
Where interdependence is concerned, neither the realist or liberal
approach offer a viable proposal to decrease the threat of information
warfare. Decreasing interdependence is not an attainable goal in
today's highly interlinked global economy, because interdependence
yields innumerable benefits. Increasing levels of interdependence in
order to deter information warfare threats is ineffective policy,
because it is too focused on specific states and does not encompass
the broad range of threats that exist.
Since, the realist suggestion to create information weaknesses in the
systems of possible adversaries would be a violation of any global
agreements that are likely to be developed, this objective would have
to be abandoned or pursued covertly in violation of the regime.
Increasing internal security through various methods would not
threaten the regime, since it is organized to prevent offensive
information warfare. The security of systems is likely to increase as
technological advances in the area of cryptography are utilized by
individuals and organizations. However, in order to prevent a security
dilemma, the United States would have to terminate export restrictions
on encryption technology.(103)
The remaining realist suggestions dealing with autonomous networks,
strategic planning and developing measures for damage assessment are
possible under liberal regimes as well. Each of these initiatives fall
into defensive categories, however, the creation of autonomous
networks is disadvantageous to technologically advanced nations. Since
distributed information networks contribute to the economic prosperity
of Third Wave nations, any movement towards autonomy may have negative
effects.
Realism and liberalism offer balanced approaches to dealing with the
national security implications presented by information warfare. Taken
alone, neither of them offers a satisfactory blueprint for dealing
with the threat. Combined, they might offer an adequate strategy for
realizing national security in the Information Age. This will be
discussed at length in the policy prescriptions offered in Chapter
Four.
The Strategic and Security Impacts of Technology: A Historical
Perspective
It is useful to examine how past technological developments have
changed military strategy and conceptions of security in the past. By
studying the effects of other technologies, we might increase our
capacity to understand the impact information warfare will have on
strategy and security concerns in the future. Although a nuclear
analogy is inevitable due to the offensive nature of information
warfare, there are several other comparisons which demonstrate how
information warfare can change the distribution of power on the
battlefield.
Decentralizing the Military: The Conoidal Bullet
Manuel De Landa argues that changes in information technology will
cause a shift towards decentralization in the military very similar to
the changes introduced by the conoidal bullet in the nineteenth
century battlefield.
Just as the critical point in speed can mark the beginning of
turbulence, so a critically new technology may set the art of war into
flux for decades. Today's computerized networks, for instance, are
imposing on the military the need to decentralize control schemes,
just as the conoidal bullet forced it in the nineteenth century to
decentralize its tactical schemes. When breech-loading rifles and
their spinning bullets made their appearance on the battlefield, they
allowed infantry to outrange artillery, disrupting the balance of
power that was several centuries old, and forced commanders to develop
new tactical doctrines. Before the advent of the conoidal bullet,
infantry were allowed no initiative on the battlefield, individual
marksmanship was discouraged in favor of synchronized volleys of
collective fire. With the rifle, individual initiative returned to the
battlefield and with these, and increased role for snipers and
skirmishers in the new tactics. Similarly, modern command networks,
after using a central computer to regulate the traffic of messages,
have been forced to grant "local responsibility" to the messages: in
the ARPANET, the messages find their own destination.(104)
In the Information Age, not only is the autonomy of soldiers increased
as command is decentralized, but the weapons have become self-capable
as well. Using vast information systems, we have created weapons that
seek out their own destination. Where the infantry men of nineteenth
century were capable of outdistancing artillery with the advent of the
conoidal bullet, smart weapons allow the United States' military to
outdistance entire countries. The soldier trained to program
coordinates and digital mapping software into Tomahawk missiles now
becomes as effective as a jetfighter pilot, without placing American
lives at risk. This is, no doubt, a comforting notion for those policy
makers initiating hostilities.
However, properly administered information warfare can decrease or
nullify the effectiveness of smart weapons technology. Digital mapping
data can be altered to cause random errors or synchronization
satellites can be jammed to reduce accuracy. Therefore, minimal
investment in open source technology utilized with information warfare
tactics can render the United States' technologically advanced weapons
systems practically useless. Information technology changes the
hierarchical characteristics of military strategy by enabling more
autonomy on the battlefield and by further distancing the role of man.
Attacks upon information systems upset that balance, by rendering new
technologies ineffective and forcing technologically advanced nations
to revert to Industrial Age combat.
The duality of information warfare presents itself again. Not only is
it a new method for waging warfare, but it also effects the way
conventional warfare is waged among technologically advanced nations.
The threat posed by information warfare is multiplied when military
leaders focus more upon strategic threats than tactical ones. General
James Clapper, Director of the Defense Intelligence Agency, concedes:
"I think in this context there potentially is great danger here, not
so much in the context of on the battlefield as much as the thing that
concerns me is the potential danger, the potential vulnerabilities to
our commercial systems, our banking. The very dependence that this
nation has on computers - I think there is clearly a vulnerability in
a strategic sense, not so much perhaps in a battlefield combat
situation."(105) In General Clapper's statement, we can see how
concerned the military is with the impact information warfare could
have on the United States' internal infrastructure.
Information Warfare: The Bushnell Turtle of the Information Age
Regarded as the first working submarine, David Bushnell's "Turtle", a
propeller-driven submersible vessel with a single operator, introduced
a new dimension to naval warfare. Utilized during the American
Revolution, the Turtle carried torpedoes loaded with 150 pounds of gun
powder that were covertly attached underneath British ships and
detonated with timed switches.(106) The British ships were vulnerable
because they operated in an environment where threats were based on
optical observations of the horizon. If there was a ship visible in
the horizon then there was a perception of threat, especially if that
ship adorned an enemy flag. Threats from below the ocean's surface
were both inconceivable and unexpected.
In terms of resources required, it was much cheaper to build and man
the Turtle than it was to build and man British fighting ships.
Similar to information warfare, the Turtle yielded high benefits at
relatively little cost, thereby increasing its attraction despite its
unconventional appearance and design. The analogy can be taken one
step further.
Think of the United States as a British ship and the Turtle as any
nation state or organized terrorist group practicing information
warfare. The ocean is the United States information infrastructure
upon which we maintain our buoyancy. The Turtle, itself, derives its
usefulness from the mobility allowed by the existence of the ocean.
However, the Turtle is able to maneuver alongside the ship with
complete undetected anonymity and place a torpedo along our hull. The
torpedo detonates and the ship faces a crisis. Can the ship survive?
Perhaps, but only because its skilled crew has always demonstrated an
enhanced capacity for remedying problems. The damage will be costly
and will affect the operations of the ship, but with a little
ingenuity, the crisis can be overcome. Now, what if the Turtle had not
placed one torpedo but several, programmed to detonate at precisely
the same time? Such a challenge the ship's crew can not overcome.
To the captain of the ship, the very existence of the Turtle is a
threat. He has several ways to increase the security of his ship.
Hulls can be reinforced to reduce the impact of torpedoes, crews can
be educated to recognize shadows in the oceans surface indicating the
presence of the Turtle, and the ship can build Turtles of their own to
patrol its perimeter and neutralize threatening Turtles as they
arrive.
Although this analogy has been oversimplified, its moral is still
poignant. Vulnerabilities in the information infrastructure and
capabilities to exploit them do exist, creating a dire security
threat. The fact that these capabilities have not been exploited yet
does not reduce their potential. Napoleon dismissed the advanced
submarine designs presented to him by Robert Fulton fifty years after
Bushnell's Turtle first saw action.(107) Fulton later approached the
British who utilized his inventions with little success then dismissed
his predictions regarding the future impact of torpedo warfare.(108)
Today, reality has exceeded even Fulton's expectations. Submarines and
torpedo warfare are considered vital instruments for protecting
national security, especially for waterbound nations like Britain.
Likewise, information warfare will have profound national security
implications for nations that rely heavily on information technology.
_________________________________________________________________
Chapter 4
National Security Solutions for the Information Age
Eventually, these issues must be dealt with on a political level. A
threat to the nations security can not be dealt with until it has been
acknowledged by those in power. Dr. J.F. Holden-Rhodes, in his
remarkable book describing the use of open source intelligence for the
war on drugs, describes how President Reagan signed a National
Security Decision Directive that "equated the impact of drug
trafficking as a threat to the national security of the United States
and directed all federal agencies with a role in drug enforcement,
including the DOD, to pursue counter-narcotics efforts more
actively."(109) Although information technology security warrants a
place on the national agenda, it has yet to be incorporated into
United States grand strategy.
In order to better formulate policy prescriptions dealing with the
information warfare threat, it is useful to examine past government
actions in this area and evaluate their effectiveness.
