«DEFENSE SCIENCE BOARD SUMMER STUDY TASK FORCE ON INFORMATION ARCHITECTURE FOR THE BATTLEFIELD DTlC OCTOBER 1994 S ELECTE APR I 0 1995' G i 95-01137 I ...»
The Department of Defense has been quick, and in many cases the leader, in adapting electronics, specifically including information technology, to our military establishment. We spend hundreds of milli,,is of dollars trying to "leverage" such technology into "force multipliers." These coincident activities have provided the DoD with very powerful capabilities and simultaneously made us virtually dependent on these same technologies. We have begun to forcefully use information per se as a powerful new weapon. Paradoxically, these same new strengths create some of our most significant vulnerabilities. The tens of thousands of computers connected to other computers have increased the damage that can be inflicted from the vantage point of a single computer, or computer controlled network! This has become especially true in light of the increased use of commercial networks and other communications media by the DoD! Figure B-2 illustrates the overlap of military and civil infospheres and the concomitant spanning by the Information Warfare concept of those two domains. It is important to note that in addition to Information in Warfare, there is Information Warfare. These distinctions often get smeared and we will address in subsequent paragraphs some important definitions.
This ubiquitous nature of global information creates serious issues with respect to the assurability of information when and where we need it. For example, a number of
components of the Gil for support to military operations operate on or in:
"* U.S. public switched networks;
"* Commercial communications satellite systems such as INTELSAT & INMARSAT;
"* Transoceanic cables;
"* Foreign postal, telephone and telegraph systems;
"* Shared navigation systems, including Global Positioning System;
"* DoD military satellite communications systems - MILSTAR, DSCS, UHF FLTSAT;
and "* Supporting systems - power grids and so on.
Figure B-2 Furthermore, our "infosphere" specifically includes users such as logistics, maintenance, medical, personnel administration and commercial support infrastructures in addition to the traditional command and control and intelligence systems. Thus our span of interest, interdependence and potential vulnerability has grown s.gnificantly. This is predominantly the result of a networking of resources driven largely by new technologies. This is a dramatic change from the stovepipes that used to exist for each of these disciplines!
A measure of the magnitude of this issue is contained in the Joint Security
Commission Report - February 1994 which states that:
"The Commission considers the security of information systems and networks to be the major security challenge of this decade and possibly the next century, and believes there is insufficient awareness of the grave risks we face in this arena. We have neither come to grips with the enormity of the problem nor devoted the resources necessary to understand fully, much less rise to the challenge."
Our Information Infospheres are under attack today; in some cases by computer "hackers," in other cases by organized activities by those who would do the U.S.. harm.
There are at least 25 countries with computer underground groups and these international hackers often are very sophisticated - often sharing technologies for breaking into computers and computer controlled systems such as INTERNET. Many of the computer attacks over the INTERNET are known, but based on information generated by its own testing. DISA estimates that only 5% of attacks are detected and, of those, only 5% are reported. Not only that, over 100 countries have intelligence collection capabilities.
B-5 Transnational, multinational and terrorist organizations each have interests in gaining access to our information systems. There is really a continuum of activities about which we need be concerned, ranging from an "accidental" intrusion by a student, to major, focused, deliberate and sophisticated intrusion into our systems at the time of greatest
impact upon us. We need to be aware that:
A large, structured attack with strategic intent against the U.S. could be prepared and executed, for example, under the guise of unstructured "hacker" activities.
All of this indicates that there is a serious and escalating vulnerability of the U.S.
infrastructure. In many respects, our vulnerabilities are of much greater concern than the currently known threats. In the coming years, the number of nations and individuals with the capability to access and damage our systems will grow substantially. Furthermore, the concept of peace-crisis-war is becoming blurred because of the concept of conducting warfare with information. Maintaining information superiority becomes as important as nuclear superiority/deterrence. Information superiority provides enormous political, economic and military opportunities to the United States. This area warrants national focus and policy. It may help with deterrence in a new world order, as more and more we are involved in Operations Other Than War around the globe!
What Is Information Warfare?
2.2 Information Warfare is a term which has come to represent an overarching integrating strategy to recognize the importance and value of information per se in the command, control, and execution of military forces and in the implementation of national policy. IW means different things to different people. Other terms, such as Command and Control Warfare (C2W), which is the military application of IW on the battlefield, are used in related contexts, but they too often are loosely or imprecisely used. These differences are great enough to seriously impair development of coherent policy, strategy, tactics and program plans.
A draft DoD UNCLASSIFIED definition of IW is:
"Actions taken to achieve information superiority in support of national military strategy by affecting adversary information and information systems while leveraging and protecting our own information and information systems."
Some aspects of Information Warfare are very old - for example, what we now call Psychological Operations. Some are relatively new, such as Electronic Warfare.
Better information might equate to earlier victory or fewer forces, or combinations of both. Information can p'ovide dramatic leverage in combat; a virtual form of stealth. It operates in any weather, day or night, and under certain circumstances can be as lethal as many other weapons. Additionally, it pervades all levels of tactical operations.
Information Warfare is a revolutionary strategy - as were advances such as the longbow, gunpowder, armored vehicles, aircraft, code breaking, transistors, nuclear weapons, guided missiles and stealth! Figure B-3 illustrates the concept of Information Warfare and how what previously was called "peace" is now a part of the continuum of conflict.
