Toward a Functional Model of Information Warfare
A Major Intelligence Challenge
Toward a Functional Model of Information Warfare
Information Warfare (IW) is one of the hottest topics in current discussions of battlefield and geopolitical conflict. It has been addressed in writings, conferences, doctrine and plans, and military reorganizations, and it has been proposed as a fundamental element of 21st-century conflict. In a way, the IW situation is reminiscent of the concept of logistics as a military discipline, circa 1940:
- Elements of the concept had been known and used for millennia.
- The value of integrating those elements into a coherent discipline was just beginning to be recognized.
- The discipline was to become a central element of modern warfare--it is now said that "amateur generals [that is, Saddam Hussein] talk strategy, professional generals talk logistics."
This comparison has another point of similarity: the interest in IW far outstrips the users' understanding of the concept. Early in World War II, a senior US Army general said, "I don't know what this 'logistics' is, but I want some." Today, many people worldwide are saying the same about IW.
Searching for a Definition
This lack of a consistent and specific definition of IW is apparent throughout the literature. Col. Owen Jensen, USAF, discussing the evolution and use of the IW concept, says, "Although the Tofflers [Alvin and Heidi] have expounded on the origins of this type of warfare, no guru has yet established its principles."(1) VAdm A. Cebrowski, director of C4 for the US Joint Staff, has said, "The services and various Pentagon agencies that must prepare for IW do not yet agree on what the concept encompasses."(2) Almost every writing on IW makes a similar comment. Certainly, many definitions have been put forth; at the top level they sound much alike. But the simple fact that almost every writer on IW feels compelled to define it tells us that a clear concept has not yet crystallized.
Military writers discuss IW in terms of "information dominance" over an enemy, which is described as maintaining and applying a superior understanding of the battlefield situation.(3)
Strategic writers discuss IW as the next "paradigm" of modern warfare, and they quote military thinkers from Sun Tzu to Clausewitz and examples from Xenophon's "March of the 10,000" to the Gulf war. The concept of information dominance is again raised, in a related but different sense, as a means to identify the enemy's "centers of gravity" against which force can be most productively applied, while preventing an enemy from knowing one's own critical points.(4)
Finally, there have been many discussions of IW attack and defense as related to telecommunications and computer networks, often but not always at the national level. The focus of these discussions is the vulnerability of such networks to penetration, exploitation, and degradation; the magnification of these actions owing to a modern country's dependence on such networks; and the potential application of these actions in warfare, crises, international competition, and criminal activities.
These different points of view incorporate common elements, but a rigorous definition of the concept of IW has not yet evolved. Before we can identify and assess capabilities for IW and related activities, we need a definition, or a model, that is sufficiently concrete and specific to serve as a working aid.
A Starting Point
One can begin to derive a definition by asking why one should even bother with the concept of IW--is there any difference between IW and previous concepts of information attack? One might conclude, after a cursory review of some of the literature on the topic, that the concept of IW is in fact a rehash of existing concepts and techniques and that it adds little or no value. That conclusion, although understandable, would be incomplete.
Traditional forms of information attack, such as radar countermeasures, C3 countermeasures, computer intrusion, and psychological operations, typically:
- Consist of techniques, or measures and countermeasures.
- Have limited and local goals, and limited scope and orchestration (that is, being restricted to a specific combat operation).
- Perform a supporting role in combat activities.
These forms of attack tend to be used at the tactical level, and they require knowledge of the target's technical characteristics and operational procedures. In noncombat activities, these forms of attack typically are independent and isolated.
In contrast, IW truly is a form of comprehensive warfare, not merely a set of techniques. IW is differentiated from individual measures in that IW (like any other form of warfare) is governed by a strategy, which is focused on an objective. The strategy is a comprehensive plan for the use of IW-related weapons and tactics to attain the desired objective. The weapons and tactics may be any combination of military and nonmilitary techniques; the objective may be military, political, economic, or some combination thereof.