The Computer Security Act of 1987
The United States Congress passed a law titled the Computer Security
Act of 1987 which required federal agencies to identify systems that
contain sensitive information and to develop plans to safeguard them.
Agencies were required to (1) identify all developmental and
operational systems with sensitive information, (2) develop and submit
to NIST and NSA for advice and comment a security and privacy plan for
each system identified, and (3) establish computer security training
programs.
Finally, the United States was taking seriously the threat to national
security posed by computer vulnerabilities. The Computer Security Act
was a step in the right direction, but holes in the infrastructure
still exist. In 1990, the General Accounting Office examined the
response and implementation of the act. The GAO reports, that as of
January 1990, only 38 percent of the 145 planned controls had been
implemented.(110) The GAO report makes the following conclusion:
The government faces new levels of risk in information security
because of increased use of networks and computer literacy and a
greater dependence on information technology overall. As a result,
effective computer security programs are more critical than ever in
safeguarding the systems that provide essential government
services.(111)
With only a 38 percent compliance more needs to be done if the United
States is to fully protect its valuable informational assets. But,
instead of concentrating on making the systems more secure, the
government chose to focus on the intruders of these systems. Time,
energy and money that should have been spent discovering and fixing
security bugs was used to design and implement an attack on the
hackers themselves instead. This was an attack that focused only on
domestic hackers and did little to thwart the threat to United States
national security. The result: Operation Sundevil.
Operation Sundevil
Law enforcement agencies had already begun to focus their attack on
the digital underground when Operation Sundevil was initiated, but it
was by far the largest clamp down on computer crime in the United
States. The focus of Operation Sundevil was the hackers' system of
information distribution which consisted of hundreds of underground
computer systems that housed information on how to break into computer
systems, files stolen from major U.S. corporations, and files that
contained credit card access numbers used to commit credit fraud.
Around forty-two computers were seized along with 23,000 floppy disks
of information during the May 7, 8, and 9, 1990 raids.(112)
Across the United States teenagers and their parents were awakened by
the Secret Service, followed by a search of their house and the
confiscation of anything that looked remotely electronic.
Misinformation led to mistakes. Perhaps the most publicized of these
was the raid on Steve Jackson Games. Jackson owned a small company
that ran a bulletin board system allowing game players to call in and
ask questions, arrange meetings, etc. Jackson unknowingly employed a
computer hacker. The Secret Service tied the two together and as a
result Steve Jackson Games was raided and its computer equipment was
seized, only to be returned several years later. This greatly effected
Jackson's business and he nearly went bankrupt. Jackson recently won a
law suit against the Secret Service in the amount of $52,000 plus
legal fees.(113)
The United States has a vested interest in preventing computer crime
and fraud, and Operation Sundevil was surely a huge attack on such
crimes, but it was greatly misdirected. While teenage hackers were
arrested and tried, U.S. military systems and business systems
remained open to attack. Hackers will always exist. The only true way
to stop them is to plug the holes they use to gain access to systems.
The solution lies not in ignoring domestic computer crime, but in
giving a higher priority to increasing computer security.
Today, five years after Operation Sundevil, most large federal and
state law enforcement agencies have units dedicated to thwarting
computer crime. While, most focus on credit card and phone fraud, the
domestic hacker is still viewed as the primary threat. As noted
earlier, the Computer Security Act has also been relatively
ineffective. Security holes still exist and the government has yet to
design an integrated approach for maintaining security standards on
its computers.
Information Warfare: A Threat Assessment Portfolio
Winn Schwartau, in his breakthrough book on the subject, identified
three levels of information warfare: Class I, Class II, and Class
III.(114) These three classes are similar to the three levels of
information I developed in 1993(115), as described in Chapter Two. In
order to develop a threat assessment portfolio for information
warfare, one must focus on the levels of information warfare that are
currently being waged today.
As exemplified in Chapter Two, both Class I and Class II information
warfare are being waged actively today against individuals and
corporations. Perhaps the best example of Class I information warfare
in recent months was the attack on Michelle Slatalla and Joshua
Quittner after they released their book describing the "hacker wars"
of 1990. A group of technically adept individuals calling themselves
the Internet Liberation Front jammed Quittner and Slatalla's Internet
e-mail accounts rendering them useless, and forwarded incoming phone
calls to an out-of-state number "where friends and relatives heard a
recorded greeting laced with obscenities."(116) This is just one
isolated incident of what has been a recurring problem on the Internet
recently.
Class II information warfare is also currently being waged at the
corporate level. Intellectual property has been stolen and shipped to
foreign nations.(117) Arguably, even the collapse of one of Britain's
oldest financial institutions, the Barings Bank was the result of
Class II information warfare.(118) Without the reliance on information
technology, the financial damage inflicted on Barrings by risky
investments would never have been possible to achieve by one man.
On the Class III level, we have seen where military systems are
targeted up to 300,000 times per year and how those targeted systems
are penetrated 88 percent of the time. Only one infiltration of
military and government systems was traced back to indicate
sponsorship by another nation state. This does not mean, however, that
such infiltration's are not taking place with state backing now. It
only shows that we have not caught them. We know that nations like
France, Germany and Israel have information warfare operations in
place, but they have not used them to wage Class III information
warfare, yet. We have also seen where nations have used offensive
information warfare as a supplement to conventional military tactics,
and how most advanced weapons systems are heavily reliant on
information technology.
In the past six months, information warfare concerns have started to
work their way into public discourse. Aerospace Daily recounts a
recent report by the Defense Science Task Force on Information
Architecture for the Battlefield:
Of utmost concern to the task force is the fact that U.S. information
systems are "highly vulnerable" to information warfare. The task force
was "briefed on activities and capabilities that caused concern over
the integrity of the information systems that are a key enabler of
military superiority..." Creating a strategy to be able to wage
information warfare "may be the most important facet of military
operations since the introduction of stealth," the report said.(119)
The findings of this report indicate that our national security
portfolio is lacking substance where information warfare is concerned.
Speaker of the House, Newt Gingrich asks "What if Saddam Hussein had
hired 20 hackers in August [1990, just before Desert Storm] to disrupt
the American economy...He could have shut down the phone system by
crippling AT&T's network and destroyed the financial network, which
would have changed drastically how the Gulf War was waged."(120) In
order to deal with this problem, the United States, and all
technologically advanced nations, must develop a national security
strategy for information warfare.
National Security Solutions for the Information Age
Several steps must be taken to put the United States' digital house in
order, and begin dealing with the threat to national security posed by
information warfare. Though the following list is not completely
inclusive, it should serve as a useful framework for dealing with the
problem.
Step One: Declassify the Threat
Before dealing with the threat posed by information warfare, we must
acknowledge that it exists. It is wrong to assume that security
through obscurity will work indefinitely. Offensive information
weapons can be developed using open source material and assembled
using readily available electronic components. In fact, some offensive
information warfare weapons, namely a HERF gun, have been assembled
completely by accident.(121)
The existence of offensive information warfare capabilities coupled
with the United States' heavy reliance on information technologies,
has introduced a new threat to our national security. It has been
shown that information warfare, most likely in the form of terrorism,
is probable because the costs, both politically and economically, are
lower than the benefits derived. If an autonomous nation or political
group wishes to inflict damage, chaos and fear on American society
with minimal costs, then its most rational option is to use offensive
information warfare capabilities.
If this threat is acknowledged, the response options available to the
United States increase. Actions to decrease the impact of an
information warfare attack can be undertaken in advance to minimize
the damage incurred. Political scientist James Wyllie argues that
"Deterrence demands that an adversary be made completely aware of the
value of the issue in dispute to the deterrer, and the willingness to
collect a price should the rival not be dissuaded from its unwelcome
course of action."(122) Acknowledging the threat acts as a deterrent
for several reasons. First, it increases the number of responses
available to the United States because the issue has been addressed at
a political level, and it demonstrates to the international community
that this is an important issue. Our capabilities to deal with such an
attack are increased because we are prepared for it. Second, it
motivates the military and private industry to deal with this problem
and create viable security solutions that minimize the vulnerability
of the United States' information infrastructure. Third, it gives the
United States a political catalyst to deal with this issue on a global
level and to enter into treaties and agreements to protect the global
information infrastructure and to avert common worst case scenarios.
Let us examine each of these in greater detail.
Step Two: Increase Security
As technological advancements in information technology continue,
security must be a vital component. Perhaps, easier said than done.
The security of our information systems must be continually increased.
Security experts and hackers agree that encryption will be the
critical component used to secure computer systems and information
transfers of the future.
Increasing security quells realist concerns about information warfare
by decreasing the United States' vulnerability to attack.