B-6 Information Warfare
Figure B-3 A range of activities contribute to Information Warfare: Perception Management, OPSEC, Electronic Warfare, Deception, Information Influence and many others depending upon the circumstances. It is important to note that 1W comprises the entire range of activities to use information to our advantage, or to our adversary's disadvantage. This raises a number of issues like those cited on the left side of Figure B-3, some of which are definitional, others of which relate to organizational issues or the roles of various organizations in coordinating or executing 1W.
MOP Information Warfare then is a national, strategic concern. OUT economy, nationazl life and military capabilities are very dependent upon information - information oftfer, vulnerable to exploitation or disruption.
Even if there were no possibility of use of Information Warfare in the offensive sense, the use of information in warfare will always be of great value. It is the use of information in warfare that is at the heart of the.current revolution in military information technology, and this is why Information Warfare is both more feasible and more valuable.
B-7 Where Are We in Information Warfare?
2.3 A wide variety of IW activities are underway in DoD. OSD(C31), for example, has established an IW Directorate, requested a special National Intelligence Estimate on Information Warfare and drafted a PRD. The Joint Staff, other DoD Agencies and the Services all have begun to participate in several respects (see Figure B4).
Figure B-4 Doctrine and Studies Assessments underway are shown in Figure B-5.
Clearly, Information Warfare has become, and properly so, a critical issue for the Department of Defense - an issue requiring major attention and resources now! Equally importantly, Information Warfare needs to become a national issue as we begin to really understand the extent to which our government and our way of life depend upon the effective functioning of our national infosphere.
The complex interrelationships imbedded in these concepts and activities raise a number of issues, several of which require urgent, coherent, near term attention.
The functioning of the U.S. economy and our national life in general are becoming increasingly dependent on the use of information in digital, electronic or optical form and on the national infrastructure which handles that information. The same is true of our military posture in peacetime, crisis and war. We use the civil/national information infrastructure for a wide range of defense functions, including wartime operations. And our national information infrastructure is becoming increasingly integrated with the global information infrastructure. The use of information, employing these linked B-8 infrastructures, is increasingly an enabling factor in national and international economic growth, and in the development and use of military capabilities. Protection of essential information and the infrastructures used to support the information is important for military operations.
3.0 ISSUES AND RECOMMENDATIONS This translates into a basic issue at the national level on how to deal with the widespread vulnerabilities in our civil and military information enterprise and the potential severe consequences for our national interest and security.
As pointed out earlier, there is no national policy on Information Warfare (IW), although a PRD has been drafted. In contrast, there is a DoD policy on Information Warfare. Its basic strategy is to seek "dominance" in both the use of information in warfare and in Information Warfare. Below this basic strategy, there are fundamental questions as to how to achieve "dominance" within available resources. The questions and issues for DoD are very similar to the issues at the national level.
This is not surprising, since the prospects for "civil" information warfare in "peacetime" have much in common with DoD concerns. Alternatives or building blocks for both national and DoD strategy all have cost and effectiveness issues, and some, especially in regards to the civil infrastructure, have legal and/or other policy implications.
Three factors illustrate common issues between the national and the DoD problems:
" Widespread protection of the civil and military information enterprise, or making it more robust against degradation. would be a lengthy and extremely costly process, and there is a fundamental technical question as to their effectiveness. Substantial protection of the civil information enterprise would entail a "cultural change" in the private sector side of the enterprise. The development of the information infrastructure has been based on ease of use and access. Software has stressed "friendliness" and a trend toward openness. These increase vulnerabilities. System intrusions by hackers and the growing incidence of industrial software espionage and fraud are beginning to cause change, but there will continue to be a tension between utility and security, Further, to have high confidence that the vulnerabilities would be reduced below the level of strategic concern, the Government would have to insert itself more and in new ways;
"* In both the civil and DoD cases, potential adversaries' strategies and capabilities need to be taken into account. So also does the evolution of the global technology base as it shapes both U.S. and adversaries' capabilities, especially because generation changes in information technology happen so fast; and "* The interplay between offensive and defensive information warfare, both ours and potential adversaries, must be addressed.
This situation leads to two interrelated recommendations:
"* The Secretary of Defense should direct a Net Assessment of Information Warfare;
and "* The Secretary of Defense should review the draft PRD and related issues.
The Net Assessment should examine:
"* Both DoD and national systems;
"* The nature, extent and implications of both U.S. and adversary vulnerabilities;
"* Evolving U.S. and adversary offensive and defensive IW capabilities; and "* The cost and effectiveness of a variety of U.S.. strategy options, in light of possible adversary strategies.
The Net Assessment should be accelerated so that it can serve as one of DoD's inputs to the national policy review. It should involve the BITF recommended earlier in this report.
A key problem mentioned above is the vulnerability of national and DoD infrastructures and the defensive aspects of dealing with those vulnerabilities. A POM issue paper on a defensive IW alternative exists. Also, the Joint Security Commission recommended spending 5-10% of the infrastructure costs to protect the civil infrastructure.
These estimates not withstanding, the Task Force's judgment is that no comprehensive analysis has been completed of the cost and effectiveness of defensive weapons for DoD systems to establish where the knee of the cost/benefit curve is, nor how far beyond the knee DoD should be willing to spend, considering the gravity of the vulnerabilities for defense activities in both peace and war.
B-10 Despite the absence of such an analysis, the members of this Task Force are also persuaded that DoD is currently spending too little on defensive IW, and that the gravity
and potential urgency of the problem deserves redress. We therefore recommend that: