Defensive Information Warfare_A Literature Review.pdf

8/14/2019 Defensive Information Warfare_A Literature Review.pdf

1/19

Defensive Information Warfare 1

Running head: Defensive Information Warfare

Defensive Information Warfare: A review of selected literature

James R Francisco

December 2003


2/19


Abstract

Information warfare is a threat not only to military formations but to the civilian population as

well. Private organizations need to understand the context in which information warfare happens

and be able to defend against attacks when they occur. This article reviews the current literature

about defensive information warfare and suggests some avenues for ongoing research.


3/19


Table of Contents

Defensive Information Warfare: A review of selected literature.................................................... 4

Threats to the Information Infrastructure.................................................................................... 4

National Policy, Law and Ethics................................................................................................. 9

Law and Ethics........................................................................................................................ 9

National Policy...................................................................................................................... 11

Defensive Information Warfare Strategies ............................................................................... 13

Deterrence ............................................................................................................................. 13

Protective Measures .............................................................................................................. 14

Conclusions............................................................................................................................... 15

References..................................................................................................................................... 17


4/19


Defensive Information Warfare: A review of selected literature

In 1991, Martin Van Creveld published The Transformation of War.In that volume, he

proposed a new paradigm for analyzing warfare based on the growth of low-intensity conflicts

around the world.(Creveld, 1991) Recently, Van Creveld published a critique of the article where

he reviewed the differences between his 1991 predictions and the present. In that critique, he

comments that he never considered information warfare as a method.(Creveld, 2002) Defensive

information warfare is the practice of protecting an organizations computer systems against

attack by hostile sources. In this review, the literature discussing defensive information warfare

will be reviewed. The existing literature falls into three broad categories; threats to the

information infrastructure, national policy, and defensive strategies.

Threats to the Information Infrastructure

The information security literature is replete with details of differing methods that a

hostile attacker may choose to attempt to harm an organizations information system. However, it

is helpful to understand the nature and the motivations of the actors who are creating the threats

as well. In early discussions about information warfare, Jensen pointed out that the goals of

information warfare are centered on the concept of the precision strike that paralyzes the enemy

without creating large numbers of casualties among either friendly or hostile forces. (Jensen,

1994)

While assessing the potential threats from an attack on the nations information

infrastructure, Berkowitz raised the idea of sending agents into the country covered as computer

science students who, after gaining the needed skills, would attack the nation from within. (B. D.

Berkowitz, 1995) He has also characterized the advent of information warfare as the dark side:

of the information revolution. Berkowitz reasons that the vulnerabilities that have arisen in the


5/19


military and the private sector relate directly to the spread of information technology. (1995)

Another point that he raises relates to the fragmented nature of the threat from information

warfare. There is no guarantee that different hostile nations, terrorist groups, or criminal gangs

will attack the nations information systems in the same way or at the same entities. Nor will

they limit themselves to military or governmental systems. Civilian information systems are also

high profile targets of information warfare.(B. D. Berkowitz, 1995)

Organizationally, the rise of information technology has provided fruitful ground for the

development of networked organizations sometimes at the expense of traditional forms. (Arquilla

& Ronfeldt, 1999) Arquilla and Ronfeldt argue that this increased ability of networked

organizations to compete with traditional hierarchal organizations represents a departure from

the normal organizational structures used in conflict and crime. In this model, organizations take

on topologies that are familiar to network engineers such as chains and stars. The most

challenging type of organization is what Arquilla and Ronfeldt describe as the all-channel

network where all of the actors interconnect with each other with no identifiable central

leadership. (1999)This type of organization also is the hardest to identify and deal with on a

permanent basis because of the manner in which the organization relies on communications in

order to convey its values and conduct operational planning. One attack mode of networked

organizations in the information systems arena is the swarm where attackers approach a target

from a number of perspectives. This does suggest that when an organization is being attacked in

one manner, such as a distributed denial of service attack, network engineers need to be on guard

for other types of attacks against the system.(Arquilla & Ronfeldt, 1999) This concept of

netwar has been expanded and integrated in to a comprehensive model of the threat

environment for a nation that is under attack from terrorist organizations.(Bunker, 2002)


6/19


The civil information infrastructure has taken on a greater significance in an environment

where an increasing amount of the information that passes between civilian entities is dependent

on that infrastructure. In this environment, attacks on critical points in the economy can be more

harmful to the nation than attacks on military units.(Cobb, 1999) Cobb has identified some areas

of vulnerability that hostile actors could use to attack a nation. The energy industry is a

significant target for hostile attackers. The impact of events like the 2003 regional power grid

failure in the northeast United States point out the potential disruptions to society that a

successful attack could cause. The energy distribution network is increasingly computerized and

Cobb uses examples from Australia to illustrate the ways that attacking a single choke point can

have a devastating impact on the ability of an organization, community, or nation to be able to

respond to attacks against it. (Cobb, 1999) Other industries that are at risk in Cobbs examples

are the telecommunications and finance industries. In each case, Cobb gives examples of

chokepoints in the Australian economy that could be the source of major disruptions to society if

successfully disabled or destroyed.(1999)

The ranks of potential attackers are long and the list seems to grow on a regular basis.

Schwartau describes the situation as being a case of asymmetry between the opposing sides.

(Schwartau, 2000) Nations and other entities, knowing that attempting to compete with the

United States on the physical battlefield have expressly stated their intentions to attack civilian

organizations and infrastructure. Chinese military officers have specifically stated their intent to

attack the financial services industry, transportation, communications systems, and the national

power grid in the case of a major conflict with the United States.(Schwartau, 2000) The Russian

military also takes the threat of information warfare seriously. Schwartau relates that the

Russians consider information warfare as second only to the use of nuclear weapons. The losses


7/19


from information warfare are not limited to damage caused by attacks that shut down systems.

There are ongoing economic losses from theft of information as well. In 2000, the FBI estimated

that the losses to U. S. businesses from online industrial and economic espionage exceeded $300

billion.(Schwartau, 2000)

The threat to businesses from information warfare is not reduced by the dilatory

responses of the United State government to the potential risks. Schwartau describes several laws

that put businesses in the United States at a disadvantage to the rest of the world in the effort to

protect intellectual assets.(Schwartau, 2000) Berkowitz discusses issues with the original

placement of the National Infrastructure Protection Center under the management of the FBI. (B.

Berkowitz, 2000)The core of Berkowitzs argument is based on the difference in traits between

the FBI, which is structured to find and arrest criminals, and the military, which has the purpose

of defeating the nations enemies.(2000) Although several programs have been initiated by the

government to help identify and contain information systems attacks, Berkowitz points out that

they do not have good communications channels with the military commands that have the

capability to respond to the attacks in a forceful manner. He also discusses the ways in which the

government has mishandled relationships with the very information technology companies that

would be the greatest help in creating solutions and systems that would protect both business and

government from hostile cyberattacks. (B. Berkowitz, 2000) Berkowitz does also point out some

of the actions of the software industry that have made information systems vulnerable to attack.

He particularly identifies the conflict between designing systems for ease of use and the need for

secure systems that are secure. (2000)

Other writers have given some attention to what types of strategies hostile organizations

may use against businesses and society. Erbschloe and Vacca write that, the types of


8/19


information warfare that will be most likely waged against large industrial computer-dependent

countries are sustained terrorist information warfare, random terrorist information warfare,

sustained rogue information warfare, random rogue information warfare, and amateur rogue

information warfare.(Erbschloe & Vacca, 2001) These authors categorize rogue attacks as those

mounted by criminal organization as opposed to the terrorist attacks, which may or may not have

state sponsorship and the amateur rogue attacks carried out by individuals.

Perhaps the largest threat to businesses and society is not from the economic damage that

comes from a single large-scale attack that succeeds but from a few small, well-publicized

attacks that undermine the confidence of the public in the systems that are attacked. (B.

Berkowitz & Hahn, 2003) This strategy would not require major destruction, just little

inconveniences for the public from time to time until they became convinced that the systems

were unreliable.

There is some dispute about the nature of the threats facing the nation from information

warfare. Smith points out that with the exception of some large scale virus releases, the scenarios

for attacks outlined by scholars and other writers concerned about information warfare remain

scenarios for discussion.(Smith, 1998) From time to time, the government has been less than

helpful in dealing with building the organizations, systems, and credibility needed to deal with

these threats. In fact, government statements have inflated the number of systems attacked over

the years by a significant margin.(Smith, 1998) Skibell discusses the ways that a mythological

framework has arisen around the hacker and how that has diverted resources away from other

issues of corporate security such as protecting the organizations information system from internal

theft and sabotage.(Skibell, 2002) Having examined the nature of the threats to society from


9/19


information warfare, it is necessary to understand the legal and ethical positions that drive public

policy and constrain the range of possible actions that a firm might take to defend itself.

National Policy, Law and Ethics

The range of responses to external information security threats that are acceptable for

information systems organizations are bounded by law, ethics, and national policy. At a

fundamental level, law and ethics drive national policy.

Law and Ethics

There are ethical issues to consider when developing a strategy to respond to information

warfare attacks against business and private information systems. Arquilla (1998) initiates a

discussion about the nature of information warfare and the application of the principles of just

war in cyberspace. He argues for an interpretation of the use of information warfare that is

similar to the no first use doctrine that the United States adheres to for of weapons of mass

destruction. This philosophical position restricts the range of responses that are available to

lawfully constituted governments even though the author recognizes that the actors in an

information warfare attack may be a terrorist organization or a criminal enterprise not connected

to any established government. (Arquilla, 1998)

Information systems professionals in western nations are also often personally

constrained by the ethical codes of the professional societies to which they belong. Several

elements of the Code of Ethics for the Association for Computing Machinery have an impact on

the responses of ACM members to information warfare. The general moral imperatives of the

code suggest that while participation in offensive information warfare would be unethical,

element 1.2, that says, Avoid harm to others, and section 1.5, respect property rights,

suggests that members may be come involved in protecting the information assets of an


10/19


organization. ("ACM Code of Ethics and Professional Conduct," 1991) Although an ethical

approach may seem to put the organization at a disadvantage with respect to the hostile attackers,

the ethical approach is crucial to maintaining the legitimacy of the organization in the eyes of

third-party observers. The law is also a constraining factor when considering the range of

available responses to an attack.

International law has some specific criteria for an armed response by a nation to a

provocation. This test is known as the Caroline Test based on an incident in New York State in

1837 where British forces crossed from Canada to New York to seize Caroline, a ship that had

been engaged in smuggling weapons into Canada.

The Caroline test calls for three critical elements to coexist in any lawful statesforcible act of self defense: (1) the act in question must be necessary; (2) the use of forceinvolved must be proportionate and not excessive in terms of the means employed; and (3)the timing of the forcible defensive act must leave absolutely no doubt that the given actwas the very last option at hand.(Delibasis, 2002)

Delibasis also suggests that this classic interpretation of international law is supported by Article

51 of the United Nations charter. (2002) However, the language of Article 51 leaves open the

question whether an information warfare attack is an armed attack within the spirit of the article.

This conflict is resolved in article 2(4) of the U. N. Charter which further defines an attack as

both the use of arms and a violation of international law, which involves an exercise of power in

the territorial domain but no use of arms. (Delibasis, 2002) Although the U. N. charter clearly

grants nations the right to assertively defend themselves from electronic attacks through

information systems. There are national laws that influence the ability of organizations to

respond to information warfare attacks.

