Notes from the book Information Warfare Principles and Operations by Edward Waltz

***

This ubiquitous and preeminent demand for information has shaped the current recognition that war fighters must be information warriors—capable of understanding the value of information in all of its roles: as knowledge, as target, as weapon.

• Data—Individual observations, measurements, and primitive messages form the lowest level. Human communication, text messages, electronic queries, or scientific instruments that sense phenomena are the major sources of data.

• Information—Organized sets of data are referred to as information. The organizational process may include sorting, classifying, or indexing and linking data to place data elements in relational context for subsequent searching and analysis.

• Knowledge—Information, once analyzed and understood, is knowledge. Understanding of information provides a degree of comprehension of both the static and dynamic relationships of the objects of data and the ability to model structure and past (and future) behavior of those objects. Knowledge includes both static content and dynamic processes. In the military context, this level of understanding is referred to as intelligence.

Information is critical for the processes of surveillance, situation assessment, strategy development, and assessment of alternatives and risks for decision making.

Information in the form of intelligence and the ability to forecast possible future outcomes distinguishes the best warriors.

The control of some information communicated to opponents, by deception (seduction and surprise) and denial (stealth), is a contribution that may provide transitory misperception to an adversary.

The supreme form of warfare uses information to influence the adversary’s perception to subdue the will rather than using physical force.

 

The objective of A is to influence and coerce B to act in a manner favorable to A’s objective. This is the ultimate objective of any warring party—to cause the opponent to act in a desired manner: to surrender, to err or fail, to withdraw forces, to cease from hostilities, and so forth. The attacker may use force or other available influences to achieve this objective. The defender may make a decision known to be in favor of A (e.g., to acknowledge defeat and surrender) or may fall victim to seduction or deception and unwittingly make decisions in favor of A.

Three major factors influence B’s decisions and resulting actions (or reactions) to A’s attack.

The capacity of B to act

The will of B to act

The perception of B

 

 

 

Information warfare operations concepts are new because of the increasing potential (or threat) to affect capacity and perception in the information and perception domains as well as the physical domain. These information operations are also new because these domains are vulnerable to attacks that do not require physical force alone. Information technology has not changed the human element of war. It has, however, become the preeminent means by which military and political decision makers perceive the world, develop beliefs about the conflict, and command their forces.

Information targets and weapons can include the entire civil and commercial infrastructure of a nation. The military has traditionally attacked military targets with military weapons, but IW introduces the notion that all national information sources and processes are potential weapons and targets.

Col. Richard Szafranski has articulated such a view, in which the epistemology (knowledge and belief systems) of an adversary is the central strategic target and physical force is secondary to perceptual force [6].

Economic and psychological wars waged over global networks may indeed be successfully conducted by information operations alone.

Information superiority is the end (objective) of information operations (in the same sense that air superiority is an objective), while the operations are the means of conduct (in the sense that tactical air power is but one tool of conflict).

Since the Second World War, the steady increase in the electronic means of collecting, processing, and communicating information has accelerated the importance of information in warfare in at least three ways.

First, intelligence surveillance and reconnaissance (ISR) technologies have extended the breadth of scope and range at which adversaries can be observed and targeted, extending the range at which forces engage. Second, computation and communication technologies supporting the command and control function have increased the rate at which information reaches commanders and the tempo at which engagements can be conducted. The third area of accelerated change is the integration of information technology into weapons, increasing the precision of their delivery and their effective lethality.

The shift is significant because the transition moves the object of warfare from the tangible realm to the abstract realm, from material objects to nonmaterial information objects. The shift also moves the realm of warfare from overt physical acts against military targets in “wartime” to covert information operations conducted throughout “peacetime” against even nonmilitary targets. This transition toward the dominant use of information (information-based warfare) and even the targeting of information itself (information warfare, proper) [8] has been chronicled by numerous writers.

 

 

According to the Tofflers, the information age shift is bringing about analogous changes in the conduct of business and warfare in ten areas.

1. Production—The key core competency in both business and warfare is information production.

In business, the process knowledge and automation of control, manufacturing, and distribution is critical to remain competitive in a global market; in warfare, the production of intelligence and dissemination of information is critical to maneuvering, supplying, and precision targeting.

2. Intangible values—The central resource for business and warfare has shifted from material values (property resources) to intangible information. The ability to apply this information discriminates between success and failure.
3. Demassification—As information is efficiently applied to both business and warfare, production processes are shifting from mass production (and mass destruction) to precision and custom manufacturing (and intelligence collection, processing, and targeting).
4. Worker specialization—The workforce of workers and warriors that performs the tangible activities of business and war is becoming increasingly specialized, requiring increased training and commitment to specialized skills.
5. Continuous change—Continuous learning and innovation characterize the business and workforces of information-based organizations because the information pool on which the enterprise is based provides broad opportunity for understanding and improvement. Peter Senge has described the imperative for these learning organizations in the new information-intensive world [12].
6. Scale of operations—As organizations move from mass to custom production, the teams of workers who accomplish tangible activities within organizations will become smaller, more complex teams with integrated capabilities. Business units will apply integrated process teams, and military forces will move toward integrated force units.
7. Organization—Organizations with information networks will transition from hierarchical structure (information flows up and down) toward networks where information flows throughout the organization. Military units will gain flexibility and field autonomy.

8.Management—Integrated, interdisciplinary units and management teams will replace “stovepiped” leadership structures of hierarchical management organizations.

9. Infrastructure—Physical infrastructures (geographic locations of units, physical placement of materials, physical allocation of resources) will give way to infrastructures that are based upon the utility of information rather than physical location, capability, or vulnerability.
10. Acceleration of processes—The process loops will become tighter and tighter as information is applied to deliver products and weapons with increasing speed. Operational concurrence, “just-in-time” delivery, and near-real-time control will characterize business and military processes.

 

 

 

an information-based age in which:

• Information is the central resource for wealth production and power.
• Wealth production will be based on ownership of information—the creation of knowledge and delivery of custom products based on that knowledge.
• Conflicts will be based on geoinformation competitions over ideologies and economies.
• The world is trisected into nations still with premodern agricultural capabilities (first wave), others with modern industrial age capabilities (second wave), and a few with postmodern information age capabilities (third wave).

 

The ultimate consequences, for not only wealth and warfare, will be the result of technology’s impact on infrastructure, which influences the social and political structure of nations, and finally, that impact on the global collection of nations and individuals.

Table 1.2 illustrates one cause-and-effect cascade that is envisioned. The table provides the representative sequence of influences, according to some futurists, that has the potential even to modify our current structure of nation states, which are defined by physical boundaries to protect real property.

 

“Cyberwar is Coming!” by RAND authors John Arquilla and David Ronfeldt distinguished four basic categories of information warfare based on the expanded global development of information infrastructures (Table 1.3) [16].

Net warfare (or netwar)—This form is information-related conflict waged against nation states or societies at the highest level, with the objective of disrupting, damaging, or modifying what the target population knows about itself or the world around it.

The weapons of netwar include diplomacy, propaganda and psychological campaigns, political and cultural subversion, deception or interference with the local media, infiltration of computer databases, and efforts to promote dissident or opposition movements across computer networks [17].

Political warfare—Political power, exerted by institution of national policy, diplomacy, and threats to move to more intense war forms, is the basis of political warfare between national governments.

Economic warfare—Conflict that targets economic performance through actions to influence economic factors (trade, technology, trust) of a nation intensifies political warfare from the political level to a more tangible level

Command and control warfare (C2W)—The most intense level is conflict by military operations that target opponent’s military command and control.

 

The relationships between these forms of conflict may be viewed as sequential and overlapping when mapped on the conventional conflict time line that escalates from peace to war before de-escalation to return to peace

Many describe netwar as an ongoing process of offensive, exploitation, and defensive information operations, with degrees of intensity moving from daily unstructured attacks to focused net warfare of increasing intensity until militaries engage in C2W.

Martin Libicki, has proposed seven categories of information warfare that identify specific type of operations [21].

1. Command and control warfare—Attacks on command and control systems to separate command from forces;
2. Intelligence-based warfare—The collection, exploitation, and protection of information by systems to support attacks in other warfare forms;
3. Electronic warfare—Communications combat in the realms of the physical transfer of information (radioelectronic) and the abstract formats of information (cryptographic);
4. Psychological warfare—Combat against the human mind;
5. Hacker warfare—Combat at all levels over the global information infrastructure;
6. Economic information warfare—Control of economics via control of information by blockade or imperialistic controls;
7. Cyber warfare—Futuristic abstract forms of terrorism, fully simulated combat, and reality control are combined in this warfare category and are considered by Libicki to be relevant to national security only in the far term.

 

Author Robert Steele has used two dimensions to distinguish four types of warfare.

Steele’s taxonomy is organized by dividing the means of conducting warfare into two dimensions.

• The means of applying technology to conduct the conflict is the first dimension. High-technology means includes the use of electronic information-based networks, computers, and data communications, while low-technology means includes telephone voice, newsprint, and paper-based information.
• The type of conflict is the second dimension, either abstract conflict (influencing knowledge and perception) or physical combat.

the principles of information operations apply to criminal activities at the corporate and personal levels (Table 1.5). Notice that these are simply domains of reference, not mutually exclusive domains of conflict; an individual (domain 3), for example, may attack a nation (domain 1) or a corporation (domain 2).

Numerous taxonomies of information warfare and its components may be formed, although no single taxonomy has been widely adopted.

1.5.1 A Functional Taxonomy of Information Warfare

A taxonomy may be constructed on the basis of information warfare objectives, functions (countermeasure tactics), and effects on targeted information infrastructures [29]. The structure of such a taxonomy (Figure 1.3) has three main branches formed by the three essential security properties of an information infrastructure and the objectives of the countermeasures for each.

Availability of information services (processes) or information (content) may be attacked to achieve disruption or denial objectives.

Integrity of information services or content may be attacked to achieve corruption objectives (e.g., deception, manipulation of data, enhancement of selective data over others).

Confidentiality (or privacy) of services or information may be attacked to achieve exploitation objectives.

• Detection—The countermeasure may be (1) undetected by the target, (2) detected on occurrence, or (3) detected at some time after the after occurrence.
• Response—The targeted system, upon detection, may respond to the countermeasure in several degrees: (1) no response (unprepared), (2) initiate audit activities, (3) mitigate further damage, (4) initiate protective actions, or (5) recover and reconstitute.

One type of attack, even undetected, may have minor consequences, for example, while another attack may bring immediate and cascading consequences, even if it is detected with response. For any given attack or defense plan, this taxonomy may be used to develop and categorize the countermeasures, their respective counter-countermeasures, and the effects to target systems.

the air force defines information warfare as any action to deny, exploit, corrupt, or destroy the enemy’s information and its functions; protecting ourselves against those actions; and exploiting our own military information functions.

 1.6 Expanse of the Information Warfare Battlespace

As indicated in the definitions, the IW battlespace extends beyond the information realm, dealing with information content and processes in all three realms introduced earlier in our basic functional model of warfare.

• The physical realm—Physical items may be attacked (e.g., destruction or theft of computers; destruction of facilities, communication nodes or lines, or databases) as a means to influence information. These are often referred to as “hard” attacks.
• The information infrastructure realm—Information content or processes may be attacked electronically (through electromagnetic transmission or over accessible networks, by breaching information security protections) to directly influence the information process or content without a physical impact on the target. These approaches have been distinguished as indirect or “soft” attacks.
• The perceptual realm—Finally, attacks may be directly targeted on the human mind through electronic, printed, or oral transmission paths. Propaganda, brainwashing, and misinformation techniques are examples of attacks in this realm.

 

Viewed from an operational perspective, information warfare may be applied across all phases of operations (competition, conflict, to warfare) as illustrated in Figure 1.5.

(Some lament the nomenclature “information warfare” because its operations are performed throughout all of the phases of traditional “peace.” Indeed, net warfare is not at all peaceful, but it does not have the traditional outward characteristics of war.)

Because information attacks are occurring in times of peace, the public and private sectors must develop a new relationship to perform the functions of indication and warning (I&W), security, and response.

1.7 The U.S. Transition to Information Warfare

The U.S. Joint Chiefs of Staff “Joint Vision 2010,” published in 1996, established “information superiority” as the critical enabling element that integrates and amplifies four essential operational components of twenty-first century warfare.

1. Dominant maneuver to apply speed, precision, and mobility to engage targets from widely dispersed units;
2. Precision engagement of targets by high-fidelity acquisition, prioritization of targets, and joint force command and control;
3. Focused logistics to achieve efficient support of forces by integrating information about needs, available transportation, and resources;
4. Full-dimension protection of systems processes and forces through awareness and assessment of threats in all dimensions (physical, information, perception).

Nuclear and information war are both technology-based concepts of warfare, but they are quite different. Consider first several similarities. Both war forms are conceptually feasible and amenable to simulation with limited scope testing, yet both are complex to implement, and it is difficult to accurately predict outcomes. They both need effective indications and warnings, targeting, attack tasking, and battle damage assessment. Nevertheless, the contrasts in the war forms are significant. Information warfare faces at least four new challenges beyond those faced by nuclear warfare.

The first contrast in nuclear and information war is the obvious difference in the physical effects and outward results of attacks. A nuclear attack on a city and an information warfare attack on the city’s economy and infrastructure may have a similar functionaleffect on its ability to resist an occupying force, but the physical effects are vastly different.

 

Second, the attacker may be difficult to identify, making the threat of retaliatory targeting challenging. Retaliation in kind and in proportion may be difficult to implement because the attacker’s information dependence may be entirely different than the defender’s.

The third challenge is that the targets of information retaliation may include private sector information infrastructures that may incur complex (difficult to predict) collateral damages.

Finally, the differences between conventional and nuclear attacks are distinct. This is not so with information operations that may begin as competition, escalate to conflict, and finally erupt in to large-scale attacks that may have the same functional effects as some nuclear attacks.

In the future, the IW continuum may be able to smoothly and precisely escalate in the dimensions of targeting breadth, functional coverage, and impact intensity. (This does not imply that accurate effects models exist today and that the cascading effects of information warfare are as well understood as nuclear effects, which have been thoroughly tested for over three decades.)

1.8 Information Warfare and the Military Disciplines

Organized information conflict encompasses many traditional military disciplines, requiring a new structure to orchestrate offensive and defensive operations at the physical, information, and perceptual levels of conflict.

1.9 Information and Peace

Information technology not only provides new avenues for conflict and warfare, but it also provides new opportunities for defense, deterrence, deescalation, and peace.

In War and Anti-War, the Tofflers argue that while the third-wave war form is information warfare, the third-wave peace form is also driven by the widespread availability of information to minimize misunderstanding of intentions, actions, and goals of competing parties. Even as information is exploited for intelligence purposes, the increasing availability of this information has the potential to reduce uncertainty in nation states’ understanding of each other. Notice, however, that information technology is a two-edged sword, offering the potential for cooperation and peace, or its use as an instrument of conflict and war. As with nuclear technology, humankind must choose the application of the technology.

information resources provide powerful tools to engage nations in security dialogue and to foster emerging democracies by the power to communicate directly to those living under hostile, undemocratic regimes. The authors recommended four peace-form activities that may be tasked to information peacemakers.

1. Engage undemocratic states and aid democratic traditions—Information tools, telecommunications, and broadcast and computer networks provide a means to supply accurate news and unbiased editorials to the public in foreign countries, even where information is suppressed by the leadership.
2. Protect new democracies—Ideological training in areas such as democratic civil/military relationships can support the transfer from military rule to democratic societies.
3. Prevent and resolve regional conflicts—Telecommunication and network information campaigns provide a means of suppressing ethnonationalist propaganda while offering an avenue to provide accurate, unbiased reports that will abate rather than incite violence and escalation.
4. Deter crime, terrorism, and proliferation, and protect the environment—Information resources that supply intelligence, indications and warnings, and cooperation between nations can be used to counter transnational threats in each of these areas.

1.10 The Current State of Information Warfare

At the writing of this book, it has been well over a decade since the concept of information warfare was introduced as a critical component of the current revolution in military affairs (RMA).

1.10.1 State of the Military Art

The U.S. National Defense University has established a School of Information Warfare and Strategy curriculum for senior officers to study IW strategy and policy and to conduct directed research at the strategic level.

The United States is investigating transitional and future legal bases for the conduct of information warfare because the character of some information attacks (anonymity, lack of geospatial focus, ability to execute without a “regulated force” of conventional “combatants,” and use of unconventional information weapons) are not consistent with current accepted second-wave definitions in the laws of armed conflict.

1.10.2 State of Operational Implementation

The doctrine of information dominance (providing dominant battlespace awareness and battlespace visualization) has been established as the basis for structuring all command and control architectures and operations. The services are committed to a doctrine of joint operations, using interoperable communication links and exchange of intelligence, surveillance, and reconnaissance (ISR) in a global command and control system (GCCS) with a common software operating environment (COE).

1.10.3 State of Relevant Information Warfare Technology

The technology of information warfare, unlike previous war forms, is driven by commercial development rather than classified military research and development.

Key technology areas now in development include the following:

• Intelligence, surveillance, and reconnaissance (ISR) and command and control (C2) technologies provide rapid, accurate fusion of all-source data and mining of critical knowledge to present high-level intelligence to information warfare planners. These technologies are applied to understand geographic space (terrain, road networks, physical features) as well cyberspace (computer networks, nodes, and link features).
• Information security technologies include survivable networks, multilevel security, network and communication security, and digital signature and advanced authentication technologies.
• Information technologies, being developed in the commercial sector and applicable to information-based warfare, include all areas of network computing, intelligent mobile agents to autonomously operate across networks, multimedia data warehousing and mining, and push-pull information dissemination.
• Electromagnetic weapon technologies, capable of nonlethal attack of information systems for insertion of information or denial of service.
• Information creation technologies, capable of creating synthetic and deceptive virtual information (e.g., morphed video, synthetic imagery, duplicated virtual realities).

1.11 Summary

Information warfare is real. Information operations are being conducted by both military and non-state-sponsored organizations today. While the world has not yet witnessed nor fully comprehended the implications of a global information war, it is now enduring an ongoing information competition with sporadic conflicts in the information domain.

 

Szafranski, R., (Col. USAF), “A Theory of Information Warfare: Preparing for 2020,” Airpower Journal, Vol. 9, No. 1, Spring 1995.

Part I
Information-Based Warfare

Information, as a resource, is not like the land or material resources that were central to the first and second waves.

Consider several characteristics of the information resource that make it unique, and difficult to quantify.

• Information is abstract—It is an intangible asset; it can take the form of an entity (a noun—e.g., a location, description, or measurement) or a process (a verb—e.g., a lock combination, an encryption process, a patented chemical process, or a relationship).
• Information has multiple, even simultaneous uses—The same unit of information (e.g., the precise location and frequency of a radio transmitter) can be used to exploit the transmissions, to selectively disrupt communications, or to precisely target and destroy the transmitter. Information about the weather can be used simultaneously by opposing forces, to the benefit of both sides.
• Information is inexhaustible, but its value may perish with time—Information is limitless; it can be discovered, created, transformed, and repeated, but its value is temporal: recent information has actionable value, old information may have only historical value.
• Information’s relationship to utility is complex and nonlinear—The utility or value of information is not a function simply of its volume or magnitude. Like iron ore, the utility is a function of content, or purity; it is a function of the potential of data, the content of information, and the impact of knowledge in the real world. This functional relationship from data to the impact of knowledge is complex and unique to each application of information technology.

2.1 The Meaning of Information

The observation process acquires data about some physical process (e.g., combatants on the battlefield, a criminal organization, a chemical plant, an industry market) by the measurement and quantification of observed variables. The observations are generally formatted into reports that contain items such as time of observation, location, collector (or sensor or source) and measurements, and the statistics describing the level of confidence in those measurements. An organization process converts the data to information by indexing the data and organizing it in context (e.g., by spatial, temporal, source, content, or other organizing dimensions) in an information base for subsequent retrieval and analysis. The understanding process creates knowledge by detecting or discovering relationships in the information that allow the data to be explained, modeled, and even used to predict future behavior of the process being observed. At the highest (and uniquely human) level, wisdom is the ability to effectively apply knowledge to implement a plan or action to achieve a desired goal or end state.

We also use the terminology creation or discovery to refer to the effect of transforming data into useful knowledge. Several examples of discovering previously unknown knowledge by the processes of analyzing raw data include the detection or location of a battlefield target, the identification of a purchasing pattern in the marketplace, distinguishing a subtle and threatening economic action, the cataloging of the relationships between terrorist cells, or the classification of a new virus on a computer network.

The authors of the Measurement of Meaning have summed up the issue:

[Meaning] certainly refers to some implicit process or state which must be inferred from observables, and therefore it is a sort of variable that contemporary psychologists would avoid dealing with as long as possible. And there is also, undoubtedly, the matter of complexity—there is an implication in the philosophical tradition that meanings are uniquely and infinitely variable, and phenomena of this kind do not submit readily to measurement [2].

In the business classic on the use of information, The Virtual Corporation, Davidow and Malone [3] distinguish four categories of information (Table 2.2).

• Content information—This describes the state of physical or abstract items. Inventories and accounts maintain this kind of information; the military electronic order of battle (EOB) is content information.
• Form information—This describes the characteristics of the physical or abstract items; the description of a specific weapon system in the EOB is a form.
• Behavior information—In the form of process models this describes the behavior of objects or systems (of objects); the logistics process supporting a division on the battlefield, for example, may be modeled as behavior information describing supply rate, capacity, and volume.
• Action information—This is the most complex form, which describes reasoning processes that convert information to knowledge, upon which actions can be taken. The processes within command and control decision support tools are examples of Davidow’s action information category.

In a classic text on strategic management of information for business, Managing Information Strategically, the authors emphasized the importance of understanding its role in a particular business to develop business strategy first, then to develop information architectures.

• Information leverage—In this strategy, IT enables process innovation, amplifying competitive dimensions. An IBW example of this strategy is the application of data links to deliver real-time targeting to weapons (sensor-to-shooter applications) to significantly enhance precision and effectiveness.

Information product—This strategy captures data in existing processes to deliver information or knowledge (a by-product) that has a benefit (market value) in addition to the original process. Intelligence processes in IBW that collect vast amounts of data may apply this strategy to utilize the inherent information by-products more effectively. These by-products may support civil and environmental applications (markets) or support national economic competitive processes [6].

• Information business—The third strategy “sells” excess IT capacity, or information products and services. The ability to share networked computing across military services or applications will allow this strategy to be applied to IBW applications, within common security boundaries.

2.2 Information Science

We find useful approaches to quantifying data, information, and knowledge in at least six areas: the epistemology and logic branches of philosophy, the engineering disciplines of information theory and decision theory, the semiotic theory, and knowledge management. Each discipline deals with concepts of information and knowledge from a different perspective, and each contributes to our understanding of these abstract resources. In the following sections, we summarize the approach to define and study information or knowledge in each area.

2.2.1 Philosophy (Epistemology)

The study of philosophy, concerned with the issues of meaning and significance of human experience, presumes the existence of knowledge and focuses on the interpretation and application of knowledge. Because of this, we briefly consider the contribution of epistemology, the branch of philosophy dealing with the scope and extent of human knowledge, to information science.

Representative of current approaches in epistemology, philosopher Immanuel Kant [7] distinguished knowledge about things in space and time (phenomena) and knowledge related to faith about things that transcend space and time (noumena). Kant defined the processes of sensation, judgment, and reasoning that are applied to derive knowledge about the phenomena. He defined three categories of knowledge derived by judgment:

(1) analytic a priori knowledge is analytic, exact, and certain (such as purely theoretical, imaginary constructs like infinite straight lines), but often uninformative about the world in which we live;

(2) synthetic a priori knowledge is purely intuitive knowledge derived by abstract synthesis (such as purely mathematical statements and systems like geometry, calculus, and logic), which is exact and certain; and

(3) synthetic a posteriori knowledge about the world, which is subject to human sense and perception errors.

2.2.2 Philosophy (Logic)

Philosophy has also contributed the body of logic that has developed the formal methods to describe reasoning. Logic uses inductive and deductive processes that move from premises to conclusions through the application of logical arguments.

The general characteristics of these forms of reasoning can be summarized.

1. Inductive arguments can be characterized by a “degree of strength” or “likelihood of validity,” while deductive arguments are either valid (the premises are true and the conclusion must always be true) or invalid (as with the non sequitur, in which the conclusion does not follow from the premises). There is no measure of degree or uncertainty in deductive arguments; they are valid or invalid—they provide information or nothing at all.
2. The conclusions of inductive arguments are probably, but not necessarily, true if all of the premises are true because all possible cases can never be observed. The conclusions of a deductive argument must be true if all of the premises are true (and the argument logic is correct).
3. Inductive conclusions contain information (knowledge) that was not implicitly contained in the premises. Deductive conclusions contain information that was implicitly contained in the premises. The deductive conclusion makes that information (knowledge) explicit.

To the logician, deduction cannot provide “new knowledge” in the sense that the conclusion is implicit in the premises.

2.2.3 Information Theory

The engineering science of information theory provides a statistical method for quantifying information for the purpose of analyzing the transmission, formatting, storage, and processing of information.

 

2.2.4 Decision Theory

Decision theory provides analytical means to make decisions in the presence of uncertainty and risk by choosing among alternatives. The basis of this choice is determined by quantifying the relative consequences of each alternative and choosing the best alternative to optimize some objective function.

Decision theory distinguishes two categories of utility functions that provide decision preferences on the basis of value or risk [12].

• Value—These utility functions determine a preferred decision on the basis of value metrics where no uncertainty is present.
• Risk—These functions provide a preferred decision in the presence of uncertainty (and therefore a risk that the decision may not deliver the highest utility).

While not offering a direct means of measuring information per se, utility functions provide a means of measuring the effect of information on the application in which it is used. The functions provide an intuitive means of measuring effectiveness of information systems.

2.2.5 Semiotic Theory

1. S. Peirce (1839–1914) introduced philosophical notions, including a “semiotic” logic system that attempts to provide a “critical thinking” method for conceptual understanding of observations (data) using methods of exploratory data analysis [13]. This system introduced the notion of abduction as a means of analyzing and providing a “best explanation” for a set of data. Expanding on the inductive and deductive processes of classical logic, Peirce viewed four stages of scientific inquiry [14].

• Abduction explores a specific set of data and creates plausible hypotheses to explain the data.
• Deduction is then applied to refine the hypothesis and develops a testable means of verifying the hypothesis using other premises and sets of data.
• Induction then develops the general explanation that is believed to apply to all sets of data viewed together in common. This means the explanation should apply to future sets of data.
• Deduction is finally applied, using the induced template to detect the presence of validated explanations to future data sets.

2.2.6 Knowledge Management

The management of information, in all of its forms, is a recognized imperative in third-wave business as well as warfare. The discipline of “knowledge management” developed in the business domain emphasizes both information exploitation (identified in Table 2.5) and information security as critical for businesses to compete in the third-wave marketplace.

Information Value (I v ) = [Assets − Liabilities] − Total Cost of Ownership

Where, assets include
At = The assets derived from the information at time of arrival

An = The assets if the information did not arrive;
Lt = The liabilities derived from the information at time of arrival;

Ln = The liabilities if the information did not arrive;
In = Total cost associated with the information;
I1 = The cost to generate the information;
I2 = The cost to format the information;
I3 = The cost to reformat the information;
I4 = The cost to duplicate the information;
I5 = The cost to transmit or transport the information (distribute);

I6 = The cost to store the information;
I7 = The cost to use the information, including retrieval.

 

The objective of knowledge management is ultimately to understand the monetary value of information. These measures of the utility of information in the discipline of business knowledge management are based on capital values.

 

2.4 Measuring the Utility of Information in Warfare

The relative value of information can be described in terms of the information performance within the information system, or in terms of the effectiveness (which relates the utility), or the ultimate impact of information on the user.

Utility is a function of both the accuracy and timeliness of information delivered to the user. The utility of estimates of the state of objects, complex situations, or processes is dependent upon accuracies of locations of objects, behavioral states, identities, relationships, and many other factors. Utility is also a function of the timeliness of information, which is often perishable and valueless after a given period. The relationships between utility and many accuracy and timeliness variables are often nonlinear and always highly dependent upon both the data collection means and user application.

The means by which the utility of information and derived knowledge is enhanced in practical systems usually includes one (or all) of four categories of actions.

• Acquire the right data—The type, quality, accuracy, timeliness, and rate of data collected have a significant impact on knowledge delivered.
• Optimize the extraction of knowledge—The processes of transforming data to knowledge may be enhanced or refined to improve efficiency, throughput, end-to-end speed, or knowledge yield.
• Distribute and apply the knowledge—The products of information processes must be delivered to users on time, in understandable formats, and in sufficient quantity to provide useful comprehension to permit actions to be taken.
• Ensure the protection of information—In the competitive and conflict environments, information and the collection, processing, and distribution channels must be protected from all forms of attack. Information utility is a function of both reliability for and availability to the user.

Metrics in a typical military command and control system that may be used to measure information performance, effectiveness, and military utility, respectively.

• Sensor detection performance at the data level influences the correlation performance that links sensor data, and therefore the inference process that detects an opponent’s hostile action (event).
• Event detection performance (timeliness and accuracy) influences the effectiveness of reasoning processes to assess the implications of the event.
• Effectiveness of the assessment of the impact on military objectives influences the decisions made by commanders and, in turn, the outcome of those responses. This is a measure of the utility of the entire information process. It is at this last step that knowledge is coupled to military decisions and ultimately to military utility.

2.5 Translating Science to Technology

information, as process and content, is neither static nor inorganic. To view information as the static organized numbers in a “database” is a limited view of this resource. Information can be dynamic process models, capable of describing complex future behavior based on current measurements. Information also resides in humans as experience, “intuitive” knowledge, and other perceptive traits that will always make the human the valuable organic element of information architectures.

3

The Role of Technology in Information-Based Warfare

We now apply the information science principles developed in the last chapter to describe the core informationprocessing methods of information-based warfare: acquisition of data and creation of “actionable” knowledge.

The knowledge-creating process is often called exploitation—the extraction of military intelligence (knowledge) from collected data. These are the processes at the heart of intelligence, surveillance, and reconnaissance (ISR) systems and are components of most command and control (C2) systems. These processes must be understood because they are, in effect, the weapon factories of information-based warfare and the most lucrative targets of information warfare [1].

3.1 Knowledge-Creation Processes

Knowledge, as described in the last chapter, is the result of transforming raw data to organized information, and then to explanations that model the process from which the data was observed. The basic reasoning processes that were introduced to transform data into understandable knowledge apply the fundamental functions of logical inference.

In each reasoning case, collected data is used to make more general or more specific inferences about patterns in the data to detect the presence of entities, events, or relationships that can be used to direct the actions of the user to achieve some objective.

In the military or information warfare domain, these methods are used in two ways. First, both abduction (dealing with specific cases) and induction (extending to general application) are used to learn templates that describe discernible patterns of behavior or structure (of an opponent). Because both are often used, we will call this stage abduction-induction [2].

Second, deductive processes are used in the exploitation or intelligence analysis to detect and understand situations and threats based on the previously learned patterns. This second phase often occurs in a hierarchy of knowledge elements.

3.2 Knowledge Detection and Discovery

Two primary categories of knowledge-creation processes can be distinguished, based on their approach to inference. Each is essential to information-based warfare exploitation processes that seek to create knowledge from volumes of data described.

The abductive-inductive process, data mining, discovers previously unrecognized patterns in data (new knowledge about characteristics of an unknown pattern class) by searching for patterns (relationships in data) that are in some sense “interesting.” The discovered candidates are usually presented to human users for analysis and validation before being adopted as general cases.

The deductive exploitation process, data fusion, detects the presence of previously known patterns in many sources of data (new knowledge about the existence of a known pattern in the data) by searching for specific templates in sensor data streams to understand a local environment.

datasets used by these processes for knowledge creation are incomplete and dynamic and contain data contaminated by noise. These factors make the following process characteristics apply:

• Pattern descriptions—Data mining seeks to induce general pattern descriptions (reference patterns, templates, or matched filters) to characterize data understood, while data fusion applies those descriptions to detect the presence of patterns in new data.
• Uncertainty in inferred knowledge—The data and reference patterns are uncertain, leading to uncertain beliefs or knowledge.
• Dynamic state of inferred knowledge—The process is sequential and inferred knowledge is dynamic, being refined as new data arrives.
• Use of domain knowledge—Knowledge about the domain (e.g., constraints or context) may be used in addition to observed data.

 

3.3 Knowledge Creation in the OODA Loop

The observe-orient-decide-act (OODA) model of command and control introduced earlier in Chapter 1 may now be expanded to show the role of the knowledge-creation processes in the OOD stages of the loop. Figure 3.3 details these information functions in the context of the loop.

Observe functions include technical and human collection of data. Sensing of signals, pixels, and words (signals, imagery, and human intelligence) forms the core of information-based warfare observation.

Orient functions include data mining to discover or learn previously unknown characteristics in the data that can be used as templates for detection and future prediction in data fusion processes.

Decide functions include both automated and human processes. Simple, rapid responses can be automated upon the detection of preset conditions, while the judgment of human commanders is required for more complex, critical decisions that allow time for human intervention.

3.4 Deductive Data Fusion

Data fusion is an adaptive knowledge-creation process in which diverse elements of similar or dissimilar observations (data) are aligned, correlated, and combined into organized and indexed sets (information), which are further assessed to model, understand, and explain (knowledge) the makeup and behavior of a domain under observation

The process is performed cognitively by humans in daily life (e.g., combining sight, sound, and smells to detect a threat) and has long been applied for manual investigations in the military, intelligence, and law enforcement. In recent decades, the automation of this process has been the subject of intense research and development within the military, particularly to support intelligence and command and control

Deduction is performed at the data, information, and knowledge levels.

The U.S. DoD Joint Directors of Laboratories (JDL) have established a reference process model of data fusion that decomposes the process into four basic levels of information-refining processes (based upon the concept of levels of information abstraction).

• Level 1: object refinement—Correlation of all data to refine individual objects within the domain of observation. (The JDL model uses the term object to refer to real-world entities; however, the subject of interest may be a transient event in time as well.)
• Level 2: situation refinement—Correlation of all objects (information) within the domain to assess the current situation.
• Level 3: meaning refinement—Correlation of the current situation with environmental and other constraints to project the meaning of the situation (knowledge). (The meaning of the situation refers to its implications to the user, such as threat, opportunity, or change. The JDL adopted the terminology threat refinement for this level; however, we adopt meaning refinement as a more general term encompassing broader applications than military threats.)
• Level 4: process refinement—Continual adaptation of the fusion process to optimize the delivery of knowledge against a defined knowledge objective.

The technology development in data fusion has integrated disciplines such as the computer sciences, signal processing, pattern recognition, statistical analysis, and artificial intelligence to develop R&D and operational systems.

3.5 Abductive-Inductive Data Mining

Data mining is a knowledge-creation process in which large sets of data (in data warehouses) are cleansed and transformed into organized and indexed sets (information), which are then analyzed to discover hidden and implicit but previously undefined patterns that reveal new understanding of general structure and relationships (knowledge) in the data of a domain under observation.

The object of discovery is a “pattern,” which is defined as a statement in some language, L, that describes relationships in subset Fs of a set of data F such that:

1. The statement holds with some certainty, c;
2. The statement is simpler (in some sense) than the enumeration of all facts in Fs [11].

Mined knowledge, then, is formally defined as a pattern that is (1) interesting, according to some user-defined criterion, and (2) certain to a userdefined measure of degree.

Data mining (also called knowledge discovery) is distinguished from data fusion by two key characteristics.

• Inference method—Data fusion employs known patterns and deductive reasoning, while data mining searches for hidden patterns using abductive-inductive reasoning.
• Temporal perspective—The focus of data fusion is retrospective (determining current state based on past data), while data mining is both retrospective and prospective, focused on locating hidden patterns that may reveal predictive knowledge.

While there is no standard reference model for fusion, the general stages of the process as shown in Figure 3.5 illustrate a similarity to the data fusion process [14–16]. Beginning with sensors and sources, the data warehouse is populated with data, and successive functions move the data toward learned knowledge at the top. The sources, queries, and mining processes may be refined, similar to data fusion. The functional stages in the figure are described in the sections that follow.

Data Warehouse

Data from many sources are collected and indexed in the warehouse, initially in the native format of the source. One of the chief issues facing many mining operations is the reconciliation of diverse databases that have different formats (e.g., field and record sizes or parameter scales), incompatible data definitions, and other differences. The warehouse collection process (flow-in) may mediate between these input sources to transform the data before storing in common form [17].

Data Cleansing

The warehoused data must be inspected and cleansed to identify and correct or remove conflicts, incomplete sets, and incompatibilities common to combined databases. Cleansing may include several categories of checks.

• Uniformity checks verify the ranges of data, determine if sets exceed limits, and verify that formats versions are compatible.
• Completeness checks evaluate the internal consistency of datasets to make sure , for example, that aggregate values are consistent with individual data components (e.g., “verify that total sales is equal to sum of all regional sales, and that data for all sales regions is present”).
• Conformity checks exhaustively verify that each index and reference exists.
• Genealogy checks generate and check audit trails to primitive data to permit analysts to “drill down” from high-level information.

Data Selection and Transformation

The types of data that will be used for mining are selected on the basis of relevance. For large operations, initial mining may be performed on a small set, then extended to larger sets to check for the validity of abducted patterns. The selected data may then be transformed to organize all data into common dimensions and to add derived dimensions as necessary for analysis.

Data Mining Operations

Mining operations may be performed in a supervised manner in which the analyst presents the operator with a selected set of “training” data in which the analyst has manually determined the existence of pattern classes.

Discovery Modeling

Prediction or classification models are synthesized to fit the data patterns detected. This is the proscriptive aspect of mining: modeling the historical data in the database (the past) to provide a model to predict the future.

Visualization

The human analyst uses visualization tools that allow discovery of interesting patterns in the data. The automated mining operations “cue” the operator to

discovered patterns of interest (candidates), and the analyst then visualizes the pattern and verifies if, indeed, it contains new and useful knowledge.

On-line analytic processing (OLAP) refers to the manual visualization process in which a data manipulation engine allows the analyst to create data views from the human perspective, and to perform the following categories of functions:

1. Multidimensional analysis of the data across dimensions, through relationships (e.g., hierarchies), and in perspectives natural to the analyst (rather than inherent in the data);
2. Transformation of the viewing dimensions or slicing of the multidimensional array to view a subset of interest;
3. Drill down into the data from high levels of aggregation, downward into successively deeper levels of information;
4. Reach through from information levels to the underlying raw data, including reaching beyond the information base back to raw data by the audit trail generated in genealogy checking;
5. Modeling of hypothetical explanations of the data, in terms of trend analysis and extrapolations.

Refinement Feedback

The analyst may refine the process by adjusting the parameters that control the lower level processes, as well as requesting more or different data on which to focus the mining operations.

3.6 Integrating Information Technologies

On-line analytic processing (OLAP) refers to the manual visualization process in which a data manipulation engine allows the analyst to create data views from the human perspective, and to perform the following categories of functions:

1. Multidimensional analysis of the data across dimensions, through relationships (e.g., hierarchies), and in perspectives natural to the analyst (rather than inherent in the data);
2. Transformation of the viewing dimensions or slicing of the multidimensional array to view a subset of interest;
3. Drill down into the data from high levels of aggregation, downward into successively deeper levels of information;
4. Reach through from information levels to the underlying raw data, including reaching beyond the information base back to raw data by the audit trail generated in genealogy checking;
5. Modeling of hypothetical explanations of the data, in terms of trend analysis and extrapolations.

 

3.6 Integrating Information Technologies

It is natural that a full reasoning process would integrate the discovery processes of data mining with the detection processes of data fusion to coordinate learning and application activities.

(Nonliteral target signatures refer to those signatures that extend across many diverse observation domains and are not intuitive or apparent to analysts, but may be discovered only by deeper analysis of multidimensional data.)

3.7 Summary

The automation of the reasoning processes of abduction, induction, and deduction provides the ability to create actionable knowledge (military intelligence) from large volumes of data collected in IBW. As the value of information increases in all forms of information warfare, even more so is the importance of developing these reasoning technologies. While the scope of the global information infrastructure (and global sensing) increases, these technologies are required to extract meaning (and commercial value) from the boundless volumes of data available.

Data fusion and mining processes are yet on the initial slope of the technology development curve, and development is fueled by significant commercial R&D investments. Integrated reasoning tools will ultimately provide robust discovery and detection of knowledge for both business competition and information warfare.

4

Achieving Information Superiority Through Dominant Battlespace Awareness and Knowledge

The objective of information-based warfare is ultimately to achieve military goals with the most efficient application of information resources. Fullspectrum dominance is the term used to describe this effective application of military power by information-based planning and execution of military opera-tions. The central objective is the achievement of information superiority or dominance. Information superiority is the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary’s ability to do the same. It is that degree of dominance in the information domain that permits the conduct of operations without effective opposition

Dominant battlespace awareness (DBA)—The understanding of the current situation based, primarily, on sensor observations and human sources;

Dominant battlespace knowledge (DBK)—The understanding of the meaning of the current situation, gained from analysis (e.g., data fusion or simulation).

DBK is dependent upon DBA, and DBA is dependent on the sources of data that observe the battlespace. Both are necessary for information superiority.

4.1 Principles of Information Superiority

Information superiority is a component of an overall strategy for application of military power and must be understood in that context.

Massed effects are achieved by four operating concepts that provide a high degree of synergy from widely dispersed forces that perform precision targeting of high-lethality weapons at longer ranges.

1. Dominant maneuver—Information superiority will allow agile organizations with high-mobility weapon systems to attack rapidly at an aggressor’s centers of gravity across the full depth of the battlefield. Synchronized and sustained attacks will be achieved by dispersed forces, integrated by an information grid.
2. Precision engagement—Near-real-time information on targets will permit responsive command and control, and the ability to engage and reengage targets with spatial and temporal precision (“at the right place, just at the right time”).
3. Focused logistics—Information superiority will also enable efficient delivery of sustainment packages throughout the battlefield, optimizing the logistic process.
4. Full-dimension protection—Protection of forces during deployment, maneuver, and engagement will provide freedom of offensive actions and can be achieved only if superior information provides continuous threat vigilance.

Information superiority must create an operational advantage to benefit the applied military power and can be viewed as a precondition for these military operations in the same sense that air superiority is viewed as a precondition to certain strategic targeting operations.

DBA provides a synoptic view, in time and space, of the conflict and supplies the commander with a clear perception of the situation and the consequences of potential actions. It dispels the “fog of war” described by Clausewitz.

To be effective, DBA/DBK also must provide a consistent view of the battlespace, distributed to all forces—although each force may choose its own perspective of the view. At the tactical level, a continuous dynamic struggle occurs between sides, and the information state of a side may continuously change from dominance, to parity, to disadvantage.

The information advantage delivered by DBA/DBK has the potential to deliver four categories of operational benefits:

Battlespace preparation—Intelligence preparation of the battlespace (IPB) includes all activities to acquire an understanding of the physical, political, electronic, cyber, and other dimensions of the battlespace. Dimensions such as terrain, government, infrastructure, electronic warfare, and telecommunication/computer networks are mapped to define the structure and constraints of the battlespace [10]. IPB includes both passive analysis and active probing of specific targets to detail their characteristics. Orders of battle and decision-making processes are modeled, vulnerabilities and constraints on adversaries’ operations are identified, and potential offensive responses are predicted. The product of this function is comprehension of the battlespace environment.

Battlespace surveillance and analysis—Continuous observation of the battlespace and analysis of the collective observations provide a detailed understanding of the dynamic states of individual components, events, and behaviors from which courses of action and intents can be inferred. The product is comprehensive state information.

Battlespace visualization—This is the process by which the commander (1) develops a clear understanding of the current state with relation to the enemy and environment, (2) envisions a desired end state that represents mission accomplishment, and then (3) subsequently visualizes the sequence of activities that moves the commander’s force from its current state to the end state. The product of this visualization is human comprehension and a comprehensive plan.

Battlespace awareness dissemination—Finally, the components of awareness and knowledge are distributed to appropriate participants at appropriate times and in formats compatible with their own mission. The product here is available and “actionable” knowledge.

4.1.1 Intelligence, Surveillance, and Reconnaissance (ISR)

Intelligence, the information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding, is the product that provides battlespace awareness.