A unified IW campaign thus can be conducted alongside multiple concurrent or consecutive combat operations, can extend beyond the immediate battlefield, and can cross the boundaries between peacetime, crisis, and combat. The term "information" in IW suggests that the objective of such a campaign involves generation of effects on the adversary's information that will prevent or prompt certain actions, thereby creating an advantage for the attacker. (The objective of defensive IW involves prevention or counteraction of those effects.)
IW's Ultimate Target
Such an objective implies that the true target of an IW campaign is not the specific systems that are actually attacked, but rather the adversary's decision process. Thus, IW attack planning has to be based not only on the characteristics of those systems, but also on the desired higher order effects. This consequence can be illustrated by a simple example, a jamming attack on a sensor. As an individual electronic warfare (EW) operation, the attack is based largely on the sensor's technical and operational characteristics. As an element of an IW campaign, the planning and conduct of the attack has to be based on the way in which that sensor contributes to the adversary's situation picture and the information that the sensor provides on the attacker's forces and operations. An even higher level that has to be considered in the attack planning and implementation is the effect on the adversary's decisions of blocking, degrading, falsifying, or inserting the sensor information. The same requirement holds for attacks on communications systems, networks, links, and processing centers.
The overall concept of IW can thus be considered as having three parts: a set of IW elements (techniques and capabilities), a comprehensive strategy that applies and orchestrates them, and a target and objective. Only the elements are common to both IW and the earlier concepts of information attack.
A useful definition or model of IW therefore has to:
- Describe the ultimate target and objective.
- Identify and list the applicable elements of IW.
- Show how the elements can be combined in the strategy to attack the target.
Inasmuch as the target and objectives are the basis for designing an IW strategy, I will start with a "target model." Then I will describe the elements involved in IW. Finally, I will present a templating approach to organize the elements and their interrelations, so as to support analyses of IW strategy.
A Target Model
A generic model of the target of an IW operation is based on the abovementioned difference between IW and individual information attacks. Consider the previous example--a sensor is attacked in order to affect its contribution to the adversary's knowledge, thereby affecting the adversary's decision process. Thus, a three-layered target model is defined as:
- The information systems layer--the physical elements that generate, transfer, or store information. Attacks against information systems create technical effects.
- The information-management layer--the processes for handling and dissemination of information. At this layer, attacks create functional effects.
- The decision-process layer--the intellectual processes for interpreting and using information. At this layer, attacks create operational effects.
Effects at one level generate consequent effects at the higher levels. For example, a communications jamming attack on an information system creates blockage or corruption of the signal at a receiver (technical effect), which in turn reduces the information available from this channel (functional effect). One type of consequent operational effect would be decision delay.
One has to recognize, however, that this propagation of effects is not the only way to attack the decision layer, because attacks can be performed against any level. Although an attack ultimately comes down to a physical operation involving a physical information system, that system may be only a vehicle, not the target, of the attack. Thus, the attack may have little or no direct technical effect. In fact, an attack may have no functional effect either--it may create directly an operational effect on the decisionmaker. An example is a propaganda campaign wherein the information system being used is the local newspaper, the target is the decisionmaker, and the technical and functional effects are nil. Thus, attacks may have different immediate targets and effects, and not all effects propagate up from the basic information-system layer.
Some examples of different attack processes, and how they can be mapped against the model, are illustrated in Table 1 on the next page.
The point to remember is that the operational effects are the ultimate objective. Any attack has to create or contribute to the desired operational effect(s), either by itself or in combination with other attacks. Note that the propagation of effects may be complex and that not all IW attacks will create every type of effect. A given technical effect may generate widely different operational effects, depending on what is attacked and under what circumstances. Also, operational effects may depend on combinations of technical and functional effects. IW strategy has to account for these factors.
This model provides a framework for mapping and analyzing IW strategies and attacks. With the model, doctrine and capabilities for IW can be correlated. Intentions, doctrine, and plans usually start with the operational effects, whereas capabilities are usually described at the technical level. The layered model allows one to link the two and to find applicable capabilities that may be only indirectly related to IW. Directly related capabilities are usually apparent at the technical level. By looking at the functional level, additional capabilities that will have IW effects can be identified.