For the United States government and organizations subject to the laws of the United

States the issue is clearly stated in 18 USC 1030 (a)(5) where most of the activities short of


11/19


actual physical counterstrikes are prohibited by law not only to the civilian population, but the

government as well. One possible offensive response that has been discussed is the idea of a

logic bomb that counterattacks the computer system of the attacker. There is a risk that this kind

of attack may come from the computer of an innocent bystander.(DiCenso, 1999) DiCenso has

expressed a position held in the legal community of the United States Air Force that in at least

the initial phases of the investigation of an attack against an organizational information system,

criminal law procedures should be followed. (1999)

National Policy

The discussion about national policy with respect to information security has grown in

importance with the growth of the internet. Schwartau identified some if the threats and potential

targets for information warfare at an early point in the life of the commercial internet.(Schwartau,

1995) At that time, he also started advocating the development of a national information policy

to structure the activities of organizations defending against information systems attacks. In an

effort to impress the significance of the need for a strong policy, Schwartau portrays several

worst-case scenarios including the wrong hands could extract the most personal information

about the "digital you," not the least of which could be medical, financial, business, legal, and

criminal documentation. An individual could alter his/her own records to eradicate nefarious

histories. Or an individual could alter anyone's electronic documentation for any

reason.(Schwartau, 1995)

The interest of the United States government in defending against penetration attacks of

information systems is a recent development. In 1995, the Department of Defense (DOD) was

discounting the threat posed by the nearly 160,000 successful penetrations of DOD computer


12/19


systems because no highly classified information had been compromised. (Davies, 1999) In

recent years, there has been a change in the thought within DOD on information systems and

security. In 1996 the U. S. Justice department initiated a commission to study the issues and

requirements for a national information security policy.(Munro, 1996) Munro points out that

there is not unanimity in society about the need for or the desirable nature of and information

security policy. There are a number of concerns that are raised in the public debate about

information security. The software development industry is opposed to restrictions on the sale of

encryption software on grounds of lost profit and harm to the international competitive standing

of U.S. software publishers. There are elements of the civil liberties community that are

concerned about intrusions affecting individual privacy. (Munro, 1996) In this environment,

there is a need for the active cooperation of private industry that has been lacking in the past so

that protective efforts in the future can be successful.

The RAND corporation has developed a decision making framework to assist policy

makers properly evaluate the impact of their decisions. (Molander, Wilson, & Mesic, 1998) In

order to provide a common infrastructure and enhance security; the Defense department has

proposed a project Backbone to create a common internet protocol infrastructure and set of

networking strategies for the defense community. (Grasso & DeMarines, 2003)

A number of writers have challenged the policies of the government concerning the

defensive environment. Schwartau questions the legal policies that prohibit businesses from

assertively protecting their assets. (Schwartau, 2000) Welch and other officers at West Point

have observed that defensive warfare does not usually win the day. They have advocated a

change in the policy and the law to allow organizations to engage in active countermeasures

against their attackers. From the law and the published ethical standards of the professional


13/19


computer societies, we will be able to develop strategies and tools to defend against information

systems attacks.

Defensive Information Warfare Strategies

Given the constraints of 18 USC 1030 (a) (5) which prohibits the use of counterstrikes

against entities that attack an organizations computer systems, it is necessary to consider purely

defensive strategies for protecting the information infrastructure. These defensive strategies can

be characterized into two categories; deterrence and protective measures.

Deterrence

The objective of deterrence is to discourage potential hostile attackers from launching an

attack in the first place. At the international level, there are serious discussions about how to

prevent information warfare. Worden and France have proposed a deterrence strategy that

integrates information warfare deterrence with the general strategy of the United States regarding

deterring the use of weapons of mass destruction.(Worden & France, 2001) The prime minister

of Russia has been in discussions with the United Nations to discuss ways to ban information

warfare.(Blank, 2001) This should be taken as an example of how seriously other powers

consider the potential threat to their national infrastructure. Blank discusses how information

warfare is a risk to the concept of deterrence of the use of weapons of mass destruction. He goes

on to suggest that it may not be possible to deter information warfare attacks at the national

policy level because the attacks themselves are oriented at and disable the very monitoring

systems that are critical for that kind of approach to be viable.(Blank, 2001)

Given the problematic nature of attempting to prevent information warfare attacks using

national policy, we can consider systems and software engineering approaches that either stop an

attack from occurring or mitigate any potential damage. One deterrence approach that has been