The process that delivers strategic and operational intelligence products is generally depicted in cyclic form (Figure 4.3), with six distinct phases :

• Collection planning—Government and military decision makers define, at a high level of information abstraction, the knowledge that is required to make policy, strategy, or operational decisions. The requests are parsed into information required to deduce the required answers. This list of information is further parsed into the individual elements of data that must be collected to form that required information base. The required data is used to establish a plan of collection, which details the elements of data needed and the targets (people, places, and things) from which the data may be obtained.
• Collection—Following the plan, human and technical sources of data are tasked to perform the collection. Table 4.4 summarizes the major collection sources, which include both open and closed access sources and human and technical means of acquisition.
• Processing—The collected data is indexed and organized in an information base, and progress on meeting the requirements of the collection plan is monitored. As a result of collection, this organized data may adjust the plan on the basis of received data.
• Analysis—The organized information base is processed using deductive inference techniques (described earlier in Chapter 3) that fuse all source data in an attempt to answer the requester’s questions.
• Production—Intelligence may be produced in the format of dynamic visualizations on a war fighter’s weapon system or in formal reports to policymakers. Three categories of formal strategic and tactical intelligence reports are distinguished by their past, present, and future focus: (1) current intelligence reports are news-like reports that describe recent events or indications and warnings; (2) basic intelligence reports provide complete descriptions of a specific situation (order of battle or political situation, for example); and (3) intelligence estimates attempt to predict feasible future outcomes as a result of current situations, constraints, and possible influences [16].
• Application—The intelligence product is disseminated to the user, providing answers to queries and estimates of accuracy of the product delivered. Products range from strategic intelligence estimates in the form of large hardcopy or softcopy documents for policy makers, to real-time displays that visualize battlespace conditions for a war fighter.

 

4.1.1.1 Sources of Intelligence Data

A taxonomy of intelligence data sources (Table 4.4) includes sources that are openly accessible or closed

two HUMINT sources are required to guide the technical intelligence sources. HUMINT source A provides insight into trucking routes to be used, allowing video surveillance to be focused on most likely traffic points. HUMINT source B, closely related to crop workers, monitors the movements of harvesting crews, providing valuable cueing for airborne sensors to locate crops and processing facilities. The technical sources also complement the HUMINT sources by providing verification of uncertain cues and hypotheses for the HUMINT sources to focus attention.

4.1.1.3 Automated Intelligence Processing

The intelligence process must deal with large volumes of source data, converting a wide range of text, imagery, video, and other media types into processed products. Information technology is providing increased automation of the information indexing, discovery, and retrieval (IIDR) functions for intelligence, especially the exponentially increasing volumes of global OSINT

The information flow in an automated or semiautomated facility (depicted in Figure 4.5) requires digital archiving and analysis to ingest continuous streams of data and manage large volumes of analyzed data. The flow can be broken into three phases: capture and compile, preanalysis, and exploitation (analysis).

The preanalysis phase indexes each data item (e.g., article, message, news segment, image, or book chapter) by (1) assigning a reference for storage; (2) generating an abstract that summarizes the content of the item and metadata describing the source, time, reliability-confidence, and relation to other items (“abstracting”); and (3) extracting critical descriptors that characterize the contents (e.g., keywords) or meaning (“deep indexing”) of the item for subsequent analysis. Spatial data (e.g., maps, static imagery, video imagery) must be indexed by spatial context (spatial location) and content (imagery content). The indexing process applies standard subjects and relationships, maintained in a lexicon and thesaurus that is extracted from the analysis information base. Following indexing, data items are clustered and linked before entry into the analysis base. As new items are entered, statistical analyses are performed to monitor trends or events against predefined templates that may alert analysts or cue their focus of attention in the next phase of processing. For example, if analysts are interested in relationships between nations A and B, all reports may be scored for a “tension factor” between those nations, and alerts may be generated on the basis of frequency, score intensity, and sources of incoming data items.

The third, exploitation, phase of processing presents data to the human intelligence analyst for examination using visualization tools to bring to focus the most meaningful and relevant data items and their interrelationships.

The categories of automated tools that are applied to the analysis information base include the following [25]:

• Interactive search and retrieval tools permit analysts to search by topic, content, or related topics using the lexicon and thesaurus subjects.
• Structured judgment analysis tools provide visual methods to link data, synthesize deductive logic structures, and visualize complex relationships between datasets. These tools enable the analyst to hypothesize, explore, and discover subtle patterns and relationships in large data volumes—knowledge that can be discerned only when all sources are viewed in a common context.
• Modeling and simulation tools model hypothetical activities, allowing modeled (expected) behavior to be compared to evidence for validation or projection of operations under scrutiny.
• Collaborative analysis tools permit multiple analysts in related subject areas, for example, to collaborate on the analysis of a common subject.
• Data visualization tools present synthetic views of data and information to the analyst to permit patterns to be examined and discovered. Table 4.6 illustrates several examples of visualization methods applied to the analysis of large-volume multimedia data.

 

4.2 Battlespace Information Architecture

We have shown that dominant battlespace awareness is achieved by the effective integration of the sensing, processing, and response functions to provide a comprehensive understanding of the battlespace, and possible futures and consequences.

At the lowest tier is the information grid, an infrastructure that allows the flow of information from precision sensors, through processing, to precision forces.

This tier is the forward path observe function of the OODA loop, and the feedback path distribution channel to control the act function of the loop and collaborative exchange paths. The grid provides for secure, robust transfer of four categories of information (Table 4.8) across the battlespace: (1) information access, (2) messaging, (3) interpersonal communications, and (4) publishing or broadcasting.

Precision information direction tailors the flow of information on the grid, responding dynamically to the environment to allocate resources (e.g., bandwidth and content) to meet mission objectives. The tier includes the data fusion and mining processes that perform the intelligence-processing functions described in previous sections. These processes operate over the information grid, performing collaborative assessment of the situation and negotiation of resource allocations across distributed physical locations

The highest tier is effective force management, which interacts with human judgment to provide the following:

• Predictive planning and preemption—Commanders are provided predictions and assessments of likely enemy and planned friendly COAs with expected outcomes and uncertainties. Projections are based upon the information regarding state of forces and environmental constraints (e.g., terrain and weather). This function also provides continuous monitoring of the effectiveness of actions and degree of mission accomplishment. The objective of this capability is to provide immediate response and preemption rather than delayed reaction.

• Integrated force management—Because of the information grid and comprehensive understanding of the battlespace, force operations can be dynamically synchronized across echelons, missions, components, and coalitions. Both defense and offense can be coordinated, as well as the supporting functions of deployment, refueling, airlift, and logistics.

• Execution of time-critical missions—Time-critical targets can be prosecuted by automatic mission-to-target and weapon-to-target pairings, due to the availability (via the information grid) of immediate sensorderived targeting information. Detection and cueing of these targets permit rapid targeting and attack by passing targeting data (e.g., coordinates, target data, imagery) to appropriate shooters.

Force management is performed throughout the network, with long-term, high-volume joint force management occurring on one scale, and time-critical, low-volume, precision sensor-toshooter management on another. Figure 4.7 illustrates the distinction between the OODA loop processes of the time-critical sensor-to-shooter mission and the longer term theater battle management mission.

4.3 Summary

Dominant battlespace awareness and knowledge is dependent upon the ability to both acquire and analyze the appropriate data to comprehend the meaning of the current situation, the ability to project possible future courses of action, and the wisdom to know when sufficient awareness is achieved to act.

Part II
Information Operations for Information Warfare

5

Information Warfare Policy, Strategy, and Operations

Preparation for information warfare and the conducting of all phases of information operations at a national level requires an overarching policy, an implementing strategy developed by responsible organizations, and the operational doctrine and personnel to carry out the policy.

Information warfare is conducted by technical means, but the set of those means does not define the military science of C2W or netwar. Like any form of competition, conflict, or warfare, there is a policy that forms the basis for strategy, and an implementing strategy that governs the tactical application of the technical methods. While this is a technical book describing the methods, the system implementations of information warfare must be understood in the context of their guiding implementation.

Because of the uncertainty of consequences and the potential impact of information operations on civilian populations, policy and strategy must be carefully developed to govern the use of information operations technologies—technologies that may even provide capabilities before consequences are understood and policies for their use are fully developed.

5.1 Information Warfare Policy and Strategy

The technical methods of information warfare are the means at the bottom of a classical hierarchy that leads from the ends (objectives) of national security policy. The hierarchy proceeds from the policy to an implementing strategy, then to operational doctrine (procedures) and a structure (organization) that applies at the final tactical level the technical operations of IW. The hierarchy “flows down” the security policy, with each successive layer in the hierarchy implementing the security objectives of the policy.

Security Policy

Policy is the authoritative articulation of the position of a nation, defining its interests (the objects being secured), the security objectives for those interests, and its intent and willingness to apply resources to protect those interests. The interests to be secured and the means of security are defined by policy. The policy may be publicly declared or held private, and the written format must be concise and clear to permit the implementing strategy to be traceable to the policy.

Any security policy addressing the potential of information warfare must consider the following premises:

1. National interest—The national information infrastructure (NII), the object of the information security policy, is a complex structure comprised of public (military and nonmilitary) and private elements. This infrastructure includes the information, processes, and structure, all of which may be attacked. The structure, contents, owners, and security responsibilities must be defined to clearly identify the object being

protected. The NII includes abstract and physical property; it does not include human life, although human suffering may be brought on by collateral effects.

2. New vulnerabilities—Past security due to geographic and political positions of a nation no longer applies to information threats, in which geography and political advantages are eliminated. New vulnerabilities and threats must be assessed because traditional defenses may not be applicable.
3. Security objective—The desired levels of information security must be defined in terms of integrity, authenticity, confidentiality, nonrepudiation, and availability.
4. Intent and willingness—The nation must define its intent to use information operations and its willingness to apply those weapons. Questions that must be answered include the following:

1. • What actions against the nation will constitute sufficient justification to launch information strikes?
   • What levels of information operations are within the Just War Doctrine? What levels fall outside?
   • What scales of operations are allowable, and what levels of direct and collateral damage resulting from information strikes are permissible?
   • How do information operations reinforce conventional operations?
   • What are the objectives of information strikes?
   • What are the stages of offensive information escalation, and how

are information operations to be used to de-escalate crises?

5. Authority—The security of highly networked infrastructures like the NII requires shared authorities and responsibilities for comprehensive protection; security cannot be assured by the military alone. The authority and roles of public and private sectors must be defined. The national command authority and executing military agencies for offensive, covert, and deceptive information operations must be defined. As in nuclear warfare, the controls for this warfare must provide assurance that only proper authorities can launch offensive actions.
6. Limitations of means—The ranges and limitations of methods to carry out the policy may be defined. The lethality of information operations, collateral damage, and moral/ethical considerations of conducting information operations as a component of a just war must be defined.
7. Information weapons conventions and treaties—As international treaties and conventions on the use (first use or unilateral use) of information operations are established, the national commitments to such treaties must be made in harmony with strategy, operations, and weapons development.

essential elements of security policy… that may now be applied to information warfare by analogy include the following:

Defense or protection—This element includes all defensive means to protect the NII from attack: intelligence to assess threats, indications and warning to alert of impending attacks, protection measures to mitigate the effects of attack, and provisions for recovery and restoration. Defense is essentially passive—the only response to attack is internal.

Deterrence—This element is the threat that the nation has the will and capability to conduct an active external response to attack (or a preemptive response to an impending threat), with the intent that that the threat alone will deter an attack. A credible deterrence requires (1) the ability to identify the attacker, (2) the will and capability to respond, and (3) a valued interest that may be attacked [5]. Deterrence includes an offensive component and a dominance (intelligence) component to provide intelligence for targeting and battle damage assessment (BDA) support.

Security Strategy

National strategy is the art and science of developing and using the political, economic, and psychological powers of a nation, together with its armed forces, during peace and war, to secure national objectives.

The strategic process (Figure 5.2) includes both strategy developing activities and a complementary assessment process that continuously monitors the effectiveness of the strategy.

 

The components of a strategic plan will include, as a minimum, the following components:

• Definition of the missions of information operations (public and private, military and nonmilitary);
• Identification of all applicable national security policies, conventions, and treaties;
• Statement of objectives and implementation goals;
• Organizations, responsibilities, and roles;
• Strategic plan elements:
  1. Threats, capabilities, and threat projections;
  2. NII structure, owners, and vulnerabilities;
  3. Functional (operational) requirements of IW capabilities (time phased);
  4. Projected gaps in ability to meet national security objectives, and plan to close gaps and mitigate risks;
  5. Organizational plan;
  6. Operational plan (concepts of operations);
  7. Strategic technology plan;
  8. Risk management plan;

• Performance and effectiveness assessment plan.

5.2 An Operational Model of Information Warfare

Information operations are performed in the context of a strategy that has a desired objective (or end state) that may be achieved by influencing a target (the object of influence).

Information operations are defined by the U.S. Army as

Continuous military operations within the Military Information Environment (MIE) that enable, enhance and protect the friendly force’s ability to collect, process, and act on information to achieve an advantage across the full range of military operations; information operations include interacting with the Global Information Environment (GIE) and exploiting or denying an adversary’s information and decision capabilities

The model recognizes that targets exist in (1) physical space, (2) cyberspace, and (3) the minds of humans. The highest level target of information operations is the human perception of decision makers, policymakers, military commanders, even entire populations. The ultimate targets and the operational objective are to influence their perception to affect their decisions and resulting activities.

for example, the objective perception for targeted leaders may be “overwhelming loss of control, disarray, and loss of support from the populace.”

These perception objectives may be achieved by a variety of physical or abstract (information) means, but the ultimate target and objective is at the purely abstract perceptual level, and the effects influence operational behavior. The influences can cause indecision, delay a decision, or have the effect of biasing a specific decision. The abstract components of this layer include objectives, plans, perceptions, beliefs, and decisions.

Attacks on this intermediate layer can have specific or cascading effects in both the perceptual and physical layers.

5.3 Defensive Operations

The U.S. Defense Science Board performed a study of the defensive operations necessary to implement IW-defense at the national level, and in this section we adapt some of those findings to describe conceptual defensive capabilities at the operational level.

Offensive information warfare is attractive to many [potential adversaries] because it is cheap in relation to the cost of developing, maintaining, and using advanced military capabilities. It may cost little to suborn an insider, create false information, manipulate information, or launch malicious logic-based weapons against an information system connected to the globally shared telecommunication infrastructure. In addition, the attacker may be attracted to information warfare by the potential for large nonlinear outputs from modest inputs

Threat Intelligence, I&W

Essential to defense is the understanding of both the external threats and the internal vulnerabilities that may encounter attack. This understanding is provided by an active intelligence operation that performs external assessments of potential threats [16] and internal assessments of vulnerabilities.

The vulnerability assessment can be performed by analysis, simulation, or testing. Engineering analysis and simulation methods exhaustively search for access paths during normal operations or during unique conditions (e.g., during periods where hardware faults or special states occur). Testing methods employ “red teams” of independent evaluators armed with attack tools to exhaustively scan for access means to a system (e.g., communication link, computer, database, or display) and to apply a variety of measures (e.g., exploitation, disruption, denial of service, or destruction).

Protection Measures (IW-Defense)

Based on assessments of threats and vulnerabilities, operational capabilities are developed to implement protection measures (countermeasures or passive defenses) to deny, deter, limit, or contain attacks against the information infrastructure. All of these means may be adopted as a comprehensive approach, each component providing an independent contribution to overall protection of the infrastructure.

The prevention operations deploy measures at three levels.

Strategic-level activities seek to deter attacks by legal means that ban attacks, impose penalties or punishment on offenders, or threaten reprisals.

