Chapter 15: The Information Warfare Arsenal and Tactics of Private Companies

OVERVIEW

Although the military establishment has put in place certain safeguards from IW attacks, the state of preparation of private companies is way behind. And, even though the military has some responsibility in relation to its own affairs, some responsibility must lie on the private sector—in addition to the fact that the private sector has its own interests in reducing vulnerability in cyberspace, the integration of military and private sector interests in the information revolution demand it.

IW of a sort is by no means a new issue for the private sector. Unscrupulous companies have always been delighted to take advantage of new opportunities to sabotage or steal from a dangerous competitor. The development of information networks and vulnerable points of attack merely emphasizes this and increases the opportunities. In addition to industrial espionage activities, internal moles or disaffected employees may destroy information networks, and outside groups such as political activists can also cause significant damage.

Private corporations are just as dependent on the infrastructures that form the basis for modern economy—such as telephony, computer networks, electric power, energy and transportation networks—as are military organizations. Various aspects of society are being transferred to cyberspace:

• Informational activities: For example, educational activities; processes and results of research; engineering designs and industrial processes; and mass information and entertainment media, in addition to private and public records. Often the electronic version is held in preference to and in the absence of paper records.

• Transactional activities: Commercial business, financial transaction, and government activities are now being carried on via computer networks, especially in the absence of paper records.

• Physical and functional infrastructures are increasing being controlled by electronics and software rather than mechanical or electrical means.

Such information is vulnerable to both intentional and unintentional attacks. In addition, the distinctions between warfare, crimes, and accidents are increasingly blurred, yet all may have the same damaging results. There are three general categories of attack, especially applicable to a private enterprise:

• Data destruction

• Penetration of a system to modify its output

• System penetration with the goal of stealing information or sensitive data

The means to mount such an attack are by no means difficult to come by. Programs are available free of charge on the Internet to crack passwords or grab key strokes to recognize them, and there is commercially available software to exploit network file system applications that allow file sharing. An increase or the opening of a too large a number of sessions in a given time can crash or disable a computer.

A user or a system may be disabled by “bombing” it with identical and repeated messages and attached files. There is also a means of attack known as “spamming”—sending numerous e-mails to a large number of users that can overload a system.

Also, the collapse of the former Soviet Union into what could be termed a “transnational kleptocracy” has led to some fundamental changes in the international security environment:

• Large amounts of unemployed, underemployed, or otherwise disaffected security and KGB operators are now available for hire.

• Large amounts of highly trained and professional scientists and computer experts may no longer have jobs.

• Some countries into which the former Soviet Union (FSU) disintegrated have a nuclear capability and/or reserves of highly enriched uranium.

• Some estimates claim that 70% of the Russian economy is under the control of criminal enterprises. These enterprises have spread beyond the borders of any particular state.

• Estimates claim that 86% of Russian banks are under criminal control.

• Certain Russian power “power ministries” may no longer be serving the interests of the State.

• Russian organized crime has been identified in particular in the following transnational areas: money laundering, drug trafficking, and commercial fraud.

It must be stressed that at this stage, Russian organized crime (ROC) is in what could be termed a “nascent state”—although it holds much sway in Russia, ROC is yet to reach a truly transnational existence.

Furthermore, the interplay of corporations and private enterprise with avowed terrorist groups should not be underplayed. Here a problem arises: If a terrorist organization has an identifiable and compassing ideology (or proto-strategy), such an ideology would be general in nature. Also, such an ideology would directly establish broad principles, rather than on issues which would provide analysts with a solid foundation.

New and dangerous players have emerged in the international arena. The level of instability and concomitant violence is further heightened by the rise to international political significance of nonstate actors willing to challenge the primacy of the states. Whether it be the multinational corporation or a terrorist group that targets it, both share a common characteristic. They have each rejected the state-centric system that emerged 175 years ago at the Congress of Vienna.

All these factors have accelerated the erosion of the monopoly of the coercive power of the state as the disintegration of the old order is intensified. And this process in all probability, gains even greater momentum because of the wide-ranging and growing activities of criminal enterprises. These enterprises include everything from arms traders and drug cartels, which will provide and use existing and new weapons in terrorist campaigns as a part of their pursued profit and political power.

In sum, present and future terrorists and their supporters are acquiring the capabilities and freedom of action to operate in the international jungle. They move in what has been called the “grey areas,” those regions where crime control has shifted from legitimate governments to new half political, half criminal powers. In this environment, the line between state and rogue state, and rogue state and criminal enterprise will be increasingly blurred. Each will seek out new and profitable targets through terrorism in an international order that is already under assault.

Although some might argue that multinational corporations and terrorists groups stand at either end of a spectrum, the spectrum would still be that of a movement away from “state-centrism” and the concentration of coercive power in the state—with the danger that they each move so far away from one another and that they meet up again. Any ambivalence in allegiance or identification on the part of a nonstate quasi-criminal or terrorist organization toward a corporation could easily find its way into violent activity directed at the multinational corporation. Such an ambivalence (and an appreciation of the vulnerability of a corporation) would be brought to the fore, were a corporation to hire the same cyberterrorists to undermine its competitors. A corporation willing to use such agents and to expose its insides to them, puts itself at their mercy should the flow of money dry up or should the cyberterrorists then sell their services to another competitor or organization that bids higher. In addition, the multinational corporation, through its existence on many planes of definition at one time, can at any time be seen to be on a similar plane with a substrate or nonstate actor, as well as being on a nation-state plane—thus attracting criticism and violence that would have been directed toward the identifiably “official” organs of the nation-state in previous times.

As potential targets continue to be hardened in urban areas, the visible aspects of multi-national corporations are strengthened and protected. At this point, activities may then move to rural and/or less protected areas.

Many multinational corporations have now “desegregated their operations” (to borrow a term from another context) and have placed various aspects of that operation in different geographical areas (and even different countries). A failure to strengthen and protect a particular part of that operation may cause incalculable damage to a multinational corporation’s network should a weak network node be attacked and disabled.