Unfortunately, it also contributes to the security dilemma, because
defensive actions might be construed as intentions to attack other
nations. Because of this security dilemma, it is important that the
United States be able to export this technology to allies and enemies
alike. This is similar to Ronald Reagan's suggestion that should his
Strategic Defense Initiative prove successful, the technology would be
given to the Soviet Union in an effort to attenuate their fears of a
U.S. attack.(123) In order for this to occur, the United States
government will have to release its stranglehold on encryption
technology and allow U.S. companies to export this technology without
restriction. Not only does this increase security and stability, but
it will also generate growth in the software industry and allow U.S.
companies to maintain a comparative advantage in this area.
The American people have always displayed an ability to be innovative
and tenacious in the face of adversity. Given the opportunity and
incentive, they will rise to deal with the threat of information
warfare in ways we are not yet capable of predicting. The important
aspect is that the American people at least be given the opportunity.
The rest will follow.
Step Three: Increase Vendor Accountability
Step three is closely linked with step two. In order to increase
security and not just manifest an illusion of having done so, vendors
must be held accountable for the "secure" products they distribute.
Though it is impossible to eliminate all security holes and to find
every bug, more must be done to ensure the reliability of systems and
software before they are shipped. Also, vendors should be required to
create patches and fixes for security holes as they are found and
distribute them to all customers.
Security expert Bob Stratton argues that "if you ask the vendors, they
will say: nobody told us this was important. Nobody told us security
was important."(124) The United States must assure the vendors that
security is important and must be a required component of those
technologies that will constitute our information infrastructure.
On the virus front, more must be done to ensure consumers that
merchandise will be shipped virus-free. Some level of accountability
must be determined for those companies that fail to verify the
integrity of the software or hardware they are shipping. Perhaps, some
sort of criminal or monetary liability for vendors is needed to
stimulate active virus checking at the shipping end of software
distribution. One thing remains certain: we can not allow viruses to
spread within shrink-wrapped software. It ensures too great a
distribution within American society to be taken lightly.
Step Four: Facilitate Private/Public Sector Cooperation
Both the public and private sectors of the United States have a vested
interest in the creation of a secure information infrastructure. The
military is incredibly reliant on private sector communications lines
and does not have the resources to create new secure information
technologies on its own. Robert Steele argues that the relationship
between the private and public sector with regards to new technology
has reversed. Where technology used to migrate from the military into
the private sector, it now migrates in the opposite direction. Steele
argues that the military and civil sector must now cooperate and that
"the military must acknowledge that it cannot dominate information
warfare and that it must completely recast its understanding of
information warfare to enable joint operations with civil sector
organizations including law enforcement, businesses with needed
skills, and universities."(125)
The military must be able to define its security needs and work with
the private sector to meet them. Both sectors will benefit. The
military will get increased security and the private sector will get
funding for research and development and profits from the marketable
products it develops. Not only does this increase the security of
military systems, it also increases the security of the private sector
upon which they are reliant for communications and open source
intelligence gathering and storage. In this way, the United States can
expand the umbrella of security over a larger part of its information
sphere.
Step Five: Conceptualize Our Information Sphere
Using a term borrowed from Air Force information warfare doctrine, an
information sphere is an assessment of those information technologies
that are vital to national security. At the core of the sphere are
those technologies that are of greatest value: classified military
networks and vital financial networks like the Federal Reserve. As you
move away from the core, importance decreases to include
non-classified military sites, communications networks and
intelligence systems, other financial networks and transaction
centers, other communication networks, power grids, private sector
information systems and non-operational military information. The
outer edge of the sphere contains the least important information such
as personal information and communications.
In order to formulate an integrated approach to addressing the threat
of information warfare, the United States must define its information
sphere. Granted, different organizations and branches of the military
are going to have different conceptions of what the information sphere
contains, but all of these conceptions must be drawn into a
centralized sphere in order to address the problem at a national
level. Those information systems at the core of the sphere must be
protected first and foremost. As technological capabilities progress,
the shield of protection must be extended over other parts of the
sphere until the entire information sphere is sheltered.
Under the best case scenario, parallel efforts to protect each
component of the sphere are executed simultaneously with varying
intensity. It is foolish to focus entirely on the core of the sphere
until we feel it has been adequately protected because it is highly
likely that we will never arrive at that conclusion, and in the
meantime we are leaving other vital components of our information
sphere unprotected. In the Information Age, different components or
levels of the information sphere are likely be interconnected as well,
increasing their importance to each other.
It is often argued that in order to protect certain aspects or
sections of the information sphere we must make them autonomous.
Fortunately, this is not a valid proposition, lest we wish to discard
the benefits of the Information Age. A vital component of any
information society is distributed information networks sharing and
storing information. The existence of networks increases the value of
computer technology because one does not have to store every piece of
information he or she needs. Instead it is only necessary to be able
to retrieve it from the collective intelligence of the network. To
disconnect from the network is to decrease the value of your computer
exponentially. Robert Steele, while working in the employ of the
Central Intelligence Agency, found that most of the information stored
on autonomous classified networks was available through open source
networks and could be found in half the time at a lesser cost. Though
there may be security through autonomy, the benefits of that security
do not necessarily exceed the costs of disconnecting from the global
network. In some instances, like in the case of single purpose
financial networks, secure autonomous networks might be desired, but
in general they will hinder the information stream upon which
Information Age nations rely. Al Gore, the Vice President of the
United States puts it succinctly: "To realize the full benefit of the
Information Age, high-speed networks that tie together millions of
computers must be built."(126)
Once we have conceptualized our information sphere, we must develop
methods to asses damage incurred within it. Upon suffering an
information warfare attack, the United States must be able to evaluate
and assess the damage that its information sphere has sustained. Not
only is this essential for repair, but it also allows us to gauge our
possible responses based on the extent of the damage we have suffered.
We must be able to place realistic values on the information that our
networks contain. Bob Stratton notes that "one of the most significant
problems we have right now is that people have not decided how much
their information is worth and because they have not made that
decision they have decided how much it is worth protecting."(127) By
conceptualizing an information sphere we are placing information in a
hierarchical value system based on strategic national security
importance. We must also be able to use alternative measures of value
on information to judge, not only strategic importance, but economic
and social importance. We must be able to judge what sort of damage is
incurred based on the overall significance of the target. Military
systems have a different value than banks, and likewise, banks have a
different value than the computers that house the nation's Social
Security data. We must make sure our measures of value include all the
information contained on the networks.
Similarly, for strategic purposes we must be able to measure the
damage the United States inflicts on other nations should it utilize
offensive information warfare capabilities. What is the strategic
value of destroying an enemy's communications network versus the
strategic value of manipulating it for our own purposes? What sort of
damage is inflicted on the target nation and its allies or trading
partners if its financial system is demolished? Can we trace the links
to ensure that economic aftershocks are not felt by the United States
or any of its trading partners? These are difficult questions, but
each must be examined if we are to take the threat and capabilities of
information warfare seriously.
Step Six: Multi-Level Education
Education can take place at several levels. First, policy makers can
be made aware of the threat and what they can do about it. It is their
public obligation to do so. It was suggested in a Congressional
hearing that Members of Congress rent and watch the movie War Games in
order to understand the threat and techniques used by hackers.(128)
Granted, War Games was a revealing movie, but policy makers must have
a better understanding of the threat to American national security
than this movie provides. The fact that Speaker Gingrich is discussing
the implications of information warfare with the media is a positive
sign, but his is a unique case of having friends interested in the
topic. Most likely, the military will act as educator to the policy
makers where this issue is concerned, but we must balance them with
public sector opinions in order to equalize any parochial interests
the military might put forth in order to gain increased funding.
The policy makers must also be made aware of what they can do to solve
the problem. When discussing HERF Guns at the above mentioned hearing,
one Member of Congress asked if such weapons might fall under the
auspices of the Brady Bill and if they should be outlawed. Luckily,
Mr. Schwartau was able to convince them that to do so "would be
banning the microwave and communications industry from
existence."(129) Though the threat of information warfare is very
real, we should not react with ill-conceived responses, especially if
it means sacrificing individual liberties.
At another level, those who run the systems or are in charge of
security must be educated to understand and deal with the threats. The
largest security hole in computer systems is the human factor. A whole
book has been written devoted to this aspect of computer
intrusion.(130) If you place a computer in a locked room with no
outside connections you have a secure computer, give one person access
and security is reduced. Give another person access and security is
reduced even further. Now the two people can be used against each
other with a little social engineering. Consider the following true
anecdote where a hacker named Susan demonstrates her social
engineering skills:
As Susan later told the story, a team of military brass...from three
services sat at a long conference table with a computer terminal, a
modem, and a telephone. When Susan entered the room, they handed her a
sealed envelope containing the name of computer system and told her to
use any abilities or resources that she had to get into that system.
Without missing a beat, she logged on to an easily accessible military
computer directory to find out where the system was. Once she found
the system in the directory, she could see what operating system it
ran and the name of the officer in charge of that machine. Next, she
called the base and put her knowledge of military terminology to work
to find out who the commanding officer was at the SCIF, a secret
compartmentalized information facility. Oh yes, Major Hastings. She
was chatty, even kittenish. Casually, she told the person she was
talking to that she couldn't think of Major Hasting's secretary's
name. "Oh" came the reply. "You mean Specialist Buchanan." With that,
she called the data center and switching from nonchalant to
authoritative, said, "This is Specialist Buchanan calling on behalf of
Major Hastings. He's been trying to access his account on the system
and hasn't been able to get through and he'd like to know why"
...Within twenty minutes she had what she later claimed was classified
information up on the screen. Susan argued "I don't care how many
millions of dollars you spend on hardware, if you don't have people
trained properly I'm going to get in if I want to get in."(131)
There are fundamental security measures that can be taught to system
users to ensure that the security of the system is not compromised and
scenarios like the one above are not repeated. It might be necessary,
as argued in other papers, to create a centralized agency in charge of
coordinating education and providing support for system administrators
in patching known security holes.(132)
Finally, the public must be educated to understand the threat of
information warfare so that it can endorse the actions taken by the
government to deal with this problem. Mr. Schwartau's book does a
great service in this area, but more effort is needed to bring
information warfare into the public discourse. Citizens have to
understand the reliance they have on information technology and the
purpose it serves within society before we can justify protecting it.
Step Seven: Use Hackers as a National Resource
The digital underground should be viewed as an asset to the United
States. They use illegal means to satisfy their curiosity about the
workings of computer technology because the system has denied them
other means of accessing the digital realm they love. Harvard Law
professor Laurence H. Tribe even suggests that access to technology
may be a required goal of democratic society. He states:
It's true that certain technologies may become socially indispensable
-- so that equal or at least minimal access to basic computer power,
for example, might be as significant a constitutional goal as equal or
minimal access to the franchise, or to dispute resolution through the
judicial system, or to elementary and secondary education. But all
this means (or should mean) is that the Constitution's constraints on
government must at times take the form of imposing "affirmative
duties": to assure access rather than merely enforcing "negative
prohibitions" against designated sorts of invasion or intrusion.(133)
Some hackers are loyal to the ideals of their nation. For example,
when news of Stoll's German hacker selling U.S. secrets to the KGB hit
the underground many hackers responded with hatred towards the guy who
had associated their movement with national espionage and threats to
national security. They were willing to use their abilities to combat
this problem, and were even willing to target Soviet computers for the
Central Intelligence Agency. One case of a hacker making a
contribution to society is the story of Michael Synergy and his quest
for presidential credit information. Synergy decided one day that it
would be interesting to look at the credit history of then President
Ronald Reagan. He easily found the information he was looking for and
noticed that 63 other people had requested the same information that
day. In his explorations he also noticed that a group of about 700
Americans all appeared to hold one credit card, even though they had
no personal credit history. Synergy soon realized that he had stumbled
upon the names and addresses of people in the U.S. government's
Witness Protection Program. A good citizen, he informed the FBI of his
discoveries and the breach of security in the Witness Protection
Program.(134)
One of the basic benefits to United States national security is the
lack of a coherent movement among the members of the digital
underground. Hackers are by nature individualistic. They lack a common
bond that allows them to focus their energies on one target. If there
is a common target among hackers, it is corporate America, especially
the telephone companies. These corporations have become targets
because hackers rely on their service to access cyberspace, which can
be a very expensive proposition. The United States government has a
vested interest in not providing them with another target, especially
if that target is the government itself. The United States should
utilize hackers, and give them recognition in exchange for the service
they provide by finding security holes in computer systems.
The United States should not discontinue efforts to stop credit fraud
and other computer activities that are unquestionably criminal. But,
the United States should allow the hackers to conditionally roam the
realm of cyberspace. These conditions would include the following: (1)
If computer access is gained, the security hole should be immediately
reported to the government or centralized agency and should not be
given to anyone else, and (2) information files should not be
examined, modified or stolen from the site. In return the United
States acknowledges the hackers' accomplishments, thus feeding their
competitive egos.
Why should the United States government trust hackers? No trust is
necessary. The United States is not offering the hackers anything that
they don't already have, except recognition for their ability to
discover security flaws. The hackers will remain on the networks
regardless of what policy the United States follows concerning their
activity. It is simply giving them the forum they need to meet people
with similar interests on a legitimate basis, rather than a secret
one. Robert Steele argues, "If someone gets into a system, that is not
a violation of law, it is poor engineering. When we catch a hacker,
rather than learn from him, we kick him in the teeth. When the
Israelis catch a hacker, they give him a job working for the
Mossad."(135)
Many U.S. corporations already allow the hackers to identify security
weaknesses in their computer systems. The Legion of Doom, the most
notorious group of hackers in the U.S., briefly entered the computer
security business with the formation of their company called Comsec
Security. Bruce Sterling reports, "The Legion boys are now digital
guns for hire. If you're a well-heeled company, and you can cough up
enough per diem and air-fare, the most notorious computer hackers in
America will show up right on your doorstep and put your digital house
in order - guaranteed."(136) Some argue that this is simply extortion,
but individuals are not saying "pay up or else we will enter your
system." They are offering their skills to secure vulnerable computer
systems from possible electronic intrusion.
Hackers can be used to secure the United States' digital interests.
Every effort should be made not to alienate them from the newly
emerging digital infrastructure. In the same Congressional hearing
where his publication was branded as manual for computer crime,
Emmanuel Goldstein made the following remarks about access to
technology and computer crime:
This represents a fundamental change in our society's outlook.
Technology as a way of life, not just another way to make money. After
all, we encourage people to read books even if they can't pay for them
because to our society literacy is a very important goal. I believe
technological literacy is becoming increasingly important. But you
cannot have literacy of any kind without having access.... If we
continue to make access to technology difficult, bureaucratic, and
illogical, then there will also be more computer crime. The reason
being that if you treat someone like a criminal they will begin to act
like one.(137)
It is ridiculous to assume that the entire hacker subculture is
motivated by criminal intentions. Hackers, like all other groups or
subcultures, contain a diverse array of individuals. Every group has a
criminal element and the hackers' criminal element is no different
than the criminal element that exists within the law enforcement
community. A General Accounting Office report on threats to the
nations National Crime Information Center, found that the greatest
threat to this centralized criminal database was not from outside
hackers but from corrupt insiders.(138)
Most hackers are still young and have not formulated complete
ideologies regarding right and wrong behavior. Bob Stratton, a former
hacker who now works as a highly trusted security expert, argues that
"These people (hackers) haven't decided in some cases, to be good or
evil yet and it is up to us to decide which way we want to point
them."(139) Mr. Stratton argues that we can mentor these individuals
and thereby utilize their technological skills.
Mitch Kapor, founder of one of America's most successful software
companies notes that "the image of hackers as malevolent is purchased
at the price of ignoring the underlying reality - the typical teenage
hacker is simply tempted by the prospect of exploring forbidden
territory...A system in which an exploratory hacker receives more time
in jail than a defendant convicted of assault violates our sense of
justice."(140)
There does seem to be a trend in the past year to utilize hacker
capabilities, both in the public and private sectors. This needs to
increase, and perhaps some evaluation of our own laws might be
necessary if we wish to continue knowing where the holes in the United
States' information infrastructure are.
Step Eight: Global Institutions and International Agreements
Just as this issue has domestic political implications, it also has
international political implications that need to be addressed. Once
the United States acknowledges the potential threat of information
warfare it must be prepared to deal with nations expressing similar
concerns. Political deterrents like economic interdependence and fear
of escalation must be backed by global institutions and international
agreements that set standards and pacts for varying levels of
information warfare.
High levels of interdependence will cause technologically advanced
trading partners to seek out security agreements in order to guarantee
some level of stability in the international financial system. The
United States should take the initiative to lead such efforts and
place these issues on the international agenda. There are worst case
scenarios to be averted and cooperation in this area should be
achievable.
Though these institutions do nothing to deter the threat of
information terrorism, they may provide justifiable avenues to pursue
in seeking retribution. Regimes do not deter terrorists and
information warfare is an attractive weapon. However, defining our
information sphere and increasing security help to minimize the damage
that information terrorism can inflict on the United States. Global
agreements would help determine the consensus of the international
community where these new technologies are concerned and terrorist
violations of this consensus is inevitable. Terrorists do not play by
rules, but that does not mean the international community should
forestall the development of those rules.