Operational security (OPSEC) activities provide security for physical elements of the infrastructure, personnel, and information regarding the infrastructure (e.g., classified technical data).

Technical security (INFOSEC) activities protect hardware, software, and intangible information (e.g., cryptographic keys, messages, raw data, information, knowledge) at the hardware and software levels.

The functions of tactical response include the following:

• Surveillance—Monitor overall infrastructure status and analyze, detect, and predict effects of potential attacks. Generate alert status reports and warn components of the infrastructure of threat activity and expected events.
• Mode control—Issue controls to components to modify protection levels to defend against incipient threat activities, and to oversee restoration of service in the postattack period.
• Auditing and forensic analysis—Audit attack activity to determine attack patterns, behavior, and damage for future investigation, effectiveness analysis, offensive targeting, or litigation.
• Reporting—Issue reports to command authorities.

5.4 Offensive Operations

Offensive operational capabilities require the capability to identify and specify the targets of attack (targeting) and then to attack those targets. These two capabilities must be able to be performed at all three levels of the operational model, as presented earlier in Section 5.2. In addition to these two, a third offensive capability is required at the highest (perceptual) level of the operational model: the ability to manage the perceptions of all parties in the conflict to achieve the desired end.

Public and civil affairs operations are open, public presentations of the truth (not misinformation or propaganda) in a context and format that achieves perception objectives defined in a perception plan. PSYOPS also convey only truthful messages (although selected “themes” and emphases are chosen to meet objectives) to hostile forces to influence both the emotions and reasoning of decision makers. PSYOPS require careful tailoring of the message (to be culturally appropriate) and selection of the media (to ensure that the message is received by the target population). The message of PSYOPS may be conveyed by propaganda or by actions.

military deception operations are performed in secrecy (controlled by operational security). These operations are designed to induce hostile military leaders to take operational or tactical actions that are favorable to, and exploitable by, friendly combat operations

They have the objective of conveying untruthful information to deceive for one of several specific purposes.

1. Deceit—Fabricating, establishing, and reinforcing incorrect or preconceived beliefs, or creating erroneous illusions (e.g., strength or weakness, presence or nonexistence);
2. Denial—Masking operations for protection or to achieve surprise in an attack operation;
3. Disruption—Creating confusion and overload in the decision-making process;
4. Distraction—Moving the focus of attention toward deceptive actions or away from authentic actions;
5. Development—Creating a standard pattern of behavior to develop preconceived expectations by the observer for subsequent exploitation.

All of these perception management operations applied in military combat may be applied to netwar, although the media for communication (the global information infrastructure) and means of deceptive activities are not implemented on the physical battlefield. They are implemented through the global information infrastructure to influence a broader target audience.

Intelligence for Targeting and Battle Damage Assessment

The intelligence operations developed for defense also provide support to offensive attack operations, as intelligence is required for four functions.

1. Target nomination—Selecting candidate targets for attack, estimating the impact if the target is attacked;
2. Weaponeering—Selecting appropriate weapons and tactics to achieve the desired impact effects (destruction, temporary disruption or denial of service, reduction in confidence in selected function); the process targets vulnerability, weapon effect, delivery accuracy, damage criteria, probability of kill, and weapon reliability;
3. Attack plan—Planning all aspects of the attack, including coordinated actions, deceptions, routes (physical, information infrastructure, or perception), mitigation of collateral damage, and contingencies;
4. Battle damage assessment (BDA)—Measuring the achieved impact of the attack to determine effectiveness and plan reattack, if necessary.

Attack (IW-Offense) Operations

Operational attack requires planning, weapons, and execution (delivery) capabilities. The weapons include perceptual, information, and physical instruments employed to achieve the three levels of effect in the operational model.

Offensive operations are often distinguished as direct and indirect means.

Indirect attacks focus on influencing perception by providing information to the target without engaging the information infrastructure of the target. This may include actions to be observed by the target’s sensors, deception messages, electronic warfare actions, or physical attacks. External information is provided to influence perception, but the target’s structure is not affected.

Direct attacks specifically engage the target’s internal information, seeking to manipulate, control, and even destroy the information or the infrastructure of the target.

Offensive information warfare operations integrate both indirect and direct operations to achieve the desired effects on the target. The effectiveness of attacks is determined by security (or stealth), accuracy, and direct and collateral effects.

5.5 Implementing Information Warfare Policy and Strategy

This chapter has emphasized the flow-down of policy to strategy, and strategy to operations, as a logical, traceable process. In theory, this is the way complex operational capabilities must be developed. In the real world, factors such as the pace of technology, a threatening global landscape, and dynamic national objectives force planners to work these areas concurrently—often having a fully developed capability (or threat) without the supporting policy, strategy, or doctrine to enable its employment (or protection from the threat).

6
The Elements of Information Operations

Information operations are the “continuous military operations within the military information environment that enable, enhance, and protect the friendly force’s ability to collect, process, and act on information to achieve an advantage across the full range of military operations; information operations include interacting with the global information environment and exploiting or denying an adversary’s information and decision capabilities”

Some information operations are inherently “fragile” because they are based on subtle or infrequent system vulnerabilities, or because they rely on transient deceptive practices that if revealed, render them useless. Certain elements of IO have therefore been allocated to the operational military, while others (the more fragile ones) have been protected by OPSEC within the intelligence communities to reduce the potential of their disclosure.

6.1 The Targets of Information Operations

The widely used term information infrastructure refers to the complex of sensing, communicating, storing, and computing elements that comprise a defined information network conveying analog and digital voice, data, imagery, and multimedia data. The “complex” includes the physical facilities (computers, links, relays, and node devices), network standards and protocols, applications and software, the personnel who maintain the infrastructure, and the information itself. The infrastructure is the object of both attack and defense; it provides the delivery vehicle for the information weapons of the attacker while forming the warning net and barrier of defense for the defender. Studies of the physical and abstract structure of the infrastructure are therefore essential for both the defender and the targeter alike.

Three infrastructure categories are most commonly identified.

The global information infrastructure (GII) includes the international complex of broadcast communications, telecommunications, and computers that provide global communications, commerce, media, navigation, and network services between NIIs. (Note that some documents refer to the GII as the inclusion of all NIIs; for our purposes, we describe the GII as the interconnection layer between NIIs.)

The national information infrastructure (NII) includes the subset of the GII within the nation, and internal telecommunications, computers, intranets, and other information services not connected to the GII. The NII is directly dependent upon national electrical power to operate, and the electrical power grid is controlled by components of the NII.

The defense information infrastructure (DII) includes the infrastructure owned and maintained by the military (and intelligence) organizations of the nation for purposes of national security. The DII includes command, control, communications, and computation components as well as dedicated administration elements. These elements are increasingly integrated to the NII and GII to use commercial services for global reach but employ INFOSEC methods to provide appropriate levels of security.

The critical infrastructures identified by the U.S. President’s Commission on Critical Infrastructure Protection (PCCIP) include five sectors

1. Information and communications (the NII)
2. Banking and finance
3. Energy
4. Physical distribution
5. Vital human services

Attackers may seek to achieve numerous policy objectives by attacking these infrastructures. In order to achieve these policies, numerous intermediate attack goals may be established that can then be achieved by information infrastructure attacks. Examples of intermediate goals might include the following:

• Reduce security by reducing the ability of a nation to respond in its own national interest;
• Weaken public welfare by attacking emergency services to erode public confidence in the sustainment of critical services and in the government;
• Reduce economic strength to reduce national economic competitiveness.

Two capabilities are required for the NII:

• Infrastructure protection requires defenses to prevent and mitigate the effects of physical or electronic attack.
• Infrastructure assurance requires actions to ensure readiness, reliability, and continuity—restricting damage and providing for reconstitution in the event of an attack.

 

The conceptual model provides for the following basic roles and responsibilities:

• Protected information environment—The private sector maintains protective measures (INFOSEC, OPSEC) for the NII supported by the deterrent measures contributed by the government. Deterrence is aimed at influencing the perception of potential attackers, with the range of responses listed in the figure. The private sector also holds responsibility for restoration after attack, perhaps supported by the government in legally declared emergencies.
• Attack detection—The government provides the intelligence resources and integrated detection capability to provide indications and warnings (strategic) and alerts (tactical) to structured attacks.
• Attack response—The government must also ascertain the character of the attack, assess motives and actors, and then implement the appropriate response (civil, criminal, diplomatic, economic, military, or informational).
• Legal protection—In the United States, the government also holds responsibility (under the Bill of Rights, 1791, and derivative statues cited below) for the protection of individual privacy of information, including oral and wire communications [26]; computers, e-mail, and digitized voice, data, and video [27]; electronic financial records and the transfer of electronic funds [28,29]; and cellular and cordless phones and data communications [30]. This is the basis for civil and criminal deterrence to domestic and international criminal information attacks on the NII.

While the government has defined the NII, the private sector protects only private property, and there is no coordinated protection activity. Individual companies, for example, provide independent protection at levels consistent with their own view of risk, based on market forces and loss prevention.

IO attacks, integrated across all elements of critical infrastructure and targeted at all three levels of the NII, will attempt to destabilize the balance and security of these operations. The objective and methodology is to:

• Achieve perception objectives at the perceptual level, causing leadership to behave in a desired manner.
• This perception objective is achieved by influencing the components of the critical infrastructure at the application level.
• This influence on the critical infrastructure is accomplished through attacks on the information infrastructure, which can be engaged at the physical, information, and perceptual layers.

6.1.3 Defense Information Infrastructure (DII)

The DII implements the functional “information grid”. In the United States, the structure is maintained by the Defense Information Systems Agency (DISA), which established the following definition:

The DII is the web of communications networks, computers, software, databases, applications, weapon system interfaces, data, security services, and other services that meet the information-processing and transport needs of DoD users across the range of military operations. It encompasses the following:

1. Sustaining base, tactical, and DoD-wide information systems, and command, control, communications, computers, and intelligence (C4I) interfaces to weapons systems.
2. The physical facilities used to collect, distribute, store, process, and display voice, data, and imagery.
3. The applications and data engineering tools, methods, and processes to build and maintain the software that allow command and control (C2), intelligence, surveillance, reconnaissance, and mission support users to access and manipulate, organize, and digest proliferating quantities of information.
4. The standards and protocols that facilitate interconnection and interoperation among networks.
5. The people and assets that provide the integrating design, management, and operation of the DII, develop the applications and services, construct the facilities, and train others in DII capabilities and use.

Three distinct elements of the U.S. DII are representative of the capabilities required by a third-wave nation to conduct information-based warfare.

6.2 Information Infrastructure War Forms

As the GII and connected NIIs form the fundamental interconnection between societies, it is apparent that this will become a principal vehicle for the conduct of competition, conflict, and warfare. The concept of network warfare was introduced and most widely publicized by RAND authors John Arquilla and David Ronfeldt in their classic think piece, “Cyberwar is Coming!”

The relationships between these forms of conflict may be viewed as sequential and overlapping when mapped on the conventional conflict time line that escalates from peace to war before de-escalation to return to peace (Figure 6.7). Many describe netwar as an ongoing process, with degrees of intensity moving from daily unstructured attacks to focused net warfare of increasing intensity until militaries engage in C2W. Netwar activities are effectively the ongoing, “peacetime”-up-to-conflict components of IO.

6.3 Information Operations for Network Warfare

Ronfeldt and Arquilla define netwar as a societal-level ideational conflict at a grand level, waged in part through Internetted modes of communications. It is conducted at the perceptual level, exploiting the insecurities of a society via the broad access afforded by the GII and NIIs. Netwar is characterized by the following qualities that distinguish it from all other forms:

• Target—Society at large or influential subsets are targeted to manage perception and influence the resulting opinion. Political, economic, and even military segments of society may be targeted in an orchestrated fashion. The effort may be designed to create and foster dissident or opposition groups that may gain connectivity through the available networks.
• Media—All forms of networked and broadcast information and communications within the NII of a targeted nation state may be used to carry out information operations. The GII may be the means for open access or illicit penetration of the NII.
• Means—Networks are used to conduct operations, including (1) public influence (open propaganda campaigns, diplomatic measures, and psychological operations); (2) deception (cultural deception and subversion, misinformation); (3) disruption and denial (interference with media or information services); and (4) exploitation (use of networks for subversive activities, interception of information to support targeting).
• Players—The adversaries in netwar need not be nation states. Nation states and nonstate organizations in any combination may enter into conflict. As networks increasingly empower individuals with information influence, smaller organizations (with critical information resources) may wage effective netwar attacks.

In subsequent studies, Arquilla and Ronfeldt have further developed the potential emergence of netwar as dominant form of societal conflict in the twenty-first century and have prescribed the necessary preparations for such conflicts. A 1994 U.S. Defense Science Board study concluded that “A large structured attack with strategic intent against the U.S. could be prepared and exercised under the guise of unstructured activities”

6.3.1 A Representative Netwar Scenario

The U.S. defense community, futurists, and security analysts have hypothesized numerous netwar scenarios that integrate the wide range of pure information weapons, tactics, and media that may be applied by future information aggressors.

6.4 Information Operations for Command and Control Warfare (C2W)

Information operations, escalated to physical engagement against military command and control systems, enter the realm of C2W. C2W is “the integrated use of operations security (OPSEC), military deception, psychological operations (PSYOPS), electronic warfare (EW), and physical destruction, mutually supported by intelligence to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions”.

C2W is distinguished from netwar in the following dimensions:

Target—Military command and control is the target of C2W. Supporting critical military physical and information infrastructures are the physical targets of C2W.

Media—While the GII is one means of access for attack, C2W is characterized by more direct penetration of an opponent’s airspace, land, and littoral regions for access to defense command and control infrastructure. Weapons are delivered by air, space, naval, and land delivery systems, making the C2W overt, intrusive, and violent. This makes it infeasible to conduct C2W to the degree of anonymity that is possible for netwar.

Means—C2W applies physical and information attack means to degrade (or destroy) the OODA loop function of command and control systems, degrading military leaders’ perceptual control effectiveness and command response. PSYOPS, deception, electronic warfare, and physically destructive means are used offensively, and OPSEC provides protection of the attack planning.

Players—The adversaries of C2W are military organizations of nation states, authorized by their governments.

Ronfeldt and Arquilla emphasize that future C2W will be characterized by a revision in structure, as well as operations, to transform the current view of command and control of military operations:

Waging [C2W] may require major innovations in organizational design, in particular a shift from hierarchies to networks. The traditional reliance on hierarchical designs may have to be adapted to network-oriented models to allow greater flexibility, lateral connectivity, and teamwork across institutional boundaries. The traditional emphasis on command and control, a key strength of hierarchy, may have to give way to emphasis on consultation and coordination, the crucial building blocks of network designs

6.5.1 Psychological Operations (PSYOPS)

PSYOPS are planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behaviors of foreign governments, organizations, groups, and individuals. The objective of PSYOPS is to manage the perception of the targeted population, contributing to the achievement of larger operational objectives. Typical military objectives include the creation of uncertainty and ambiguity (confusion) to reduce force effectiveness, the countering of enemy propaganda, the encouragement of disaffection among dissidents, and the focusing of attention on specific subjects that will degrade operational capability. PSYOPS are not synonymous with deception; in fact, some organizations, by policy, present only truthful messages in PSYOPS to ensure that they will be accepted by target audiences.

PSYOPS are based on two dimensions: the communication of a message via an appropriate media to a target population (e.g., enemy military personnel or foreign national populations).

PSYOP activities begin with creation of the perception objective and development of the message theme(s) that will create the desired perception in the target population (Figure 6.11). Themes are based upon analysis of the psychological implications and an understanding of the target audience’s culture, preconceptions, biases, means of perception, weaknesses, and strengths. Theme development activities require approval and coordination across all elements of government to assure consistency in diplomatic, military, and economic messages. The messages may take the form of verbal, textual messages (left brain oriented) or “symbols” in graphic or visual form (right brain oriented).

6.5.2 Operational Deception

Military deception includes all actions taken to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of a friendly mission [60]. Deception operations in netwar expand the targets to include society at large, and have the objective of inducing the target to behave in manner (e.g., trust) that contributes to the operational mission.

Deception contributes to the achievement of a perception objective; it is generally not an end objective in itself.

Two categories of misconception are recognized: (1) ambiguity deception aims to create uncertainty about the truth, and (2) misdirection deception aims to create certainty about a falsehood. Deception uses methods of distortion, concealment, falsification of indicators, and development of misinformation to mislead the target to achieve surprise or stealth. Feint, ruse, and diversion activities are common military deceptive actions.

 

Because deception operations are fragile (their operational benefit is denied if detected), operational security must be maintained and the sequencing of deceptive and real (overt) activities must be timed to protect the deception until surprise is achieved. As in PSYOPS, intelligence must provide feedback on the deception effects to monitor the degree to which the deception story is believed.

Deception operations are based on exploitation of bias, sensitivity, and capacity vulnerabilities of human inference and perception (Table 6.9) [61]. These vulnerabilities may be reduced when humans are aided by objective decision support systems, as noted in the table.

Electronic attack can be further subdivided into four fundamental attack categories: exploitation, deception, disruption or denial, or destruction

6.5.5 Intelligence

Intelligence operations contribute assessments of threats (organizations or individuals with inimical intent, capability, and plans); preattack warnings; and postattack investigation of events.

Intelligence can be viewed as a defensive operation at the perception level because it provides information and awareness of offensive PSYOPS and deception operations.

Intelligence on information threats must be obtained in several categories:

1. Organization threat intelligence—Government intelligence activities maintain watches for attacks and focus on potential threat organizations, conducting counterintelligence operations (see next section) to determine intent, organizational structure, capability, and plans.
2. Technical threat intelligence—Technical intelligence on computer threats and technical capabilities are supplied by the government, academia, or commercial services to users as services.

 

6.5.6 Counterintelligence

Structured attacks require intelligence gathering on the infrastructure targets, and it is the role of counterintelligence to prevent and obstruct those efforts. Network counterintelligence gathers intelligence on adversarial individuals or organizations (threats) deemed to be motivated and potentially capable of launching a network attack.

6.5.7 Information Security (INFOSEC)

We employ the term INFOSEC to encompass the full range of disciplines to provide security protection and survivability of information systems from attacks, including the most common disciplines,

• INFOSEC—Measures and controls that protect the information infrastructure against denial of service and unauthorized (accidental or intentional) disclosure, modification, or destruction of information infrastructure components (including data). INFOSEC includes consideration of all hardware and/or software functions, characteristics and/or features; operational procedures, accountability procedures, and access controls at the central computer facility, remote computer, and terminal facilities; management constraints; physical structures and devices; and personnel and communication controls needed to provide an acceptable level of risk for the infrastructure and for the data and information contained in the infrastructure. It includes the totality of security safeguards needed to provide an acceptable protection level for an infrastructure and for data handled by an infrastructure.
• COMSEC—Measures taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of communications security material and information.
• TEMPEST—The study and control of spurious electronic signals emitted by electrical equipment.
• COMPUSEC—Computer security is preventing attackers from achieving objectives through unauthorized access or unauthorized use of computers and networks.
• System survivability—The capacity of a system to complete its mission in a timely manner, even if significant portions of the system are incapacitated by attack or accident.

 

6.5.8 Operational Security (OPSEC)

Operations security denies adversaries information regarding intentions, capabilities, and plans by providing functional and physical protection of people, facilities, and physical infrastructure components. OPSEC seeks to identify potential vulnerabilities and sources of leakage of critical indicators [80] to adversaries, and to develop measures to reduce those vulnerabilities. While INFOSEC protects the information infrastructure, OPSEC protects information operations (offensive and defensive).

7

An Operational Concept (CONOPS) for Information Operations

Units or cells of information warriors will conduct the information operations that require coordination of technical disciplines to achieve operational objectives. These cells require the support of planning and control tools to integrate and synchronize both the defensive and offensive disciplines introduced in the last chapter.

This chapter provides a baseline concept of operations (CONOPS) for implementing an offensive and defensive joint service IO unit with a conceptual support tool to conduct sustained and structured C2W. We illustrate the operational-level structure and processes necessary to implement information operations—in support of overall military operations—on a broad scale in a military environment.

 

The 16 essential capabilities identified in the U.S. Joint Warfighter Science and Technology Plan (1997) as necessary to achieve an operational information warfare capability [1].

1. Information consistency includes the integrity, protection, and authentication of information systems.
2. Access controls/security services ensures information security and integrity by limiting access to information systems to authorized personnel only. It includes trusted electronic release, multilevel information security, and policies.

3.Service availability ensures that information systems are available when needed, often relying upon communications support for distributed computing.

4. Network management and control ensures the use of reconfigurable robust protocols and control algorithms, self-healing applications, and systems capable of managing distributed computing over heterogeneous platforms and networks.
5. Damage assessment determines the effectiveness of attacks in both a defensive capacity (e.g., where and how bad) and an offensive capacity (e.g., measure of effectiveness).
6. Reaction (isolate, correct, act) responds to a threat, intruder, or network or system disturbance. Intrusions must be characterized and decision makers must have the capability to isolate, contain, correct, monitor surreptitiously, and so forth. The ability to correct includes recovery, resource reallocation, and reconstitution.
7. Vulnerability assessment and planning is an all-encompassing functional capability that includes the ability to realistically assess the joint war fighter’s information system(s) and information processes and those of an adversary. The assessment of war-fighter systems facilitates the use of critical protection functions such as risk management and vulnerability analysis. The assessment of an adversary’s information system provides the basis for joint war-fighter attack planning and operational execution.
8. Preemptive indication provides system and subsystem precursors or indications of impending attack.
9. Intrusion detection/threat warning enables detection of attempted and successful intrusions (malicious and nonmalicious) by both insiders and outsiders.

10.Corruption of adversary information/systems can take many diverse forms, ranging from destruction to undetected change or infection of information. There are two subsets of this function: (1) actions taken on information prior to its entry into an information system, and (2) actions taken on information already contained within an information system.

11. Defeat of adversary protection includes the defeat of information systems, software and physical information system protection schemes, and hardware.
12. Penetration of adversary information system provides the ability to intrude or inject desired information into an adversary’s information system, network, or repository. The function includes the ability to disguise the penetration—either the fact that the penetration has occurred or the exact nature of the penetration.

13.Physical destruction of adversary’s information system physically denies an adversary the means to access or use its information systems. Actions include traditional hard kills as well as actions of a less destructive nature that cause a physical denial of service.

14. Defeat of adversary information transport defeats any means involved in the movement of information either to or within a given information system. It transcends the classical definition of electronic warfare by encompassing all means of information conveyance rather than just the traditional electrical means.
15. Insertion of false station/operator into an adversary’s information system provides the ability to inject a false situation or operator into an adversary’s information system.
16. Disguise of sources of attack encompasses all actions designed to deny an adversary any knowledge of the source of an information attack or the source of information itself. Disguised sources, which deny the adversary true information sources, often limit the availability of responses, thereby delaying correction or retaliation.

Concept of Operations (CONOPS) for Information Operations Support System (IOSS)

Section 1 General 1.1 Purpose

This CONOPS describes an information operations support system (IOSS) comprised of integrated and automated tools to plan and conduct offensive and defensive information operations.

This CONOPS is a guidance document, does not specify policy, and is intended for audiences who need a quick overview or orientation to information operations (IO).

1.2 Background

Information operations provide the full-spectrum means to achieve information dominance by: (1) monitoring and controlling the defenses of a force’s information infrastructure, (2) planning activities to manage an adversary’s perception, and (3) coordinating PSYOPS, deception, and intrusive physical and electronic attacks on the adversary’s information infrastructure.

CONOPS provides an overview of the methodology to implement an IO cell supported by the semiautomated and integrated IOSS tools to achieve information dominance objectives. The following operational benefits are accrued:

• Synchronization—An approach to synchronize all aspects of military operations (intelligence, OPSEC, INFOSEC, PSYOPS, deception, information, and conventional attack) and to deconflict adverse actions between disciplines;

• Information sharing—The system permits rapid, adaptive collaboration among all members of the IO team;
• Decision aiding—An automated process to manage all IO data, provide multiple views of the data, provide multiple levels of security, and aid human operators in decision making.

 

3.3 Operational Process

Defensive planning is performed by the OPSEC and INFOSEC officers, who maintain a complete model of friendly networks and status reports on network performance. Performance and intrusion detection information is used to initiate defensive actions (e.g., alerts, rerouting, service modification, initiation of protection or recovery modes). The defensive process is continuous and dynamic, and adapts security levels and access controls to maintain and manage the level of accepted risk established at the operational level.

The flow of offensive planning activities performed by the IOSS  is organized by the three levels of planning.

• Perceptual level—The operational plan defines the intent of policy and operational objectives. The operational and perception plans, and desired behaviors of the perception targets (audiences), are defined at this level.

• Information infrastructure level—The functional measures for achieving perception goals, in the perception target’s information infrastructure, are developed at this level.

• Physical level—The specific disciplines that apply techniques (e.g., physical attack, network attack, electronic support) are tasked at this level.

The IOSS performs the decide function of the OODA loop for information operations, and the functional flow is organized to partition both the observe/orient function that provides inputs and the operational orders (OPORDS) that initiate the attack actions. The sequence of planning activities proceeds from the perceptual to the physical level, performing the flow-down operations defined in the following subsections.

3.3.1 Perception Operations The operational objectives and current situation are used to develop the desired perception objectives, which are balanced with all other operational objectives.

3.3.2 Information Infrastructure Operations At this level, the targeted information infrastructure (II) (at all ISO levels) is analyzed and tactics are developed to achieve the attack objectives by selecting the elements of the II to be attacked (targeted). The product is a prioritized high-value target (HVT) list. Using nodal analysis, targets are nominated for attack by the desired functional effect to achieve flowed-down objectives: denial, disruption, deceit, exploitation, or destruction.

Once the analysis develops an optimized functional model of an attack approach that achieves the objectives, weapons (techniques) are selected to accomplish the functional effects. This weaponeering process pairs the techniques (weapons) to targets (e.g., links, nodes, processing, individual decision makers). It also considers the associated risks due to attack detection and collateral damage and assigns intelligence collection actions necessary to perform BDA to verify the effectiveness of the attack.

3.3.3 Physical Level At the physical level, the attacking disciplines plan and execute the physical-level attacks.

Section 4 Command Relationships

4.3 Intelligence Support

IOSS requires intelligence support to detect, locate, characterize, and map the threat-critical infrastructure at three levels.

Section 5 Security 5.1 General

IO staff operations will be implemented and operated at multiple levels of security (MLS). Security safeguards consist of administrative, procedural, physical, operational, and/or environmental, personnel, and communications security; emanation security; and computer security (i.e., hardware, firmware, network, and software), as required.

Section 6 Training

6.1 General

Training is the key to successful integration of IO into joint military operations. Training of IO battle staff personnel is required at the force and unit levels, and is a complex task requiring mastery of the related disciplines of intelligence, OPSEC, PSYOPS, deception, electronic warfare, and destruction.

6.2 Formal Training

The fielding and operation of an IO cell or battle staff may require formal courses or unit training for the diverse personnel required. Training audiences include instructors, IO operators, IO battle staff cadre, system support, a broad spectrum of instructors in related disciplines, and senior officers.

7.2 Select Bibliography

Command and Control Warfare Policy

CJCSI 3210.01, Joint Information Warfare Policy, Jan. 2, 1996. DOD Directive S-3600.1, Information Warfare.

CJCSI 3210.03, Joint Command and Control Warfare Policy (U), Mar. 31, 1996.
JCS Pub 3-13.1, Joint Command and Control Warfare (C2W) Operations, Feb. 7, 1996.

Information Operations

“Information Operations,” Air Force Basic Doctrine (DRAFT), Aug. 15, 1995. FM-100-6, Information Operations, Aug. 27, 1997.
TRADOC Pam 525-69, Concept for Information Operations, Aug. 1, 1995.

Intelligence

Joint Pub 2-0, Doctrine for Intelligence Support to Joint Operations, May 5, 1995. AFDD 50, Intelligence, May 1996.
FM 34-130, Intelligence Preparation of the Battlefield, July 8, 1994.

PSYOPS, Civil and Public Affairs

JCS Pub 3-53, “Doctrine for Joint Psychological Operations,” AFDD 2.5-5, Psychological Operations, Feb. 1997.

FM 33-1, Psychological Operations, Feb. 18, 1993. FM 41-10, Civil Affairs Operations, Jan. 11, 1993. FM 46-1, Public Affairs Operations, July 23, 1992.

Operational Deception

CJCSI 3211.01, Joint Military Deception, June 1, 1993.
JCS Pub 3-58, Joint Doctrine for Operational Deception, June 6, 1994.
AR 525-21, Battlefield Deception Policy, Oct. 30, 1989.
FM 90-2, Battlefield Deception [Tactical Cover and Deception], Oct. 3, 1988. FM 90-2A (C), Electronic Deception, June 12, 1989.

Information Attack

FM 34-1, Intelligence and Electronic Warfare Operations, Sept. 27, 1994.

FM 34-37, Echelon Above Corps Intelligence and Electronic Warfare Operations, Jan. 15, 1991.

FM 34-36, Special Intelligence Forces Intelligence and Electronic Warfare Operations, Sept. 30, 1991.

Operational Security (OPSEC)

DOD Directive 5205.2, Operations Security Program, July 7, 1983. Joint Pub No. 3-54 Joint Doctrine for Operations Security.

AFI 10-1101, (Air Force), Operational Security Instruction.

AR 530-1, (Army) Operations Security, Mar. 3, 1995.

Information Security (INFOSEC)

DoD 5200.1-R, Information Security Program Regulation. AFPD 31-4, (Air Force) Information Security, Aug. 1997.
AR 380-19, (Army) Information System Security, Aug. 1, 1990.

8
Offensive Information Operations

This chapter introduces the functions, tactics, and techniques of malevolence against information systems. Offensive information operations target human perception, information that influences perception, and the physical world that is perceived. The avenues of these operations are via perceptual, information, and physical means.

Offensive information operations are malevolent acts conducted to meet the strategic, operational, or tactical objectives of authorized government bodies; legal, criminal, or terrorist organizations; corporations; or individuals. The operations may be legal or illegal, ethical or unethical, and may be conducted by authorized or unauthorized individuals. The operations may be performed covertly, without notice by the target, or they may be intrusive, disruptive, and even destructive. The effects on information may bring physical results that are lethal to humans.

Offensive operations are uninvited, unwelcome, unauthorized, and detrimental to the target; therefore, we use the term attack to refer to all of these operations.

security design must be preceded by an understanding of the attacks it must face.

Offensive information attacks have two basic functions: to capture or to affect information. (Recall that information may refer to processes or to data/information/knowledge content.) These functions are performed together to achieve the higher level operational and perceptual objectives. In this chapter, we introduce the functions, measures, tactics, and techniques of offensive operations.

• Functions—The fundamental functions (capture and affect) are used to effectively gain a desired degree of control of the target’s information resources. Capturing information is an act of theft of a resource if captured illegally, or technical exploitation if the means is not illicit. The object of capture may be, for example, a competitor’s data, an adversary’s processed information, another’s electronic cash (a knowledgelevel resource with general liquidity), or conversations that provide insight into a target’s perception. Affecting information is an act of intrusion with intent to cause unauthorized effects, usually harmful to the information owner. The functional processes that capture and affect information are called offensive measures, designed to penetrate operational and defensive security measures of the targeted information system.
• Tactics—The operational processes employed to plan, sequence, and control the countermeasures of an attack are the attack tactics. These tactics consider tactical factors, such as attack objectives; desired effects (e.g., covertness; denial or disruption of service; destruction, modification, or theft of information); degree of effects; and target vulnerabilities.
• Techniques—The technical means of capturing and affecting information of humans—their computers, communications, and supporting infrastructures—are described as techniques. In addition to these dimensions, other aspects, depending upon their application, may characterize the information attacks.

• Motive—The attacker’s motive may be varied (e.g., ideological, revenge, greed, hatred, malice, challenge, theft). Though not a technical characteristic, motive is an essential dimension to consider in forensic analysis of attacks.
• Invasiveness—Attacks may be passive or active. Active attacks invade and penetrate the information target, while passive attacks are noninvasive, often observing behaviors, information flows, timing, or other characteristics. Most cryptographic attacks may be considered passive relative to the sender and receiver processes, but active and invasive to the information message itself.

• Effects—The effects of attacks may vary from harassment to theft, from narrow, surgical modification of information to large-scale cascading of destructive information that brings down critical societal infrastructure.
• Ethics and legality—The means and the effects may be legal or illegal, depending upon current laws. The emerging opportunities opened by information technology have outpaced international and U.S. federal laws to define and characterize legal attacks. Current U.S. laws, for example, limit DoD activities in peacetime. Traditional intelligence activities are allowed in peacetime (capture information), but information attacks (affect information) form a new activity (not necessarily lethal, but quite intrusive) not covered by law. Offensive information operations that affect information enable a new range of nonlethal attacks that must be described by new laws and means of authorization, even as blockades, embargoes, and special operations are treated today. These laws must define and regulate the authority for transitional conflict operations between peace and war and must cover the degree to which “affect” operations may access nonmilitary infrastructure (e.g., commercial, civilian information). The laws must also regulate the scope of approved actions, the objective, and the degree to which those actions may escalate to achieve objectives. The ethics of these attacks must also be considered, understanding how the concepts of privacy and ownership of real property may be applied to the information resource. Unlike real property, information is a property that may be shared, abused, or stolen without evidence or the knowledge of the legitimate owner.

8.1 Fundamental Elements of Information Attack

Before introducing tactics and weapons, we begin the study of offense with a complete taxonomy of the most basic information-malevolent acts at the functional level. This taxonomy of attack countermeasures may be readily viewed in an attack matrix formed by the two dimensions:

• Target level of the IW model: perceptual, information, or physical;
• Attack category: capture or affect.

The attack matrix (Figure 8.1) is further divided into the two avenues of approach available to the attacker:

Direct, or internal, penetration attacks—Where the attacker penetrates [1] a communication link, computer, or database to capture and exploit internal information, or to modify information (add, insert, delete) or install a malicious process;

Indirect, or external, sensor attacks—Where the attacker presents open phenomena to the system’s sensors or information to sources (e.g., media, Internet, third parties) to achieve counterinformation objectives. These attacks include insertion of information into sensors or observation of the behavior of sensors or links interconnecting fusion nodes.

In C2W, indirect attacks target the observation stage of the OODA loop, while direct attacks target the orient stage of the loop [2]. The attacker may, of course, orchestrate both of these means in a hybrid attack in which both actions are supportive of each other

Two categories of attacks that affect information are defined by the object of attack.

Content attacks—The content of the information in the system may be attacked to disrupt, deny, or deceive the user (a decision maker or process). In C2W information operations, attacks may be centered on changing or degrading the intelligence preparation of the battlefield (IPB) databases, for example, to degrade its use in a future conflict.

Temporal attacks—The information process may be affected in such a way that the timeliness of information is attacked. Either a delay in receipt of data (to delay decision making or desynchronize processes) or deceptive acceleration by insertion of false data characterizes these attacks.

8.2

The Weapons of Information Warfare

8.3.1 Network Attack Vulnerabilities and Categories

Howard has developed a basic taxonomy of computer and network attacks for use in analyzing security incidents on the Internet [5]. The taxonomy structure is based on characterizing the attack process (Figure 8.2) by five basic components that characterize any attack.

1. Attackers—Six categories of attackers are identified (and motivations are identified separately, under objectives): hackers, spies, terrorists, corporate, professional criminals, and vandals.
2. Tools—The levels of sophistication of use of tools to conduct the attack are identified.
3. Access—The access to the system is further categorized by four branches.

Vulnerability exploited—Design, configuration (of the system), and implementation (e.g., software errors or bugs [7]) are all means of access that may be used.

Level of intrusion—The intruder may obtain unauthorized access, but may also proceed to unauthorized use, which has two possible subcategories of use.

 

Use of processes—The specific process or service used by the unauthorized user is identified as this branch of the taxonomy (e.g., SendMail, TCP/IP).

Use of information—Static files in storage or data in transit may be the targets of unauthorized use.

1. Results—Four results are considered: denial or theft of service, or corruption or theft (disclosure) of information.
2. Objectives—Finally, the objective of the attack (often closely correlated to the attacker type) is the last classifying property.

(This taxonomy is limited to network attacks using primarily information layer means, and can be considered a more refined categorization of the attacks listed in the information-layer row of the attack matrix presented earlier in Section 8.1.)

/IP).

8.4 Command and Control Warfare Attack Tactics

In military C2W, the desired attack effects are degradation of the opponent’s OODA loop operations (ineffective or untimely response), disruption of decision-making processes, discovery of vulnerabilities, damage to morale, and, ultimately, devastation of the enemy’s will to fight.

Command and control warfare has often been characterized as a war of OODA loops where the fastest, most accurate loop will issue the most effective actions [20]. The information-based warfare concepts introduced in Chapter 3 (advanced sensors, networks, and fusion systems) speed up the loop, improving information accuracy (content), visualization and dissemination (delivery), and update rates (timeliness).

Offensive information operations exploit the vulnerabilities described here and in Section 8.3.1.

Attacks exploit vulnerabilities in complex C4I systems to counter security and protection measures, as well as common human perceptual, design, or configuration vulnerabilities that include the following:

• Presumption of the integrity of observations and networked reports;
• Presumption that observation conflicts are attributable only to measurement error;
• Presumption that lack of observation is equivalent to nondetection rather than denial;

• Absence of measures to attribute conflict or confusion to potential multisource denial and spoofing.

Four fusion-specific threat mechanisms can be defined to focus information on the fusion process:

• Exploitation threats seek to utilize the information obtained by fusion systems or the fusion process itself to benefit the adversary. Information that can be captured from the system covertly can be used to attack the system, to monitor success of IW attacks, or to support other intelligence needs.
• Deception threats to fusion systems require the orchestration of multiple stimuli and knowledge of fusion processes to create false data and false fusion decisions, with the ultimate goal of causing improper decisions by fusion system users. Deception of a fusion system may be synchronized with other deception plots, including PSYOPS and military deceptions to increase confidence in the perceived plot.
• Disruption of sensor fusion systems denies the fusion process the necessary information availability or accuracy to provide useful decisions. Jamming of sensors, broadcast floods to networks, overloads, and soft or temporary disturbance of selected links or fusion nodes are among the techniques employed for such disruption.
• Finally, softand hard-kill destruction threats include a wide range of physical weapons, all of which require accurate location and precision targeting of the fusion node.

The matrix provides a tool to consider each individual category of attack against each element of the system.

8.5 IW Targeting and Weaponeering Considerations

Structured information strikes (netwar or C2W) require functional planning before coordinating tactics and weapons for all sorties at the perceptual, information, and physical levels. The desired effects, whether a surgical strike on a specific target or cascading effects on an infrastructure, must be defined and the uncertainty in the outcome must also be determined. Munitions effects, collateral damage, and means of verifying the functional effects achieved must be considered, as in physical military attacks.

8.8 Offensive Operations Analysis, Simulation, and War Gaming

The complexity of structured offensive information operations and the utility of their actions on decision makers is not fully understood or completely modeled. Analytic models, simulations, and war games will provide increasing insight into the effectiveness of these unproven means of attack. Simulations and war games must ultimately evaluate the utility of complex, coordinated, offensive information operations using closed loop models (Figure 8.11) that follow the OODA loop structure presented in earlier chapters to assess the influence of attacks on networks, information systems, and decision makers.

Measures of performance and effectiveness are used to assess the quantitative effectiveness of IW attacks (or the effectiveness of protection measures to defend against them). The measures are categorized into two areas.

• Performance metrics quantify specific technical values that measure the degree to which attack mechanisms affect the targeted information source, storage, or channel.

• Effectiveness metrics characterize the degree to which IW objectives impact the mission functions of the targeted system.

8.9 Summary

The wide range of offensive operations, tactics, and weapons that threaten information systems demand serious attention to security and defense. The measures described in this chapter are considered serious military weapons. The U.S. director of central intelligence (DCI) has testified that these weapons must be considered with other physical weapons of mass destruction, and that the electron should be considered the ultimate precision guided weapon [65].

9
Defensive Information Operations

This chapter provides an overview of the defensive means to protect the information infrastructure against the attacks enumerated in the last chapter. Defensive IO measures are referred to as information assurance.

Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

assurance includes the following component properties and capabilities:

• Availability provides assurance that information, services, and resources will be accessible and usable when needed by the user.
• Integrity assures that information and processes are secure from unauthorized tampering (e.g., insertion, deletion, destruction, or replay of data) via methods such as encryption, digital signatures, and intrusion detection.
• Authentication assures that only authorized users have access to information and services on the basis of controls: (1) authorization (granting and revoking access rights), (2) delegation (extending a portion of one entity’s rights to another), and (3) user authentication (reliable corroboration of a user, and data origin. (This is a mutual property when each of two parties authenticates the other.)
• Confidentiality protects the existence of a connection, traffic flow, and information content from disclosure to unauthorized parties.
• Nonrepudiation assures that transactions are immune from false denial of sending or receiving information by providing reliable evidence that can be independently verified to establish proof of origin and delivery.
• Restoration assures information and systems can survive an attack and that availability can be resumed after the impact of an attack.

While these asymmetric threats (e.g., lone teenager versus large corporation or DoD) have captured significant attention, they do not pose the more significant threat that comes in two areas.

• Internal threats (structured or unstructured)—Any insider with access to the targeted system poses a serious threat. Perverse insiders, be they disgruntled employees, suborned workers, or inserted agents, pose an extremely difficult and lethal threat. Those who have received credentials for system access (usually by a process of background and other assessments) are deemed trustworthy. Protection from malicious acts by these insiders requires high-visibility monitoring of activities (a deterrent measure), frequent activity audits, and high-level physical security and internal OPSEC procedures (defensive measures). While continuous or periodic malicious actions may be detected by network behavior monitoring, the insider inserted to perform a single (large) destructive act is extremely difficult to detect before that act. OPSEC activities provide critical protection in these cases, due to the human nature of the threat. This threat is the most difficult, and it’s risk should not be understated because of the greater attention often paid to technical threats.

• Structured external threats—Attackers with deep technical knowledge of the target, strong motivation, and the capability to mount combination attacks using multiple complex tactics and techniques also pose a serious threat. These threats may exploit subtle, even transitory, network vulnerabilities (e.g., configuration holes) and apply exhaustive probing and attack paths to achieve their objectives. While most computer vulnerabilities can be readily corrected, the likelihood that all computers in a network will have no vulnerabilities exposed at any given time is not zero. Structured attackers have the potential to locate even transient vulnerabilities, to exploit the momentary opportunity to gain access, and then expand the penetration to achieve the desired malevolent objective of attack.

9.1 Fundamental Elements of Information Assurance

The definition of information assurance includes six properties, of which three are considered to be the fundamental properties from which all others derive [20].

• Confidentiality (privacy)—Assuring that information (internals) and the existence of communication traffic (externals) will be kept secret, with access limited to appropriate parties;

• Integrity—Assuring that information will not be accidentally or maliciously altered or destroyed, that only authenticated users will have access to services, and that transactions will be certified and unable to be subsequently repudiated (the property of nonrepudiation);
• Availability—Assuring that information and communications services will be ready for use when expected (includes reliability, the assurance that systems will perform consistently and at an acceptable level of quality; survivability, the assurance that service will exist at some defined level throughout an attack; and restoration to full service following an attack).

These fundamentals meet the requirements established for the U.S. NII [21] and the international community for the GII.

9.2 Principles of Trusted Computing and Networking

Traditional INFOSEC measures applied to computing provided protection from the internal category of attacks.

For over a decade, the TCSEC standard has defined the criteria for four divisions (or levels) of trust, each successively more stringent than the level preceding it.

• D: Minimal protection—Security is based on physical and procedural controls only; no security is defined for the information system.
• C: Discretionary protection—Users (subjects), their actions, and data (objects) are controlled and audited. Access to objects is restricted based upon the identify of subjects.
• B: Mandatory protection—Subjects and objects are assigned sensitivity labels (that identify security levels) that are used to control access by an independent reference monitor that mediates all actions by subjects.
• A: Verified protection—Highest level of trust, which includes formal design specifications and verification against the formal security model.

The TCSEC defines requirements in four areas: security policy, accountability, assurance, and documentation.

Most commercial computer systems achieve C1 or C2 ratings, while A and B ratings are achieved only by dedicated security design and testing with those ratings as a design objective.

Networks pose significant challenges to security.

• Heterogeneous systems—The variety of types and configurations of systems (e.g., hardware platforms, operating systems), security labeling, access controls, and protocols make security analysis and certification formidable.
• Path security—Lack of control over communication paths through the network may expose data packets to hostile processes.
• Complexity—The complexity of the network alone provides many opportunities for design, configuration, and implementation vulnerabilities (e.g., covert channels) while making comprehensive analysis formidable.

Trusted networks require the properties already identified, plus three additional property areas identified in the TNI.

