


INFOSEC and INFOWAR:

Considerations for Military Intelligence

by

Daniel J. Ryan

Corporate Vice President

Science Applications International Corporation

 

 

 

The Relevance of Information Security to Military Operations and Geopolitics

The importance of information security to military operations cannot be overstated. The Russian failure at Tannenberg in August of 1914 saw the complete destruction of two Russian armies by a single German army half their combined size. This decisive victory was the direct result of the intercept and exploitation of Russian communications, which were broadcast totally in the clear as the battle progressed. The German commanders knew exactly what the Russian plans and orders were, often before the Russian officers received them from their own command. The Russians had failed to distribute military ciphers and the associated keys so that neighboring units within each army could not communicate securely, much less could the two armies coordinate a complex pincer attack unheard. In the end, 30,000 Russians were killed or missing, 100,000 were captured, one of the two Russian armies was devastated and one simply ceased to exist, all at the guns of the smaller but more mobile German army with its infinitely more secure communications. David Kahn says, "The case was clear-cut. Interception of unenciphered communications had awarded the Germans their triumph." The message of Tannenberg to military commanders could not be more clear, "Be sure of your information security or you lose!"

Commanders and military theoreticians had, in fact, understood the importance of information security for centuries. Aeneas the Tactician of Greece described in one of the earliest books on military science, On the Defense of Fortified Places, a system of cryptography. The Spartans used military cryptography as early as the Fifth Century B.C. Later, Julius Caesar tells in his Gallic Wars of using enciphered messages, and Suetonius implies that secret messages were routinely exchanged by the Caesars. Military history between the Gallic wars and the World Wars cites thousands of examples of the use of cryptography and many, many cases that illustrate the power of cryptanalysis in resolving battles, crises and even the course of wars. Consider the fall of Réalmont to Henry II of Bourbon, Prince of Condé. When, during his siege, Condé had a secret message from the town intercepted and decrypted that reported the town's desperate need for munitions, he simply returned the deciphered message and the town surrendered. The incident captured the attention of Cardinal Richelieu, who found cryptology to be admirably suited to the political and diplomatic games in which he engaged on behalf of the French Court. This led to the hiring of Rossignol by the King and the renaissance of modern cryptography as an enabling technology for geopolitical intrigues as well as military victories.

As the history of World War II has been declassified in the fifty years since its conclusion, it has become increasingly clear that information security failures of the Axis powers and cryptanalytic successes of the Allies provided an overwhelming advantage to the latter and contributed significantly, if not decisively, to the outcome. For example, Japanese policy stressed the importance of communications security, but their practices and procedures implementing that security were slipshod. Consequently, Admiral Nimitz knew as much about the plans for the battle of Midway as did many of the captains of the Japanese warships that were to participate in what could have been the completing victory for the Japanese in the drive begun at Pearl Harbor to control the Western Pacific. Nimitz was able to use the advantage of surprise that Yamamoto depended upon but lost to American cryptanalysts, which cost the Japanese the battle, forced them to shift from an offensive to a defensive strategy, and turned the tide of the war. John Keegan says that Midway "restored a Naval equilibrium in the Pacific in 1942." RADM Edwin Layton says, "Midway proved to mark the beginning of the ebb tide for Japanese naval power in the Pacific." Kahn calls Midway a cryptologic victory "more crucial to the course of history than any other [cipher] solution except that of the Zimmermann telegram."

Apologizing in advance for the oversimplification, we can see in these examples the broad outline of the influence of information security on modern world history. The Russians lost at Tannenberg, starting them on a downward path that led ultimately to the fall of the Tsars, the ascent of the Evil Empire and its subjugation of half the world, and fifty years of Cold War. Conversely, the American win at Midway stopped the Japanese juggernaut, turned the Allied strategic position in the Pacific theater from defensive to offensive and led eventually to victory there and in the War, and positioned the United States to protect the freedoms of half of the world in the ensuing Cold War and ultimately to win the Cold War. And in each case a key element was the information security failure of one side and the successful exploitation of that failure by the other. Little wonder that information security is deemed so important to military operations, or that codes and ciphers, cryptographic keys, and information security technologies occupy such a central place in the Essential Elements of Information that comprise the highest-value targets for military intelligence. Nor that the technologies that support information security play so often in the nightmares of military counterintelligence officers.