The Three Target Layers
Information systems layer. IW attacks, regardless of their ultimate objective, have to start with an information system, often but not always an electronic system. In many but not all cases, that system is the initial target of the attack, and technical effects are intended--receiver overload, data corruption, computer shutdown, data erasure, physical destruction, and so forth. This point is well recognized in the literature, and detailed discussions of IW capabilities often concentrate almost exclusively on the technical attack methods and targets. What is not always recognized is the need for those effects to propagate through the target and create the desired operational effects, and those only. It is quite possible to conduct a technical attack that degrades or negates other elements of an IW operation.
Use of the Target Model To Analyze Attack Processes
The initial effect, corresponding to the target layer, is highlighted.
Type of Attack Target Layer Technical Effect Functional Effect Operational Effect
Communications Information Signal blockage Information loss Delayed or wrong
jamming system decision
Communications Information None--link continues Information misrouting, self- Delay, confusion
intrusion--short management to exist generated overload (diagnostic,
control message* correction, repeat messages)
Communications Decision process None--link continues Negligible--short message does Delay, confusion,
intrusion--short continues to exist not affect routing/ wrong decision
information message handling/storage
Computer virus Information System paralysis Loss of data, loss of function Delayed or wrong decision
system at node
Network worm Information None--network Delay or overload amounting Delayed decisions;
management links continue to to loss of function deliberate shutdown of
exist and operate unaffected nodes
PSYOPS/propaganda Decision process None None Decision influence
Military operation as Decision process None None Perception
PSYOPS maneuver manipulation
* Many modern communications systems/protocols use machine control messages to establish links and route traffic.
The control network may be separate from the information-carrying network. Examples are Signaling System 7 and
computer-controlled adaptive HF systems.
Information management layer. Information management means information transfer, dissemination, storage, fusion, and conversion. These functions are performed by information systems, and they represent a logical layer overlaid on the physical information-systems layer. Examples of functional effects are a change in information transfer capacity, performance delays, and misrouting of traffic.
Information management is becoming increasingly important and vulnerable, because modern information systems are barely keeping pace with evolving formation-generation capabilities and information technologies. For example, data overload has come to be a serious problem in US military sensor and C3 nets. The US Navy encountered this problem in the Gulf war. Aegis systems and E-2/E-3 surveillance aircraft provided so much data that the flagship command center displays were overloading and locking up. As a result, it was necessary to reduce the original surveillance area (Red Sea-Iran-Turkey) to a region covering only southern Iraq, the Persian Gulf, and part of Iran.(5) An enemy who takes note of this problem could develop measures to increase overload and exploit the lack of reserve capacity in US military information-management systems.
Civil systems are also becoming more vulnerable to this problem. The Internet "worm" of 1988 was an example of an overload attack. The worm was intrinsically harmless to the information systems--it did not destroy files or operating systems. Rather, it occupied the memory and resources of computers and virtually monopolized the network links among computers. The result was that many systems nationwide came to a grinding halt, and countless hours of effort were expended in diagnosis and recovery measures.(6)
Another increasingly serious military problem is information incompatibility. This problem represents another network vulnerability. It is caused by evolving requirements for joint operations, coupled with a huge increase in the number of communications and data systems that have stringent compatibility requirements. Traditional VHF voice radios working on standard channels could be used by anybody; Link 11 can be used only if the recipient has compatible equipment. Many articles have discussed this problem, often in connection with Desert Storm and the joint operations in the Mediterranean and Adriatic. As just one example, an attempt to pass imagery between the US Air Force and the Navy revealed 12 incompatible systems. The Navy ultimately solved compatibility problems in Desert Storm by providing equipment to selected other units. Other compatibility problems were solved by developing conversion systems and deploying them on selected platforms.(7)
An enemy could exploit this problem by identifying and targeting the critical nodes where data conversion is performed, or by taking advantage of the confusion via deception, confusion, or intrusion attacks. If information managers are accustomed to seeing unreadable data, they might not recognize the fact that some data have been garbled or corrupted, attributing the problems to the known inadequacies of their system. Thus, the IW planner has to understand an adversary's information-management processes and problems.