1. Communications integrity—Network users must be authenticated by secure means that prevent spoofing (imitating a valid user or replaying a previously sent valid message). The integrity of message contents must be protected (confidentiality), and a means must be provided to prove that a message has been sent and received (nonrepudiation).
2. Protection from service denial—Networks must sustain attacks to deny service by providing a means of network management and monitoring to assure continuity of service.
3. Compromise protection services—Networks must also have physical and information structure protections to maintain confidentiality of the traffic flow (externals) and message contents (internals). This requirement also imposes selective routing capabilities, which permit control of the physical and topological paths that network traffic traverse.

The concept of “layers” of trust or security is applied to networks, in which the security of each layer is defined and measures are taken to control access between layers and to protect information transferred across the layers.

9.3 Authentication and Access Control

The fundamental security mechanism of single or networked systems is the control of access to authentic users. The process of authentication requires the user to verify identity to establish access, and access controls restrict the processes that may be performed by the authenticated user or users attempting to gain authentication.

9.3.1 Secure Authentication and Access Control Functions

Authentication of a user in a secure manner requires a mechanism that verifies the identity of the requesting user to a stated degree of assurance.

Remote authentication and granting of network access is similar to the functions performed by military identification friend or foe (IFF) systems, which also require very high authentication rates. In network systems, as in IFF, cryptographic means combined with other properties provide high confidence and practical authentication. A variety of methods combining several mechanisms into an integrated system is usually required to achieve required levels of security for secure network applications.

 

 

9.5 Incident Detection and Response

Extensive studies of network intrusion detection have documented the technical challenge of achieving comprehensive detection on complex networks. There are several technical approaches to implementing detection mechanisms including the following:

1. Known pattern templates—Activities that follow specific sequences (e.g., attempts to exploit a known vulnerability, repeated password attacks, virus code signatures, etc.) of identified threats may be used to detect incidents. For example, Courtney, a detection program developed by the Lawrence Livermore National Laboratory, specifically detects the distinctive scan pattern of the SATAN vulnerability scanning tool.
2. Threatening behavior templates—Activities that follow general patterns that may jeopardize security are modeled and applied as detection criteria. Statistical, neural network, and heuristic detection mechanisms can detect such general patterns, but the challenge is to maintain an acceptably low false alarm rate with such general templates.
3. Traffic analysis—Network packets are inspected within a network to analyze source and destination as an initial filter for suspicious access activities. If packets are addressed to cross security boundaries, the internal packet contents are inspected for further evidence of intrusive or unauthorized activity (e.g., outgoing packets may be inspected for keywords, data contents; inbound packets for executable content).
4. State-based detection—Changes in system states (i.e., safe or “trusted” to unsafe transitions as described in Section 9.2) provide a means of detecting vulnerable actions.

 

Responses to incident detections can range from self-protective measures (terminate offending session and modify security policy) to offensive reactions, if the source of attack can be identified. In order to identify attackers, entrapment measures that are used include the deliberate insertion of an apparent security hole into a system.

In order to identify attackers, entrapment measures that are used include the deliberate insertion of an apparent security hole into a system. The intruder is seduced (through the entrapment hole) into a virtual system (often called the “honey pot”) that appears to be real and allows the intruder to carry out an apparent attack while the target system “observes” the attack. During this period, the intruder’s actions are audited and telecommunication tracing activities can be initiated to identify the source of the attack. Some firewall products include such entrapment mechanisms, presenting common or subtle security holes to attackers’ scanners to focus the intruder’s attention on the virtual system.

In addition to technical detection and response for protection, conventional investigative responses to identify and locate network or electronic attack intruders are required for deterrence (e.g., to respond with criminal prosecution or military reprisal). Insight into the general methodology for investigating ongoing unstructured attacks on networks is provided by a representative response that was performed in 1994 by the Air Force Computer Emergency Response Team (AFCERT) from the U.S. Information Warfare Center [47].

1. Auditing—Analyze audit records of attack activities and determine extent of compromise. The audit records of computer actions and telecommunication transmissions must be time-synchronized to follow the time sequence of data transactions from the target, through intermediate network systems, to the attacker. (Audit tracking is greatly aided by synchronization of all telecommunication and network logging to common national or international time standards.)
2. Content monitoring—Covertly monitor the content of ongoing intrusion actions to capture detailed keystrokes or packets sent by the attacker in these attacks.
3. Context monitoring—Remotely monitor Internet traffic along the connection path to determine probable telecommunication paths from source to target. This monitoring may require court-ordered “trap and trace” techniques applied to conventional telecommunication lines.
4. End-game search—Using evidence about likely physical or cyber location and characteristics of the attacker, other sources (HUMINT informants, OSINT, other standard investigative methods) are applied to search the reduced set of candidates to locate the attacker.

 

9.6 Survivable Information Structures

Beyond the capabilities to detect and respond to attacks is the overall desired property of information system survivability to provide the following characteristics:

• Fault tolerance—Ability to withstand attacks, gracefully degrade (rather than “crash”), and allocate resources to respond;

• Robust, adaptive response—Ability to detect the presence of a wide range of complex and subtle anomalous events (including events never before observed), to allocate critical tasks to surviving components, to isolate the failed nodes, and to develop appropriate responses in near real time;

• Distribution and variability—Distributed defenses with no singlepoint vulnerability, and with sufficient diversity in implementations to avoid common design vulnerabilities that allow single attack mechanisms to cascade to all components;

• Recovery and restoration—Ability to assess damage, plan recovery, and achieve full restoration of services and information.

Survivable systems are also defined by structure rather than properties (as above), characterizing such a system as one comprised of many individual survivable clusters that “self-extend,” transferring threat and service data to less capable nodes to improve overall health of the system

The U.S. Defense Advanced Research Projects Agency (DARPA) survivability program applies a “public health system” model that applies (1) distributed immune system detection, (2) active probing to diagnose an attack and report to the general network population, (3) reassignment of critical tasks to trusted components, (4) quarantine processes to segregate untrusted components, and (5) immunization of the general network population [52]. The DARPA program is developing the technology to provide automated survivability tools for large-scale systems.

9.7 Defense Tools and Services

System and network administrators require a variety of tools to perform security assessments (evaluation of the security of a system against a policy or standard) and audits (tracing the sequence of actions related to a specific security-relevant event)

9.9 Security Analysis and Simulation for Defensive Operations

Security analysis and simulation processes must be applied to determine the degree of risk to the system, to identify design, configuration, or other faults and vulnerabilities, and to verify compliance with the requirements of the security policy and model. Depending on the system and its application, the analysis can range from an informal evaluation to a comprehensive and exhaustive analysis.

The result of the threat and vulnerability assessment is a threat matrix that categorizes threats (by attack category) and vulnerabilities (by functions). The matrix provides a relative ranking of the likelihood of threats and the potential adverse impact of attacks to each area of vulnerability. These data form the basis for the risk assessment.

The risk management process begins by assessing the risks to the system that are posed by the risk matrix. Risks are quantified in terms of likelihood of occurrence and degree of adverse impact if they occur. On the basis of this ranking of risks, a risk management approach that meets the security requirement of the system is developed. This process may require modeling to determine the effects of various threats, measured in terms of IW MOP or MOEs, and the statistical probability of successful access to influence the system.

Security performance is quantified in terms of risk, including four components: (1) percent of attacks detected; (2) percent detected and contained; (3) percent detected, contained, and recovered; and (4) percent of residual risk.

This phase introduces three risk management alternatives.

• Accept risk—If the threat is unlikely and the adverse impact is marginal, the risk may be accepted and no further security requirements imposed.
• Mitigate (or manage) risk—If the risk is moderate, measures may be taken to minimize the likelihood of occurrence or the adverse impact, or both. These measures may include a combination of OPSEC, TCSEC, INFOSEC, or internal design requirements, but the combined effect must be analyzed to achieve the desired reduction in risk to meet the top-level system requirements.
• Avoid risk—For the most severe risks, characterized by high attack likelihood or severe adverse impact, or both, a risk avoidance approach may be chosen. Here, the highest level of mitigation processes are applied (high level of security measures) to achieve a sufficiently low probability that the risk will occur in operation of the system.

When the threats and vulnerabilities are understood, the risks are quantified and measures are applied to control the balance of risk to utility to meet top-level security requirements, and overall system risk is managed.

10
The Technologies of Information Warfare

The current state of the art in information operations is based on core technologies whose performance is rapidly changing, even as information technologies (sensing, processing, storage, and communication) rapidly advance. As new technologies enable more advanced offenses and defense, emerging technologies farther on the horizon will introduce radically new implications for information warfare.

10.1 A Technology Assessment

Information warfare–related technologies are categorized both by their information operations role and by three distinct levels of technology maturity.

• Core technologies are the current state-of-the-art, essential technologies necessary to sustain the present level of information operations.
• Enabling technologies form the technology base for the next generation of information warfare capabilities; more than incremental improvements, they will enable the next quantum enhancement in operations.

• Emerging technologies on the far horizon have conceptual applications when feasibility is demonstrated; they offer a significant departure from current core technologies and hold the promise of radical improvements in capability, and changes in the approach to information operations.

Developers, strategists, and decision makers who create and conduct information operations must remain abreast of a wide range of technologies to conceive the possibilities, predict performance impacts, and strategically manage development to retain leadership in this technology-paced form of warfare.

U.S. panels commissioned by the federal government and independent organizations have considered global environment as well as information technology impacts in studies of the intelligence organizational aspects of information-based warfare.

• Preparing for the 21st Century: An Appraisal of U.S. Intelligence—An appraisal commissioned by the U.S. White House and Congress.
• IC21—The Intelligence Community in the 21st Century—A “bottom-up” review of intelligence and future organization options by the U.S. Congress.
• Making Intelligence Smarter: The Future of U.S. Intelligence—Report of an independent task force sponsored by the Council on Foreign Relations, February 1996.

 

10.2 Information Dominance Technologies

Three general areas characterize the information dominance technologies: collection of data, processing of the data to produce knowledge, and dissemination of the knowledge to humans.

• Collection—The first area includes the technical methods of sensing physical phenomena and the platforms that carry the sensors to carry out their mission. Both direct and remote sensing categories of sensors are included, along with the means of relaying the sensed data to users.

• Processing—The degree and complexity of automation in information systems will continue to benefit from increases in processing power (measured in operations per second), information storage capacity (in bits), and dissemination volumes (bandwidth). Processing “extensibility” technologies will allow heterogeneous nets and homogeneous clusters of hardware along with operating systems to be scaled upwards to ever-increasing levels of power. These paramount technology drivers are, of course, essential. Subtler, however, are the intelligent system technologies that contribute to system autonomy, machine understanding, and comprehension of the information we handle. Software technologies that automate reasoning at ever more complex levels will enable humans to be elevated from data-control roles to informationsupervision roles and, ultimately, to knowledge-management roles over complex systems.

• Dissemination—Communication technologies that increase bandwidth and improve the effective use of bandwidth (e.g., data, information and knowledge compression) will enhance the ability to disseminate knowledge. (Enhancements are required in terms of capacity and latency.) Presentation technologies that enhance human understanding of information (“visualization” for the human visual sense, virtual reality for all senses) by delivering knowledge to human minds will enhance the effectiveness of the humans in the dominance loop.

10.2.1 Collection Technologies

Collection technologies include advanced platforms and sensing means to acquire a greater breadth and depth of data. The collection technologies address all three domains of the information warfare model: physical, information, and perceptual variables.

10.2.2 Processing Technologies

Processing technologies address the increased volume of data collected, the increased complexity of information being processed, and the fundamental need for automated reasoning to transform data to reliable knowledge.

Integrated and Intelligent Inductive (Learning) and Deductive Decision Aids

Reasoning aids for humans applying increasingly complex reasoning (integrating symbolic and neural or genetic algorithms) will enhance the effectiveness of humans. These tools will allow individuals to reason and to make decisions on the basis of projected complex outcomes across many disciplines (e.g., social, political, military, and environmental impacts). Advances in semiotic science will contribute to practical representations of knowledge and reasoning processes for learning, deductive reasoning, and self-organization.

Computing Networks (Distributed Operating Systems) With Mediated Heterogeneous Databases

Open system computing, enabled by common object brokering protocols, will perform network computing with autonomous adaptation to allocate resources to meet user demands. Mediation agents will allow distributed heterogeneous databases across networks to provide virtual object-level database functions across multiple types of media.

Precision Geospatial Information Systems

Broad area (areas over 100,000 km2) geospatial information systems with continuous update capability will link precision (~1m) maps, terrain, features, and other spatially linked technical data for analysis and prediction.

Autonomous Information Search Agents

Goal-seeking agent software, with mobile capabilities to move across networks, will perform information search functions for human users. These agents will predict users’ probable needs (e.g., a military commander’s information needs) and will prepare knowledge sets in expectation of user queries.

Multimedia Databases (Text, Audio, Imagery, Video) Index and Retrieval

Information indexing discovery and retrieval (IIDR) functions will expand from text-based to true multimedia capabilities as object linking and portable ontology techniques integrate heterogeneous databases and data descriptions. IIRD functions will permit searches and analysis by high-level conceptual queries.

Digital Organisms

Advanced information agents, capable of adaptation, travel, and reproduction will perform a wide range of intelligent support functions for human users, including search, retrieval, analysis, knowledge creation, and conjecture.

Hypermedia Object Information Bases

Object-oriented databases with hyperlinks across all-media sources will permit rapid manipulation of large collections of media across networks.

10.2.3 Dissemination and Presentation Technologies

Dissemination technologies increase the speed with which created knowledge can be delivered, while expanding the breadth of delivery to all appropriate users. Presentation technologies address the critical problems of communicating high-dimensionality knowledge to human users efficiently and effectively, even while the human is under duress.

10.3 Offensive Technologies

Current offensive technologies (Table 10.4) are essentially manual weapons requiring human planning, targeting, control, and delivery. Enabling technologies will improve the understanding of weapon effects on large-scale networks, enabling the introduction of semiautomated controls to conduct structured attacks on networks. Integrated tools (as discussed in Chapter 7) will simulate, plan, and conduct these semiautomated attacks. Emerging technologies will expand the scope and complexity of attacks to provide large-scale network control with synchronized perception management of large populations.

Computational Sociology (Cyber PSYOPS)

Complex models of the behavior of populations and the influencing factors (e.g., perceptions of economy, environment, security) will permit effective simulation of societal behavior as a function of group perception. This capability will permit precise analysis of the influence of perception management plans and the generation of complex multiple-message PSYOPS campaigns. These tools could support the concepts of “neocortal warfare” in which national objectives are achieved without force [29,30].

10.4 Defensive Technologies

Core defensive technologies (Table 10.5) now being deployed by both the military and commercial domains provide layers of security to bridge the gap between the two approaches.

• First generation (and expensive) military “trusted” computers based on formal analysis/testing, and dedicated secure nets with strong cryptography;
• Commercial information technologies (computers, UNIX or Windows NT operating systems, and networks) with augmenting components (e.g., firewalls, software wrappers, smart card authentication) to manage risk and achieve a specified degree of security for operation over the nonsecure GII.

Enabling technologies will provide affordable security to complex heterogeneous networks with open system augmentations that provide layers of protection for secure “enclaves” and the networks over which they communicate.