14/19


suggested is to develop software that prevents computers from being used as the source of an

attack.(Bruschi & Rosti, 2000) This approach envisions the creations of filters that are installed

on computers that will monitor outgoing packets for characteristic types of activity and then

disable the ability to send that traffic. This approach is one that could be implemented by

operating system vendors as a part of a service update or a new release. Bruschi and Rosti have

developed a demonstration system for this concept. It applies packet filtering rules to the

outgoing packets when they are ready to be passed on to the data link layer. The packet flow is

checked against attack signatures of known attacks and blocked when an attack attempt is

detected.(Bruschi & Rosti, 2000) The appeal of this approach is found in the simplicity of the

implementation. The preventive measure is installed with the operating system and potential

attackers have to reconfigure the computer in order to make it useful as a means of attack.(2000)

Protective Measures

Protective measures are things that an organization can do to either block an attack or

recover quickly from an attack. One proposal for protecting database systems is to develop a way

to recover damaged data.(Panda & Giordano, 1998) This approach uses a modified transaction

log to store the record of transactions in a form that can be analyzed and used to recover the data

compromised in the attack. Panda and Giordano have developed paradigm for structuring

defensive activities. Their goals are stated very simply; protect, detect, and react.(Panda &

Giordano, 1999) Panda and Tripathy have taken the recovery of databases a step further by

developing a method for segmenting the transaction logs of a database server to reduce the

amount of time that is needed for detecting and repairing damaged sections of data.(Panda &

Tripathy, 2000) Continuing this work, Panda and Yalmanchili have developed another approach


15/19


to recovery that fuses bad transactions together in the log and facilitates their rapid removal and

the recovery of the data that was damaged in the process.(Panda & Yalamanchili, 2001)

Another approach to defense is to make the individual applications as durable as possible

and rely on the concept of "survival by defense."(Pal, Webber, & Schantz, 2001) The objective

of this approach in the words of the authors is We make a distinction between survival by

protection, which seeks to prevent the attacker from gaining privileges, and survival by defense,

which includes protection but also seeks to frustrate an attacker in case protection falls and the

attacker gains some privileges anyway.(Pal et al., 2001) In this strategy, it is possible to run

applications on untrustworthy systems because the application is secure in and of itself.

The United States Army has taken an interest in defensive strategies due to the

constraints of the law on counter actions against the hostile entity in the information attack. West

Point has developed The Information Analysis and Research (IWAR) laboratory as a tool for

training cadets and other in the techniques of defensive information warfare.(Lathrop, Conti, &

Ragsdale, 2003) This program has been a significant factor in instruction in both information

warfare and information assurance education at the academy. Liu and Zang have developed a

model for analyzing the attacker intent. From a defensive stand point, this type of modeling

allows defenders to tailor their responses to the level of the threat.(Liu & Zang, 2003)

Conclusions

The study of defensive information warfare is s relatively new area for information

technology management scholars. Despite the significant similarities and the reliance on the

body of information security literature for much of the understanding about the specific tasks that

must be done in defending an information system, this is an area that merits ongoing research.

When information managers can place their defensive measures in a context that is supportive of


16/19


national level desires to preserve the technological balance between this nation and its

adversaries, they then can leverage the efforts of others in order to improve their organizations

security.

Opportunities for further research include developing a costing model to quantify the true

costs of security to an organization and further development of defensive measures that can be

installed into the computer at the time of manufacture and protect that that system and older

systems without the upgraded systems.


17/19


References

ACM Code of Ethics and Professional Conduct. (1991). Recovered on 12/10/2003 from

http://www.acm.org.

Arquilla, J. (1998). Can information warfare ever be just?Ethics and Information Technology,

1(3), 203 - 212.

Arquilla, J., & Ronfeldt, D. (1999). The Advent of Netwar: Analytic Background. Studies in

Conflict & Terrorism, 22(3), 193-207.

Berkowitz, B. (2000). Information Warfare: Time to Prepare.Issues in Science & Technology,

17(2), 38-46.