Information Security and Military Intelligence

Information security and military intelligence can be viewed, in some ways, as two sides of the same coin. This is not a matter of logical necessity, but of historical consequence. Notwithstanding the commonly held view among the natural fiber espiocrats at CIA and INR that "Military intelligence is to intelligence as military music is to music," the soldier's and sailor's deep understanding of the value of signals intelligence and communications security has led to significant investments by the military in information security technologies, including the mathematical disciplines of cryptography and cryptanalysis and the love affairs of those arts with computers. As modern communications systems have evolved, they have increasingly become computer-based networks and the existing infrastructure of computer expertise and technology in the military cryptologic community provided a natural forum for the evolution of information security to its modern form comprised of both communications security and computer security, with associated related disciplines. Information security has consequently found a comfortable home in the military and especially, since shortly after the end of the Second World War, at the National Security Agency, within the defense establishment.

But just as military intelligence is not congruent with intelligence, information security writ large is not synonymous with protection of the secrecy of military and diplomatic information. In its modern form, information security encompasses integrity and availability protections as well as privacy protections. Loss of the integrity of data bases, software, and systems can have profound consequences. Consider that the air traffic control system, stock transactions, financial records, currency exchanges, Internet communications, telephone switching, credit records, credit card transactions, management information systems, office automation systems, the space program, the railroad system, hospital systems that monitor patients and dispense drugs, manufacturing process control systems, newspapers and publishing, the insurance industry, power distribution and utilities all depend on computers. The law enforcement community also relies heavily on the integrity of information and information processing systems. These are strategic issues. For the military, calling up the reserves to respond to crises or war requires complete and accurate data on personnel, equipment, plans, contingencies and logistics, just as calling up the reserves depends upon the public switched telephone network and the nation's transportation system, both directly and completely dependent on computers.

The integrity of information can be threatened by the physical destruction of the systems that create, process and communicate information, or by the destruction or erasure of the media containing the information. Destructive programs called "logic bombs" may be introduced into systems and networks where they lie in wait for either a specified set of conditions or the passage of a specified length of time. Then they destroy the information in the computer and wreak havoc on the processes that depend upon that information for successful execution.

Computer viruses may also destroy data. Thousands of viruses are known, many of which destroy data, and more are appearing at the estimated rate of twelve per day. Malicious programs which corrupt or destroy information may not simply delete files or erase disks. Some corruptions of data are especially hard to detect and counter. One datum might be changed more or less at random every few days. Such changes may be slight, not nearly as obvious as missing files or mangled data, yet enormous amounts of money and time may be required to recreate a compromised data base, if it is possible to repair the damage at all. If alterations occur over long periods of time, even routine backup processes may not avoid their effects.

Similarly, information which is not available when required is of no use, even if its confidentiality is secure and its integrity intact. Systems and networks which are not there when we need them not only represent a waste of the money they cost, the organizations which depend on them may be irreparably damaged by operational shutdowns or loss of revenue. In the case of military organizations the cost may extend beyond the organization to the country the military is charged with defending. These additional dimensions of integrity and availability are not as well-understood today as is protection of confidentiality, but they take on deep significance in the context of protecting the National Information Infrastructure against infoterrorism and information warfare, subjects to which we now turn.

Information Warfare

Information warfare is much discussed but as yet not well-understood. In its defensive form, it is essentially congruent with the discipline of information security. Defensive information warfare is about the protection of confidentiality, integrity and availability of information assets on the battlefield, throughout the theater of operations and "back in the world". Its tools, informed by intelligence and counterintelligence, are comprised of a similar mix of cryptography and trusted computer science to that used to protect in peacetime from hackers and criminals the national information infrastructure, the computer and network resources of the private sector and academia, and the personal computers of the citizens. Although the field is evolving rapidly due to increased reliance on computers to create, store, process and communicate information, and to increased connectivity among computers being so used, the basic outlines of the technical discipline have been thoroughly explored, and so the problems are problems of speed and scale rather than of fundamental definitions and applications.