Conclusion: National Security in the Information Age
This thesis has put forth some apocalyptic scenarios regarding the
future of information warfare and national security. This was not its
ultimate intent. Realistically, there are a number of scenarios, each
of varying degree, in which information warfare might be utilized in
the future.
In the most apocalyptic scenario, information warfare will be waged in
conjunction with conventional warfare, to determine the hegemon of the
Information Age. Many scholars have put forth arguments concerning the
formation and survivability of hegemonic powers.(141) It is possible,
that in this point in time, the instability of information technology
requires the constancy only a hegemon can provide. Under this
scenario, realist concerns run rampant, as the United States has a
vested interest in becoming the hegemon for the next power cycle.
However, a full-scale information war will be very costly, and it is
highly unlikely that the hegemon will be able to salvage any value
from the rubble of battle. A scenario where stability and consistency
for information technologies are derived from cooperative
international
endeavors to promote and facilitate global prosperity is more likely.
In the Information Age, Third Wave nations have legitimate aspirations
to create a global information system that adds value to their
existing information infrastructures. Information technology is
cooperative by nature and tremendous benefits can be derived from
greater interconnectivity. Therefore, nations will seek out ways to
integrate their networks with the international network. Once that
integration takes place, each connected nation will have an interest
in maintaining the stability and survivability of the overall network.
Each nation has a vested interesting in preventing global information
warfare.
Despite collective interests, information terrorism will continue to
be a viable national security concern for all Third Wave nations.
Unfortunately, our options concerning terrorism are extremely limited.
By increasing security and gathering intelligence regarding any plans
that might be in consideration, we can ensure that the threat of
terrorism is contained to isolated incidents from which the United
States can recover. Unfortunately, the environment under which we
currently operate can make no such promise, therefore it is essential
that we address this issue now.
Other likely scenarios include the use of information warfare for
blackmail or for limited short-term gains. These scenarios present
other difficult political dilemmas that must be addressed at a global
level. Will nations allow information warfare threats to be used as
blackmail? Will we allow limited information warfare in order to
pursue strategic or comparative political and economic gains? Or is
the fear of escalation an adequate deterrent to such ambitions? These
questions must also be addressed.
The Information Age promises to change many aspects of our society.
Mitchell Kapor writes:
Life in cyberspace is more egalitarian than elitist, more
decentralized than hierarchical...it serves individuals and
communities, not mass audiences. We might think of cyberspace as
shaping up exactly like Thomas Jefferson would have wanted: founded on
the primacy of individual liberty and commitment to pluralism,
diversity, and community.(142)
As a society we have much to learn about ourselves through this new
medium of communication. As a nation the United States must make sure
that the structure it is building has a strong foundation and that
weaknesses in that structure are not used to destroy it. It is a
difficult task, because the constitutionally guaranteed rights of
United States citizens must be upheld in the process. However, it is a
task we must undertake. These are issues we must address. If we do not
address these issues now the future of our country will be
jeopardized. A handful of concerned citizens attempt to bring issues
surrounding cyberspace to our attention everyday. Some of these issues
concern national security, others concern individual privacy.
Cyberspace has empowered the average person to explore and question
the structure of our society and those that benefit from the way it is
operated. Fundamental issues arise from hacker explorations. We must
decide how, as a nation, how we wish to deal with these issues. Recent
efforts in cloning produced a human fetus. The scientists that
achieved this remarkable feat, immediately halted research arguing
that a public debate must arise to deal with the ethical and moral
issues surrounding this technology. They argued that before
experimentation in cloning continued, we must decide as a society
which direction that the new technology will go, what ends we hope to
achieve, and what the limits on its use should be. A similar debate on
the issues of cyberspace must take place. There is no need to stop the
technology, but we must decide what direction we want the technology
to take, and what rules will govern its use. We must do this now,
before the technology starts dictating the rules to us, before it is
too late to make changes in the basic structure of cyberspace without
destroying the whole concept.
We certainly are, as Al Gore noted, in the midst of an Information
Revolution. Methods of warfare will continue to evolve as the
revolution progresses. Conceptions of national security will have to
evolve as well. Information warfare and information security must be
incorporated into the national security agenda of any nation that is
making the transition into the Information Age. Isaac Asimov notes
that "Waiting for a crisis to force us to act globally runs the risk
of making us wait too long."(143) We can not allow this to be the case
where information technologies are concerned, because they are the
foundation for that which we aspire to become. Similarly, John
Petersen argues that a "philosophy comes bundled with every new
technology; when one is embraced, the other is there at well."(144)
The United States has already embraced the technology of the
Information Age, it must prepare itself to deal with the philosophy
that comes with it. The United States must be prepared to deal with a
philosophy that changes the distribution of power, changes political
relationships, and challenges the essence of nation states. Only then
can we rightfully justify a leading role in the Information Age.
_________________________________________________________________
Footnotes
(1) Skolnikoff, Eugene B. The Elusive Transformation: Science
Technology and the Evolution of International Politics. (New Jersey:
Princeton University Press, 1993), 169.
(2) Skolnikoff, Elusive Transformation; Arquilla, John & Ronfeldt,
David. "Cyberwar and Netwar: Warfare Between Networks." Comparative
Strategy. vol. 12, no. 2, 1993, 141-165.; Petersen, John L. The Road
to 2015: Profiles of the Future. (California, Waite Group Press,
1994.)
(3) Ronfeldt, David. "Cyberocracy is Coming," The Information Society
Journal, vol. 8, num. 4 (1992), 243-296.
(4) Qualifying this new pattern of societal development as the "third"
wave, Toffler naively accepts the fact the Agrarian Age was the first
developmental stage of modern society, a view not held by many
scholars. However, the sequential allocation of numbers is not
important for the purposes of this thesis, but rather the premonition
that a new wave of development is occurring.
(5)Toffler, Alvin The Third Wave (New York, William Morrow and
Company, Inc., 1980)
(6)Ibid, 26.
(7)Gore, Al "Remarks at the Federal-State-Local Telecomm Summit,
[Online]. (1994, January 9). Available WWW: http://www.whitehouse.gov.
(8) Examples include the National Telecommunications and Information
Administration and the Information Infrastructure Task Force. Other
government agencies involved with these issues include the General
Accounting Office, the Federal Communications Commission, the National
Institute of Standards and Technology, and the Advanced Research
Projects Agency.
(9)Petersen, Road to 2015, 39-70.
(10)Ibid, 4.
(11) Kelly, Kevin. Out of Control: The Rise of Neo-Biological
Civilization. (New York, Addison-Wesley Publishing, 1994), 359.
(12) Solnick, Steven L. "Revolution, Reform and the Soviet Telephone
System, 1917-1927." Soviet Studies. vol. 43, no. 1, 1991, 157-176.;
Sreberny-Mohammadi, Annabelle. "Small Media for a Big Revolution."
(13)Big Dummies Guide to the Internet [Online]. Available FTP:
ftp.eff.org Directory: pub File: bigdummy.txt.
(14)Petersen, Road to 2015, 37.
(15)Carroll, Bonnie. "Harsh Realities: S&T Acquisition Costs,
Obstacles, and Results." Remarks at the Third International Symposium
on National Security and National Competitiveness: Open Source
Solutions, Washington DC, November 10, 1994.
(16)Drucker, Peter. Post-Capitalist Society (New York, Harper
Business, 1993), 8.
(17)Ronfeldt, "Cyberocracy", 243-296.
(18)Ibid.
(19)"Introduction." Wired. Premiere Issue, 1993.
(20)I have drawn from and expanded on the definition put forth by
Ronfeldt, "Cyberocracy is Coming."
(21)Steele, Robert D. "Hackers and Crackers: Using and Abusing the
Networks." Presentation at the Fourth Annual Conference on Computers,
Freedom and Privacy, Chicago, IL., March 1994.
(22) United States General Accounting Office. Information
Superhighway: An Overview of Technology Challenges. Report to
Congress. January, 1995.
(23)Arquilla & Ronfeldt, "Cyberwar is Coming!", 141-165.
(24) Sun Tzu. The Art of War. Translated by Samuel B. Griffith. (New
York, Oxford University Press, 1971), 95.
(25) See U.S. Army Field Manual 100-5: Fighting Future Wars.
(Washington, Brassey's Press, 1994); Sullivan, General Gordon R. &
Dubik, Colonel James M. "War in the Information Age." U.S. Army War
College, Strategic Studies Institute, 6 June 1994.
(26) Steele, Robert D. "The Military Perspective on Information
Warfare: Apocalypse Now." Keynote address at the Second International
Conference on Information Warfare: Chaos on the Electronic
Superhighway, Montreal, 19 January 1995.