Berkowitz, B., & Hahn, R. W. (2003). Cybersecurity: Who's Watching the Store?Issues in

Science & Technology, 19(3), 55-53.

Berkowitz, B. D. (1995). Warfare in the information age.Issues in Science & Technology, 11(1),

59-67.

Blank, S. (2001). Can Information Warfare Be Deterred?Defense Analysis, 17(2), 121-149.

Bruschi, D., & Rosti, E. (2000).Disarming offense to facilitate defense.Paper presented at the

2000 workshop on New security paradigms, Ballycotton, County Cork, Ireland.

Bunker, R. J. (2002). Battlespace Dynamics, Information Warfare to Netwar, and Bond-

Relationship Targeting. Small Wars & Insurgencies, 13(2), 97-108.

Cobb, A. (1999). Electronic Gallipoli?Australian Journal of International Affairs, 53(2), 133-

150.

Creveld, M. V. (1991). The Transformation of War. New York: Free Press.

Creveld, M. V. (2002). The Transformation of War Revisited. Small Wars & Insurgencies, 13(2),

3-16.


18/19


Davies, P. H. J. (1999). Information Warfare and the Future of the Spy.Information

Communication & Society, 2(2), 115-133.

Delibasis, D. (2002). The Right of States to Use Force in Cyberspace: Defining the Rules of

Engagement.Information & Communications Technology Law, 11(3), 255-269.

DiCenso, D. J. (1999). IW Cyberlaw.Airpower Journal, 13(2), 85-102.

Erbschloe, M., & Vacca, J. R. (2001).Information Warfare: How to Survive Cyber Attacks. New

York, NY: McGraw-Hill.

Grasso, A., & DeMarines, V. A. (2003). From dot-mil to dot-com.Armed Forces Journal

International, 140(5), 32-34.

Jensen, O. E. (1994). Information warfare: Principles of third-wave war.Airpower Journal, 6(4).

Lathrop, S. D., Conti, G. J., & Ragsdale, D. J. (2003). Information warfare in the trenches. In

Security education and critical infrastructures. Norwell, MA: Kluwer Academic

Publishers.

Liu, P., & Zang, W. (2003).Incentive-based modeling and inference of attacker intent, objectives,

and strategies.Paper presented at the 10th ACM conference on Computer and

communication security, Washington D.C., USA.

Molander, R. C., Wilson, P., & Mesic, R. F. (1998). Strategic Information Warfare Rising:

RAND Corporation.

Munro, N. (1996). Sketching a national information warfare defense plan. Communications of

the ACM, 39(11), 15-17.

Pal, P., Webber, F., & Schantz, R. (2001). Survival by defense-enabling.Paper presented at the

Workshop on New security paradigms, Cloudcroft, New Mexico.


19/19


Panda, B., & Giordano, J. (1998).An overview of post information warfare data recovery.Paper

presented at the ACM symposium on Applied Computing, Atlanta, Georgia.

Panda, B., & Giordano, J. (1999). Defensive information warfare. Communications of the ACM,

42(7), 30-32.

Panda, B., & Tripathy, S. (2000).Data dependency based logging for defensive information

warfare.Paper presented at the Symposium on Applied Computing, Como, Italy.

Panda, B., & Yalamanchili, R. (2001). Transaction Fusion in the Wake of Information Warfare.

Paper presented at the ACM symposium on Applied computing, Las Vegas, Nevada.

Schwartau, W. (1995).Information Warfare: Chaos on the Electronic Superhighway: Avalon

Publishing Group.

Schwartau, W. (2000). Asymmetrical Adversaries. Orbis, 44(2), 197-206.

Skibell, R. (2002). The Myth of the Computer Hacker.Information Communication & Society,

5(3), 336-356.

Smith, G. (1998). An electronic Pearl Harbor? Not likely.Issues in Science & Technology, 15(1),

68-73.

Worden, S. P., & France, M. E. B. (2001). Towards an Evolving Deterrence Strategy: Space and

Information Dominance. Comparative Strategy, 20(5), 453-466.

Documents

Defensive Information Warfare_A Literature Review.pdf