The offensive form of information warfare, on the other hand, is something truly new. Information warfare – or INFOWAR – is, first of all, warfare. It is part of military operations, not of military intelligence or counterintelligence. It is related to, but not part of, other types of military operations characterized by information exchange and manipulation, such as psychological operations (PSYOPS) or electronic warfare. It is certainly not espionage using networks for access to desirable information, nor is it information terrorism, nor computer crime, and it is surely not hacking. These are all interesting and dangerous phenomena that individuals, corporations and governments face today, but they are not INFOWAR. There is danger in defining INFOWAR too broadly, resulting in ambiguity, confusion, and squabbles for control of missions and budgets. In INFOWAR, the computers and networks are the battlefield, computer programs are the weapons, and information assets are the targets. The Joint Security Commission said, "Networks are already recognized as a battlefield of the future. Information weapons will attack and defend at electronic speeds using strategies and tactics yet to be perfected. This technology is capable of deciding the outcome of geopolitical crises without the firing of a single weapon."

INFOWAR is, then, the application of destructive force on a large scale against information assets and systems for geopolitical purposes. This distinction is vital and determines the appropriate response options and responding agencies in an information crisis. Without that distinction, one quickly finds oneself mired in the prospect of sending the Department of Defense against a single teenage hacker. Remember that when Aldrich Ames was discovered to be spying for the Russians, the United States did not respond with armed retaliation by the Defense Department, but with criminal proceedings under the auspices of the Department of Justice. When the World Trade Center was bombed, the FBI responded, not the military services. Make no mistake, there are real issues here, including the problems of knowing that an INFOWAR attack is underway, of ascertaining the scope of that attack, and of quickly bringing to bear effective responses. These are, however, questions that can only be resolved after an appropriate framework of policies, practices and procedures has been established, a framework which is only just beginning to evolve. Computers and information assets were destroyed when the World Trade Center was bombed, but defining the World Trade Center attack as INFOWAR merely because information assets were attacked as a secondary consequence serves no management purpose and detracts from the systematic protection of assets and prosecution of those who would commit such acts of terror.

It should not be surprising that INFOWAR, being a new type of warfare, should not yet have a full complement of strategies, tactics and doctrines, supported by appropriate logistics and exercised routinely in preparation for crises and the outbreak of hostilities. After all, from the days of runners carrying news of battles and their outcomes over the plains of Greece, through the eras of signal fires, semaphores and carrier pigeons, to today's use of encrypted satellite transmissions, information has always been a crucial component of military decision making. Information is vital to the formulation and execution of effective battle plans. All other things being equal, more timely, accurate and complete information is essential to winning in battle. This is so thoroughly understood by our military that it is a fundamental part of our strategic and tactical planning processes. This is, however, "information-based warfare", not INFOWAR as we have defined it. It is warfare informed and enhanced by critical information, but the weapons are guns, tanks, ships and planes, not computer viruses and logic bombs, and the battlefields are silicon in the form of sand rather than in the form of computer chips.

The concept of information-based warfare recognizes the dependence of armed forces on information and systems that can rapidly and securely provide that information to decision makers, and understands the need to maintain and enhance one's own information while denying that advantage to the enemy. In information-based warfare, better, faster and more complete information provides an advantage in applying conventional or strategic forces. In INFOWAR, the information networks become the battlefield and information itself becomes both the weapon and the target. The notion of information-based warfare would be easily recognized by Sun Tzu, Alexander the Great, Genghis Khan, Von Clausewitz or Dwight David Eisenhower. What would be an innovation to these masters of strategy would be the notion of information as a separate area of warfare independent of guns, ships, tanks and bombs.

This concept of information warfare as opposed to information-based warfare is being examined, studied and explored by many of the world's strategic thinkers from Moscow to Tehran, and from Beijing to Chiapas. We have ample examples of innovations and fundamental changes to warfare. In World War I, the new paradigm of air warfare began to be explored – at first planes were only observation platforms, then someone decided that things could be dropped from them, and eventually (after a number of pilots shot down their own planes by disintegrating their propellers) synchronized guns made air-to-air combat possible. Later, as World War II progressed, a new battlefield – the electromagnetic spectrum – was discovered, and the "Wizard War" was born, what is now called electronic warfare. If it seemed like sorcery to the scientists and engineers who invented it, imagine how incomprehensible it was to the cavalry and infantry soldiers whose training and experience centered on more tactile dimensions of combat. Two decades ago the need to incorporate the role of space into warfare became apparent. (A burning question still unanswered is will it be Admiral James T. Kirk or General James T. Kirk?) INFOWAR is facing and must stand up to the same sorts of challenges faced by air, electronic and space warfare as they evolved, and we will see and participate in the consideration, consolidation, and eventual mastery of this new dimension of warfare.