(27)Schwartau, Information Warfare, 291.
(28)Brodie, Bernard & Fawn. From Crossbow to H-Bomb. (London, Indiana
University Press, 1973)
(29)Headrick, Daniel R. The Invisible Weapon: Telecommunications and
International Politics 1851-1945. (New York, Oxford University Press,
1991), 141.
(30)Bramford, James. The Puzzle Palace. (Boston, Houghton Mifflin
Company, 1982), 1-56.
(31) Sullivan & Dubik. "War in the Information Age," 12.
(32)Schwartau, Information Warfare, 179.
(33)Schwartau, Information Warfare, 180.
(34)Federal Emergency Management Agency. EMP Threat and Protective
Measures. Report for public distribution. April 1980, 11.
(35) National Institute for Standards and Technology Computer Security
Division. Threat Assessment of Malicious Code and Human Threats.
Report to the U.S. Army Computer Vulnerability/Survivability Study
Team. October 1992, 10.
(36) Goldstein, Emmanuel. "Opening Doors." 2600: The Hacker Quarterly.
vol. 11, no. 3, Autumn 1994, 4-6.; Platt, Charles. "Hackers: Threat or
Menace?" Wired. November 1994, 82-90.
(37) Levy, Steven. Hackers: Heroes of the Computer Revolution. (New
York, Dell Publishing, 1984)
(38) Schwartau, Information Warfare, 137-148. The threats of
electromagnetic emissions capture was first outlined by Wim Van Eck in
his paper "Electromagnetic Radiation from Video Display Units: An
Eavesdropping Risk?" (PTT Dr. Neher Laboratories, Leidschendam,
Netherlands, 16 April 1985). Though this paper is classified within
the United States, Van Eck's concepts have been accepted and proven by
many security experts.
(39) The Transient Electromagnetic Pulse Emanation Standard
established by the United States government is used to label all
electronic equipment whose level of electromagnetic emissions is low
enough as to prevent their capture by eavesdropping devices.
(40) Seline, Christopher J. "Eavesdropping on the Electromagnetic
Emanations of Digital Equipment: The Laws of Canada, England and the
United States," (Unpublished draft, 1990).
(41) Schwartau, Information Warfare, 114-137.
(42)Mungo, Paul and Clough, Bryan. Approaching Zero: The
Extra-ordinary Underworld of Hackers, Phreakers, Virus Writers &
Keyboard Criminals. (New York, Random House, 1992), 107.
(43)Ibid, 107-110.
(44)Ibid, 108.
(45)Ibid, 98.
(46)Hafner, Katie, and Markoff, John. Cyberpunk: Outlaws & Hackers on
the Computer Frontier. (New York, Simon & Schuster, 1991), 345.
(47)Perrow, Charles. Normal Accidents: Living with High-Risk
Technologies. (New York, Basic Books, 1984).
(48) Knowles, Francine. "Technology Glitches Can Take Big Toll,"
Chicago Sun-Times, 16 Sept. 1994, 47.
(49) Kelsey, Tim. "Teen Hacks Top-secret U.S. Computer; British Boy
Posted Military Information on Internet," The Ottawa Citizen, 3 Jan.
1995, A1.
(50) Ibid, A1.
(51)Stoll, Clifford. The Cuckoo's Egg: Tracking a Spy Through the Maze
of Computer Espionage. (New York, Doubleday, 1989).
(52)Hafner & Markoff, Cyberpunk, 172.
(53)Denning, Peter J. Computers Under Attack: Intruders, Worms &
Viruses. (New York, ACM Press, 1991), 183.
(54)Brock, Jack L. (1991). Testimony in Hackers Penetrate D.O.D.
Computer Systems: Hearings before the Subcommittee on Government
Information & Regulation, Committee on Governmental Affairs, United
States Senate, 20 November 1991.
(55)Ibid.
(56)Ibid.
(57) Private VHS Video, supplied by Emmanuel Goldstein.
(58) Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the
Electronic Frontier. (New York, Bantam Books, 1992), 1.
(59) Quittner, Joshua and Slatalla, Michelle. Masters of Deception:
The Gang that Ruled Cyberspace. (New York, Harper Collins, 1995),
6-21.
(60) Sterling, Hacker Crackdown, 1-43.
(61) Bowman, Stephen. When the Eagle Screams: America's Vulnerability
to Terrorism. (New York, Carol Publishing Group, 1994), 155.
(62) Markoff, John. "A Most-Wanted Cyberthief is Caught in his Own
Web." The New York Times, 16 Feb. 1995. A1.
(63) Bowman, Eagle Screams, 125.
(64) As quoted in Bowman, Eagle Screams, 124.
(65) Schwartau, Winn. Terminal Compromise: Computer Terrorism: When
Privacy and Freedom are Victims. (United State, Inter.Pact Press,
1991), 1. This is a work of fiction.
(66) Steele, Robert. "War and Peace in the Age of Information.
Superintendent's Guest Lecture, Naval Post Graduate School, 17 August
1993.
(67) Schwartau, Information Warfare, 293.
(68) Steele, "Military Perspective on Information Warfare", 9.
(69) Ayers, Robert. "Defensive Information Warfare: A Maginot Line in
Hyperspace." Presentation given at the First TMSA Conference on the
Revolutionary New Paradigm for Modern Warfare, Washington, DC, 8-9
December 1994. As reported in OSS Notices, vol. 2, issue 10, 30
December 1994, 10.
(70) Ayers, as paraphrased in OSS Notices, vol. 2, Is. 10, 10.
(71) Steele, "Military Perspective on Information Warfare", 11.
(72) Jervis, Robert. The Meaning of the Nuclear Revolution. (Ithaca,
Cornell University Press, 1989), 10.
(73) Peterson, John, as cited by Steele, "War and Peace in the Age of
Information."
(74) Weltman, John J., Nacht, Michael and Quester, George H.
Challenges to American National Security in the 1990's. (New York,
Plenum Press, 1991), xi.
(75) Steele, "Military Perspective on Information Warfare", 5.; Gertz,
Bill. "Electronic Crime Threatens Integrity of Long Distance Phone
System," The Washington Times, 24 Oct. 1994, A3.
(76) Steele, "War and Peace in the Age of Information."
(77) Schwartau, Winn. "Technical Discussion of High Energy Radio
Frequency Guns, and Video Demonstration of Van Eck Emissions Capture:
How to Obtain Insider Information from 200 Meters Away Without
Physical Connection." Presentation at the Third International
Symposium on National Security and National Competitiveness: Open
Source Solutions. Washington, DC, 9 November 1994.
(78) Luttwak, Edward. The Endangered American Dream: How to Stop the
United States from Becoming a Third World Country and How to Win the
Geo-Economic Struggle for Industrial Supremacy. (New York, Simon &
Schuster, 1993); Thurow, Lester. Head to Head: The Coming Economic
Battle Among Japan, Europe, and America. (New York, Warner Books,
1992); Prestowitz, Clyde V. Jr. Trading Places: How We Are Giving Our
Future to Japan and How to Reclaim It. (New York, Basic Books, 1988).
(79) Ganley, Elaine. "French Oust Five as Spies," The Burlington Free
Press. 23 February 1995, A6.
(80) Bowman, Eagle Screams, 7.
(81) Schwartau, Information Warfare, 65-82.
(82) Legro, Jeffrey W. "Military Culture and Inadvertent Escalation in
World War II," International Security, vol. 18, no. 4, Spring 1994,
108.
(83) Mann, Paul. "Dialing for 'Info War'," Aviation Week and Space
Technology, vol. 142, no. 4, 23 Jan. 1995, 31.; Holzner, Robert. "U.S.
Navy to Tie Requirements, Acquisition," Defense News, 23 Jan. 1995,
6.; "Services Gear Up for Information War," Defense Daily, vol. 184,
no. 48, 8 Sept. 1994, 377.
(84) "USAF Doctrine to Include 'Virtual Battle Space'," Aerospace
Daily, vol. 173, no. 12, 19 Jan. 1995, 85B.
(85) Cooper, Richard N. "Economic Interdependence and Foreign Policy
in the Seventies," World Politics, Jan. 1972, 159.
(86) Rosecrance, Richard and Stein, Arthur. "Interdependence: Myth or
Reality?" World Politics, vol. 26, no. 1, 1973, 1-27.
(87) Nye, Joseph S. Understanding International Conflicts. (New York,
Harper Collins, 1993), 166.
(88) See Snyder, Jack. Myths of Empire: Domestic Politics and
International Ambition. (Ithaca: Cornell University Press, 1991).
(89) See Schweizer, Peter. Friendly Spies: How America's Allies are
Using Economic Espionage to Steal out Secrets. (New York, Atlantic
Monthly Press, 1993).
