How far could cyberwar go?

* Article details three major levels of cyberwar

Regular readers may know that I have a longstanding interest in information warfare. I was reviewing materials that might be useful in a new elective graduate course for the Norwich University MSIA program that my friend and colleague Peter Stephenson is planning for us and ran across a couple of interesting articles that are available on the Web for anyone to read. I’ll review the first in this column and the second in the next.

In _NATO Review_ for Winter 2001/2002, Timothy Shimeall (at that time a senior analyst with the CERT Analysis Center, part of the Computer Emergency Response Team), Phil Williams (a former NATO Fellow and a professor at the University of Pittsburgh) and Casey Dunleavy (former intelligence analyst and director of the CERT Analysis Center) argued that “defence planning has to incorporate the virtual world to limit physical damage in the real.”

The authors dismiss Web vandalism as “a form of harassment or graffiti and not as cyberwar _per se_.” They distinguish among three major levels of cyberwar: “cyberwar as an adjunct to military operations; limited cyberwar; and unrestricted cyberwar.”

The first category focuses on “achieving information superiority or information dominance in the battle space.” I would put it this way: this form of cyberwar involves physical or cyber attacks directed at military cyber targets and is intended to disrupt C4I (command, control, communications, computers and intelligence).

Limited cyberwar turns cyberattack tools on information-system targets: the attack itself takes place largely in cyberspace, but its consequences are felt in the real world. Attack vectors could include network intrusion, malware, denial-of-service techniques, and data distortion in support of psychological operations, economic warfare and other forms of aggression.

“Unrestricted cyberwar” is, in the view of the three authors, “more serious, and perhaps more likely, than limited cyberwar.” This form of information-based warfare makes “no distinctions between military and civilian targets” and may have distinct physical repercussions “from attacks deliberately intended to create mayhem and destruction.”

Targets could include any part of the critical infrastructure: “energy, transportation, finance, water, communications, emergency services and the information infrastructure itself.” Such attacks could easily result in physical harm and even death among the civilian population. For example, the authors suggest, a denial-of-service attack on, say, the electrical power grid could cause massive disruption and danger, and could also destabilize civil order as the population lost confidence in government structures.

The authors make the following recommendations (with much detail that I am not presenting):

1. Improve “anticipation and assessment”;

2. Improve “preventive or deterrent measures”;

3. Improve “defensive measures”;

4. Improve “measures for damage mitigation and reconstitution.”

In light of this perspective, security and network administrators, and all who are responsible for corporate and national information assurance (IA), must realize that our work is far more significant than simply protecting our own local assets for the benefit of our own stakeholders: we are engaged in nothing less than a critical component of national security.

I think that this excellent article by some very intelligent and highly qualified experts will be useful in educating senior management about the importance of IA. I hope you enjoy reading it.

