Regular readers may know that I have a longstanding interest in information warfare. I was reviewing materials that might be useful in a new elective graduate course for the Norwich University MSIA program that my friend and colleague Peter Stephenson is planning for us and ran across a couple of interesting articles that are available on the Web for anyone to read. I’ll review the first in this column and the second in the next.

In _NATO Review_ for Winter 2001/2002, Timothy Shimeall (at that time a senior analyst with the Computer Emergency Response Team - CERT - Analysis Center), Phil Williams (a former NATO Fellow and a professor at the University of Pittsburgh) and Casey Dunleavy (former intelligence analyst and director of the CERT Analysis Center) argued that “defence planning has to incorporate the virtual world to limit physical damage in the real.”

The authors dismiss Web vandalism as “a form of harassment or graffiti and not as cyberwar _per se_.” They distinguish among three major levels of cyberwar: “cyberwar as an adjunct to military operations; limited cyberwar; and unrestricted cyberwar.”

The first category focuses on “achieving information superiority or information dominance in the battle space.” I would put it this way: This form of cyberwar involves physical or cyber attacks directed at military cyber targets and is intended to interfere with C4I (command, control, communications, computing and intelligence).

Limited cyberwar focuses cyberattack tools on cybernetic targets with few real-world modalities but with real-world consequences. Vectors for attacks could include networks, malware, denial-of-service techniques, and data distortions useful in psychological operations, economic warfare and other forms of aggression.

“Unrestricted cyberwar” is, in the view of the three authors, “More serious, and perhaps more likely, than limited cyberwar.” This form of information-based warfare makes “no distinctions between military and civilian targets” and may have distinct physical repercussions “from attacks deliberately intended to create mayhem and destruction.”

Targets could include any part of the critical infrastructure: “energy, transportation, finance, water, communications, emergency services and the information infrastructure itself.” Such attacks could easily result in physical harm and even death to members of the civilian population. For example, the authors suggest, a denial-of-service attack on, say the electrical power grid could cause massive disruption and danger and also potentially lead to destabilization of civil order as the population lost confidence in government structures.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.