(90) Sterling, Bruce. "Speaking for the Unspeakable," Presentation at
the Second Conference on Computers, Freedom and Privacy. Washington
DC, March 1992.
(91) Anonymous. Interview with author. Chicago, IL. March 1994.
The countries interested in this hacker's services were France and
Israel.
(92) Those interested in the case can find further information on-line
via the Internet's World Wide Web at: http://www.eff.org/.
(93) Chipping of hardware is used to describe a process in which
design flaws or timed failures are programmed into computer chips
during production.
(94) Stein, Arthur A. "Coordination and Collaboration: Regimes in an
Anarchic World," International Organization, vol. 36, Spring 1982,
299-324.
(95) Class II information warfare is targetted at industries for
espionage or competitive purposes. See Schwartau, Information Warfare,
271-291.
(96) Class III information warfare is waged with political intentions
by state or terrorist entities. See Schwartau, Information Warfare,
291-312.
(97) Stein, "Coordination and Collaboration," 43.
(98) Ibid, 25.
(99) Keohane, Robert O. After Hegemony: Cooperation and Discord in the
World Political Economy. (New Jersey, Princeton University Press,
1984), 135.
(100) Hughes, Eric. (20 Nov. 1994). Re: Clipper Questions. [e-mail to
Matthew G. Devost], [On-line]. Available e-mail:
mdevost@moose.uvm.edu.
(101) Though there has been a lot of discussion regarding this
operation, there is no evidence to ensure that it actually will take
place.
(102) Bloodaxe, Eric. "Phrack Editorial," Phrack Magazine, vol. 5, Is.
46, file 2a. [On-line] Available FTP: freeside.com /pub/phrack/.
(103) Currently, the exportation of encryption technology is regulated
in the United States under the State Department's International
Traffic in Arms Regulations. (ITAR)
(104) De Landa, Manuel. War in the Age of Intelligent Machines. (New
York, MIT Press, 1991), 45.
(105) U.S. Congress. Senate. Armed Services Committee. Threats to
National Security: Hearing. Testimony of General James R. Clapper,
Director, Defense Intelligence Agency. 17 January 1995.
(106) Brodie, Crossbow to H-Bomb, 115-118.
(107) It should also be noted that the Turtle was never utilized
successfully, but this was do more to chance than flaws in design.
(108) Brodie, Crossbow to H-Bomb, 117-118.
(109) Holden-Rhodes, J.F. Sharing the Secrets: Open Source
Intelligence and the War on Drugs. (USA, The University of New Mexico
Printing Services, 1994), 32.
(110)United States General Accounting Office. Report on Implementation
of Computer Security Act. (Washington, D.C. , U.S. Government Printing
Office, 1990).
(111)Ibid.
(112)Sterling, Hacker Crackdown, 158.
(113)Nathan, Paco Xander. "Jackson Wins, Feds Lose." Wired. May 1993,
20.
(114) Schwartau, Information Warfare, 258-312.
(115) Devost, Matthew G. "The Digital Threat: United States National
Security and Computers." Presentation at the Annual Meeting of the New
England Political Science Association, Salem MA, 22 April 1994.
(116) Elmer-Dewitt, Philip. "Terror on the Internet: A Pair of
Electronic Mail Bombings Underscores the Fragility of the World's
Largest Computer Network." Time. 4 December 1994, 15.
(117) Carley, William M. "Of High-Tech Spying: Did the French Steal
Secrets from Texas Instruments, or is the Story Just Bull." The Wall
Street Journal. 19 January 1995, A1.; Schweizer, Friendly Spies.
(118) Powell, Bill. "The Boy Who Lost Billions." Newsweek. 13 March
1995, 37-52.
(119) "Defense Science Board Calls for Improvements in Information
Systems." Aerospace Daily. vol. 173, no. 2, 4 Jan. 1995, 10.
(120) Cooper, Pat. "In Cyberspace, U.S. Confronts and Illusive Foe."
Defense News. 19 Feb. 1995, 1.
(121) Schwartau, Winn. "Class II Information Warfare: Corporate
Espionage and Sabotage." Presentation at the Second International
Conference on Information Warfare. Montreal PQ, 18 January 1995.
(122) Wyllie, James H. "The Deterrence Condition." In Carey, Roger &
Salmon, Trevor C. International Security in the Modern World. (New
York, St. Martin's Press, 1992), 63.
(123) Skolnikoff, Elusive Transformation, 66.
(124) Stratton, Bob. "Hackers and Crackers: Using and Abusing the
Networks." Presentation at the Fourth Conference on Computers, Freedom
and Privacy: Cyberspace Superhighways: Access, Ethics and Control.
Chicago IL, 23 March 1995.
(125) Steele, "Military Perspective on Information Warfare", 11.
(126) Gore, Al. "Infrastructure for the Global Village." Scientific
American, Special Issue, 1995, 156-159.
(127) Stratton, "Hackers and Crackers."
(128) U.S. Congress. House. Committee on Science, Space, and
Technology. Subcommittee on Technology and Competitiveness. Hearings
on Computer Security. 102nd Cong., 1991.
(129) U.S. Congress. House. Committee on Science, Space, and
Technology. Subcommittee on Technology and Competitiveness. Hearings
on Computer Security. 102nd Cong., 1991.
(130)Van Duyn, J. The Human Factor in Computer Crime. (Princeton,
Petrocelli Books, 1985).
(131)Hafner and Markoff, Cyberpunk, 60-61.
(132) Devost, "Digital Threat", 12-18.
(133)Tribe, Laurence H. "The Constitution in Cyberspace." Paper
presented at the First Annual Conference on Computers, Freedom and
Privacy Conference, Burlingame, CA. 1991.
(134)Mungo & Clough, Approaching Zero, 57.
(135)Steele, " Hackers and Crackers."
(136)Sterling, Bruce. "Cyberview." Phrack, vol. 3, is. 33, phile 10,
1991.
(137)Goldstein, Emmanuel. Testimony before House Subcommittee on
Telecommunications and Finance. Washington D.C., 9 June 1993.
Goldstein, Emmanuel. "Congress Takes a Holiday." 2600: The Hacker
Quarterly. vol. 10, no. 3, Autumn 1993, 14-15.
(138) General Accounting Office. "NCIC Criminal Misuse." Washington
DC, GPO, 1993.
(139) Stratton, "Hackers and Crackers."
(140) Kapor, Mitchell. "Civil Liberties in Cyberspace." Scientific
American, Special Issue, 1995, 174-178.
(141) See Keohane, Robert O. After Hegemony: Cooperation and Discord
in the World Political Economy. (Princeton, Princeton University
Press, 1984); Gilpin, Robert. War and Change in World Politics.
(Cambridge, Cambridge University Press, 1981); Russet, Bruce M. "The
Mysterious Case of Vanishing Hegemony: or, is Mark Twain Really Dead?"
International Organization. vol. 39, no. 2, Spring 1985, 207-232.;
Cowhey, Peter F. and Long, Edward. "Testing Theories of Regime Change:
Hegemonic Decline or Surplus Capacity?" International Organization.
vol. 37, no. 2, Spring 1983, 157-188.
(142)Kapor, Mitchell. "Where is the Digital Highway Really Heading?
The Case for a Jeffersonian Information Policy." Wired Magazine . July
1993, 53-59.
(143) Asimov, Isaac. As cited in Petersen, Road to 2015, xix.
(144) Petersen, Road to 2015, 68.
_________________________________________________________________
SELECTED BIBLIOGRAPHY
Allison, Graham & Treverton, Gregory F. Rethinking America's Security:
Beyond the Cold War to New World Order. New York: W.W. Norton &
Company, 1992.
Andelman, David A. & Count de Marenches. The Fourth World War:
Diplomacy and Espionage in the Age of Terrorism. New York: William
Morrow & Company, 1992.
Anthes, Gary H. "Info-terrorist Threat Growing." Computer World, vol.
29, no. 5, 30 January 1995, 1.
Arquilla, John & Ronfeldt, David. "Cyberwar and Netwar: Warfare
Between Networks." Comparative Strategy. vol. 12, no. 2, 1993,
141-165.
Barlow, John Perry. "Crime and Puzzlement." Whole Earth Review. Fall
1990, 44- 57.
Beniger, James R. The Control Revolution: Technological and Economic
Origins of the Information Society. Cambridge: Harvard University
Press, 1986.
Bequai, August. Technocrimes. Lexington: Heath and Company, 1987.
BloomBecker, Buck. Spectacular Computer Crimes: What They Are and How
They Cost American Business Half a Billion Dollars a Year. Illinois:
Dow Jones- Irwin, 1990.
