Introduction to Global Information Warfare

In the early 1990s several people in the U.S. Department of Defense (DoD) articulated a unique form of warfare termed Information Warfare, or IW. The Chinese say they were developing IW concepts in the late 1980s. Who's correct? Does it matter? As the areas embraced by IW have been developed over the centuries and millennia, these have been a normal part of human activities from mankind's beginning. What's unique about IW is that it's the first instantiation of trying to tie together all the areas that make up the information environment (IE). The IE runs through every part of your country, organization, and personal life. At the present time there is no cookbook recipe to do the extremely complex task of bringing together all the areas. IW is both art and science. ^[1]

What is IW? IW basically is a coherent and synchronized blending of physical and virtual actions to have countries, organizations, and individuals perform, or not perform, actions so that your goals and objectives are attained and maintained, while simultaneously preventing competitors from doing the same to you. Clearly this embraces much more than attacking computers with malicious code. The litmus test is this: If information is used to perpetrate an act that was done to influence another to take or not take actions beneficial to the attacker, then it can be considered IW.

The definition is intentionally broad, embracing organizational levels, people, and capabilities. There are also many areas of IW (See Figure 13.1). It allows room for governments, cartels, corporate, hacktivists, terrorists, other groups, and individuals to have a part. It is up to each enlightened enterprise to tailor the definition to fit its needs. This should not be a definition of convenience, to "check the box."

Figure 13.1: Many information warfare areas.

You are asked, and many times forced by government and businesses, to depend on the Internet. The Internet that is home to hackers, crackers, phreakers, hacktivists, script kiddies, industrial espionage, and information warriors. The Internet that is home to worms, Trojan horses, software bugs, hardware glitches, distributed denial of service (DDOS) attacks, and viruses. All this, and the Internet is only a portion of the areas that IW addresses. Although the Internet touches many critical infrastructures, and these in turn affect the many information environments (IE) with which you interface, most of the IW areas were around before the Internet.

As "competition" is analogous to "enemy" or "adversary," other business-military analogies can be made with profit, shareholder value, competitive edge, and industry rank to achieve brand recognition, customer loyalty, exerting power, influence, and market share. A business leader or military leader must train and equip forces; gather intelligence; assemble, deploy, and employ forces at decisive places and times; sustain them; form coalitions with other businesses and nation-states; and be successful. There are many physical and virtual world parallels, as can be seen in this news item: "Cisco to use SNA as weapon against competition. . . . Cisco believes its experience in melding SNA and IP internetworks can be used as a weapon in the company's battle with Lucent and Nortel for leadership in converging voice, video, and data over IP networks."^[2]

Purists will focus on warfare as a state of affairs that must be declared by a government and can only be conducted by a government. Microsoft attacking Netscape, guerrilla warfare, economic warfare (one country forcing another country to spend itself into bankruptcy, as the United States did to the Soviet Union), or a company adjusting prices to damage its competition (e.g., taking a long time horizon to use volume and time to adjust prices downward). "Conflict" or "that's business" doesn't carry the same sound of ultimate struggle as referring to business as "war." Clausewitz stated, "War is an extension of politics." By analogy, since business is the implementation of a country's laws, economic policy, and values, business is an extension of politics.

In a free market economy, competition is central to business strategy to win customers and market share. Competition, like war, is a struggle for a winning position. The marketplace can then be referred to analogously as a battlefield with winners and losers. It follows that business is analogous to war. Therefore, using military phraseology in a business context is appropriate. In fact, one just has to remember September 11, 2001, and New York's World Trade Centers to see that in today's world, warfare is waged on many levels by various adversaries against various targets. These targets may be nation-states, their governments, groups, businesses, or individuals. The tools will be any that can be applied for attackers to successfully attain their goals.

Information moves across information infrastructures in support of information-based processes. Information infrastructure is the media within which we store, process, display, and transmit information. Examples are people, computers, fiber optic cable, lasers, telephones, and satellites. Examples of information-based processes are the established ways to obtain and exchange information. This includes people to people (e.g., telephone conversations and office meetings), electronic commerce/electronic data interchange (EC/EDI), data mining, batch processing, and surfing the Web. Attacking (i.e., denying, altering, or destroying) one or more of the IE's components can result in the loss of tens of millions of dollars in profit and degraded national security, and can be more effective than physical destruction. Degrade or destroy any one of the components and, like a three-legged stool, the IE will eventually collapse. ^[3] The combination of military coalition partners, and a nation-state's industrial base may be such a stool. (See Figure 13.2.)

Figure 13.2: The major components of an information environment (IE).

For every minute information systems are not up and fully running, revenues, profits, and shareholder value are being lost. The last thing a general counsel needs is a lawsuit from unhappy shareholders who are suing for millions because the corporation did not follow best practices to protect information. One problem is that commercial off-the-shelf (COTS) hardware and software is very difficult to protect. Another concern is that firewalls, intrusion detection devices, and passwords are not enough. The state of the art in IA is against script kiddies and moderately skilled hackers. What about the competition, drug cartels, and hostile nation-states who are significantly better funded? There isn't a firewall or intrusion detection device on the market that cannot be penetrated or bypassed. Password dictionaries can cover almost any entire language, and there are very specific dictionaries (e.g., sports, Star Trek, or historic dates and events).

IEs exist internal and external to an organization. An IE is tailorable so it can support many actors. The example below involves a corporation, its customers, and the government. Another IE may be a military, its allies and coalition partners, and the government (see Figure 13.3). Whatever makes up a specific IE, the important fact remains that if its elements aren't protected and secured, the consequences can range from irritants to catastrophes.

Figure 13.3: An enterprise IE.

All organizations have employees. These employees deliver products, services, and processes to customers. To keep the organization running, suppliers deliver products, services, and processes. Financial stakeholders—venture capitalists, banks, stockholders, and others—provide capital. The public has a positive, neutral, or negative view of the organization. Strategic teaming partners provide physical, financial, cerebral, and other capabilities. Every entity with which the organization is linked has its own IE. IEs are connected to, and interdependent upon, other IEs. (See Figure 13.4.)

Figure 13.4: An extended IE.

^[1]The majority of the information provided in this chapter was excerpted from Chapter 1 of the book Global Information Warfare: How Businesses, Governments and Others Achieve Objectives and Attain Competitive Advantages; published by Auerbach Publications, a CRC Press Company, 2002; co-authored by Gerald L. Kovacich, Perry Luzwick, and Andy Jones, and reprinted with permission of the publisher.

^[2]Network World, August 10, 1998.

^[3]"What's a Pound of Your Information Worth? Constructs for Collaboration and Consistency," Perry Luzwick, American Bar Association, Standing Committee on Law and National Security, National Security Law Report, August 1999.