Decision Making and the Control of Information Operations

Since information warfare is warfare, it is properly in the domain of operations rather than that of intelligence. Unfortunately for information warfare, the skills and technologies needed to conduct information operations have been developed primarily by the intelligence community to support espionage using computers and networks to gain access to important intelligence information. The intelligence community thus justly claims that its intelligence officers are ideally suited to initiate and conduct attacks in cyberspace since they are already positioned to do so by virtue of their military intelligence activities. Moreover, revealing to the operational community the vulnerabilities being exploited for espionage purposes would increase the risk of disclosure and would jeopardize not only the intelligence activities but also the access required to conduct a successful offensive information warfare operation. Best leave the planning and execution of information warfare operations in the hands of the intelligence community, they argue.

But history has shown that it is not a good idea to have control of operations in the hands of the intelligence community. Consider for example, the situation that faced Adm. Nimitz in April of 1943 when American cryptanalysts intercepted and decoded a Japanese message detailing the itinerary of Adm. Isoroku Yamamoto. Yamamoto was the dominant officer in the World War II Japanese Navy and the opportunity provided by the message to shoot down Yamamoto's plane would both demoralize the Japanese and revenge the United States for the attack on Pearl Harbor that Yamamoto had conceived. Yamamoto's death would be a major victory for the Americans.

There was, however, a serious problem. If the Americans were successful in shooting down Yamamoto, there was a danger that the Japanese would become suspicious that the Allies were reading their messages and that their codes were compromised, as in fact they were. If the Japanese changed their codes, the Allies might not be able to break the new codes quickly and valuable intelligence information would be lost. Nimitz, the operational commander, elected to take the risk, although he minimized the danger by creating a cover story that coastwatchers had detected the flight.

Would the decision have been the same if the intelligence community were making it? Their logic is straightforward: if you lose access, you lose intelligence information, and without that information, operations must be conducted blindly. The result is increased losses of lives and equipment. Believing fervently in the value of their products, and having no direct responsibility for the success or failure of operations but ultimate responsibility for continuing to provide intelligence information, intelligence officers would be hard-pressed to risk access. Their imperatives, even when acting in the best of faith, make weighing possible loss of access against operational gains difficult or impossible.

It is also vital that information warfare be fully integrated into the battle plans created, practiced, and executed by operational commanders. Unity of command and control is essential to the successful execution of modern military operations with air, land, sea, space, electromagnetic, and cyberspace dimensions. All things considered, it is probably best that information warfare should be left in the province of warriors, not intelligence officers.

Conclusions

Information security is in opposition to military intelligence. The first seeks to protect the confidentiality, integrity and availability of information assets while the second seeks to gain access to and steal such of those information assets as may be valuable for military purposes. History teaches us that there is a clear imperative in information security, or equivalently in defensive information warfare: "Be sure of your information security or you lose!" In the extreme case of warfare in the new dimension of information systems and networks, defensive information warfare seeks to protect both military secrets and the information infrastructure both in the theater of operations and back at home. Offensive INFOWAR attacks the information assets and systems of the enemy, using logic weapons across networks as part of a coherent battle plan that incorporates operation in the information dimension with operations on land and sea, in the air, and across the electromagnetic spectrum. Our warriors are beginning to develop the strategies and tactics to successfully exploit this new dimension of warfare.

 

Dan Ryan

September, 1997

 

 

 

 

 

Bibliography

Codevilla, Angelo, Informing Statecraft: Intelligence for a New Century, Maxwell Macmillan International, New York, 1992.

Kahn, David, The Codebreakers: The Story of Secret Writing, Weidenfeld and Nicolson, London, 1967.

Keegan, John, A History of Warfare, Alfred A. Knopf, New York, 1993.

Layton, RADM Edwin T., "And I Was There", Quill, William Morrow, New York, 1985.

Redefining Security: A Report by the Joint Security Commission to the Secretary of Defense and the Director of Central Intelligence, February 28, 1994.


DanRyan@danjryan.com


Copyright Dan J. Ryan 1991 -- 1999 All Rights Reserved