Bowman, Stephen. When the Eagle Screams: America's Vulnerability to
Terrorism. New York: Birch Lane Press, 1994.
Brodie, Bernard & Fawn, M. From Crossbow to H-Bomb. Bloomington:
Indiana University Press, 1973.
Carey, Roger & Salmon, Trevor C. International Security in the Modern
World. New York: St. Martin's Press, 1992.
Clough, Bryan & Mungo, Paul. Aproaching Zero: The Extra-ordinary
Underworld of Hackers, Phreakers, Virus Writers & Keyboard Criminals.
New York: Random House, 1992.
Cooper, Richard. "Economic Interdependence and Foreign Policy in the
Seventies." World Politics. January 1972, 159-181.
De Landa, Manuel. War in the Age of Intelligent Machines. New York:
Swerve Editions, 1991.
Denning, Peter J. Computers Under Attack: Intruders, Worms and
Viruses. New York: ACM Press, 1991.
Der Derian, James. "Cyber-Deterrence." Wired, September 1994, 116-122.
Dubik, Colonel James M. & Sullivan, General Gordon R. "War in the
Information Age." Stategic Studies Institute, U.S. Army War College, 6
June 1994.
Forester, Tom & Morrison, Perry. Computer Ethics: Cautionary Tales and
Ethical Dilemmas in Computing. Cambridge: The MIT Press, 1994.
Gore, Al. "Infrastructure for the Global Village." Scientific
American, Special Issue, 1995, 156-159.
Hafner, Katie & Markoff, John. Cyberpunk: Outlaws and Hackers on the
Computer Frontier. New York: Simon & Schuster, 1991.
Headrick, Daniel R. The Invisible Weapon: Telecommunications and
International Politics 1851-1945. New York: Oxford University Press,
1991.
Jervis, Robert. "Deterrence Theory Revisted." World Politics. January
1979, 289- 324.
Jervis, Robert. Cooperation under the Security Dilemma." World
Politics. January 1978, 167-214.
Jervis, Robert. The Meaning of the Nuclear Revolution: Statecraft and
the Prospect of Armageddon. Ithaca: Cornell University Press, 1989.
Kapor, Mitchell. "Civil Liberties in Cyberspace." Scientific American,
Special Issue, 1995, 174-178.
Kapor, Mitchell. "Where is the Digital Highway Really Heading?" Wired,
July 1993, 53-60.
Kelly, Kevin. Out of Control: The Rise of Neo-Biological Civilization.
New York: Addison Wesley Publishing, 1994.
Kennedy, Paul. The Rise and Fall of the Great Powers: Economic Change
and Military Conflict from 1500-2000. New York: Vintage Books, 1987.
Keohane, Robert O. After Hegemony: Cooperation and Discord in the
World Political Economy. Princeton: Princeton University Press, 1984.
Kroker, Arthur & Weinstein, Michael A. Data Trash: The Theory of the
Virtual Class. New York: St. Martin's Press, 1994.
Levy, Jack. "The Offensive/Defensive Balance in War." International
Studies Quarterly. June 1984.
Levy, Jack. "Theories of General War." World Politics. vol. 37, no. 3,
April 1985, 344-374.
Levy, Steven. Hackers: Heroes of the Computer Revolution. New York:
Dell Publishing, 1984.
Luttwak, Edward N. The Endangered American Dream: How to Stop the
United States from Becoming a Third World Country and How to Win the
Geo- Economic Struggle for Industrial Supremacy. New York: Simon &
Schuster, 1993.
May, Timothy C. "Crypto Anarchy and Virtual Communities." Extended
abstract. Available Online: Email: tcmay@netcom.com.
Nacht, Michael, Quester, George H. & Weltman, John J. Challenges to
American National Security in the 1990s. New York: Plenum Press, 1991.
National Institute of Standards and Technology Computer Security
Division. 1992. Threat Assessment of Malicious Code and Human Threats.
Washington: GPO.
Nye, Joseph S. Jr. Understanding International Conflicts. New York:
HarperCollins, 1993.
Parker, Donn B. Crime by Computer. New York: Charles Scribner's Sons,
1976.
Petersen, John L. The Road to 2015: Profiles of the Future.
California: Waite Group Press, 1994.
Porteous, Samuel D. "Economic Espionage: Issues Arising from Increased
Government Involvement with the Private Sector." Intelligence and
National Security. vol. 9, no. 4, October 1994, 735-752.
Quittner, Joshua & Slatalla, Michelle. Masters of Deception: The Gang
That Ruled Cyberspace. New York: HarperCollins, 1995.
Rheingold, Howard. The Virtual Community: Homesteading on the
Electronic Frontier. New York: Addison-Wesley Publishing Company,
1993.
Ronfeldt, David. "Cyberocracy is Coming." The Information Society
Journal. vol. 8, no. 4, 1992, 243-296.
Rosecrance, Richard & Stein, Arthur. "Interdependence: Myth or
Reality." World Politics. vol 26, Oct. 1973, 1-27.
Rushkoff, Douglas. Cyberia: Life in the Trenches of Hyperspace. New
York: HarperCollins, 1994.
Schwartau, Winn. Information Warfare: Chaos on the Electronic
Superhighway. New York: Thunder's Mouth Press, 1994.
Schwartau, Winn. Terminal Compromise. USA: Inter.Pact Press, 1991.
Schwartz, Peter. "Post-Capitalist: Conversation with Peter Drucker."
Wired, July 1993, 80-84.
Schwartz, Peter. "Warrior in the Age of Intelligent Machines." Wired,
April 1995, 138.
Schweizer, Peter. Friendly Spies: How America's Allies Are Using
Economic Espionage to Steal Our Secrets. New York: Atlantic Monthly
Press, 1993.
Skolnikoff, Eugene B. The Elusive Transformation: Science, Technology,
and the Evolution of International Politics. Princeton: Princeton
University Press, 1993.
Snyder, Jack. Myths of Empire: Domestic Politics and International
Ambition. Ithaca: Cornell University Press, 1991.
Steele, Robert D. "The Military Perspective on Information Warfare:
Apocalypse Now." Keynote Address, Second International Conference on
Information Warfare: Chaos on the Electronic Superhighway, Montreal,
19 January 1995.
Steele, Robert D. "War and Peace in the Age of Information."
Superintendent's Guest Lecture, Naval Postgraduate School, 17 August
1993.
Stein, Arthur A. "Coordination and Collaboration: Regimes in an
Anarchic World." International Organization. Spring 1982, 299-324.
Sterling, Bruce. "War is Virtual Hell." Wired, Premiere 1993, 46-52.
Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the
Electronic Frontier. New York: Bantam Books, 1992.
Stockton, Paul N. & Tritten, James J. Reconstituting America's
Defense: The New U.S. National Security Strategy. New York: Praeger
Publishers, 1992.
Stoll, Clifford. The Cuckoo's Egg: Tracking a Spy Through the Maze of
Computer Espionage. New York: Doubleday, 1989.
Thurow, Lester. Head to Head: The Coming Economic Battle Among Japan,
Europe, and America. New York: Warner Books, 1992.
Toffler, Alvin & Heidi. War and Anti-War: Survival at the Dawn of the
21st Century. Boston: Little, Brown & Company, 1993.
Toffler, Alvin. The Third Wave. New York: William Morrow & Company,
1980.
U.S. Congress. House. Committee on Science, Space, and Technology.
Subcommittee on Technology and Competitiveness. Hearings on Computer
Security. 102nd Cong., 1991.
U.S. Congress. Senate. Committee on Governmental Affairs. Subcommittee
on Government Information and Regulation. Hearings on Hackers
Penetrate Department of Defense Computer Systems. 102nd Cong., 1991.
U.S. Congress. Senate. Committee on Governmental Affairs. Subcommittee
on Government Information and Regulation. Hearings on Regarding the
Computer Security Act. 102nd Cong., 1991.
United States General Accounting Office. 1989. Report on Instances of
Unauthorized Access to Space Physics Analysis Networks. Washington:
GPO.
United States General Accounting Office. 1990. Report on
Implementation of Computer Security Act. Washington: GPO.
United States General Accounting Office. 1995. Information
Superhighway: An Overview of Technology Challenges. Washington: GPO.
Van Duyn, J. The Human Factor in Computer Crime. Princeton: Petrocelli
Books, 1985.
Wallich, Paul. "Wire Pirates." Scientific American. March 1994,
90-102.
Wilson, Kevin G. Technologies of Control: The New Interactive Media
for the Home. Madison: The University of Wisconsin Press, 1988.
_________________________________________________________________
[2](c) Copyright Terrorism Research Center, Inc. 1997