Decision process layer. The ultimate target of IW is the way in which information is used--that is, the decision process. The desired effects of IW attacks may be indirect--not just blinding or confusing the enemy, but shaping his perceptions, decisions, opinions, or behavior. The IW planner's understanding of the target has to extend to this layer, and knowledge of the adversary has to include his decision criteria, decision processes and time scales, and vulnerabilities. Many or most of the successful commanders and leaders throughout history had an intuitive understanding of their adversaries at this level; they often applied it in "IW-like" tactics, maneuvers, and psychological operations that confused, delayed, manipulated, or paralyzed the enemy.
The Elements of IW
The elements of IW extend beyond the techniques and capabilities for traditional forms of information attack. Taking a literal view of the term "warfare," the elements needed to perform IW are:
- Primary: Attack and defense capabilities and techniques.
- Supporting: Intelligence collection for targeting information--locations (which, for IW, may be physical or logical), strengths and vulnerabilities, and defenses.
- Supporting: Intelligence collection for battle damage assessment (BDA). Note that this concept is separate from the idea of conventional BDA information as a target of IW.
- Supporting: Intelligence collection for attack indications and warning (I&W).
The attack/defense capabilities and techniques are the primary functions of IW. As mentioned above, these capabilities currently exist under different guises--EW, computer intrusion and viruses, psychological operations, concealment and deception, firewalls and antivirus programs, encryption and spread-spectrum COMSEC techniques, and so forth.
Like traditional warfare, IW requires support from external sources. One is target intelligence collection, incorporating both prewar preparation ("strategic reconnaissance") and operational targeting during IW activity ("tactical reconnaissance"). At the simplest level, this concept is obvious. An attacker needs to know the RFs of target communications links; the locations of sensors, communications nodes, and decision nodes; addresses, access protocols, and passwords for computer systems and networks; and so forth. The IW target model shows, however, that an attacker also has to know or discover how a candidate target system contributes to the adversary's situation picture and what information it provides on the attacker's forces and operations. Similar requirements exist at the decision-process level, relating to the decision criteria used by the adversary and to the effect on those decisions of blocking, degrading, falsifying, or inserting certain information.
IW therefore has to be supported by sensors for electronic intercept and monitoring, tools and access points for computer network probing and analysis, and reconnaissance to detect and locate C3 nodes. Again, these are pre-existing types of capabilities that may be applied in an IW strategy.
IW is like any other form of warfare in another respect--it has to be supported by a damage assessment function to be effective. The ability to measure IW effectiveness, however, is complicated. For example, even the effect of a direct attack on a communications node can be difficult to assess unless the attacker can tap a node or link elsewhere, or can exploit other elements of the communications net to assess the success of the attack (such as by monitoring requests for retransmission or traffic volume on return links). In this example, the attacker would be observing functional effects to diagnose technical effects. Higher level effects are even harder to assess, and some may be impossible to diagnose until the conflict is over and the adversary's records or memoirs can be examined.
Nevertheless, an IW strategy has to provide for intelligence collection and damage assessment, using typically the same elements that provide targeting data.
An IW capability also has to be supported by defensive intelligence elements, equivalent to I&W capabilities in traditional warfare. To use most defensive IW measures successfully, one has to detect, localize, and diagnose attacks on one's own information systems. The elements involved typically are detection/diagnostic tools embedded in or applied to one's potential target systems. Often, a detector may be merely a trained operator or analyst who can tell when jamming is occurring or when the pattern of incoming data is inconsistent or otherwise suspect. Technical measures include network analyzers, activity monitors, and signal analyzers. (One might also envision artificial-intelligence pattern recognition systems for data analysis and similar concepts.)
Two other key elements, which are related, cross over all these categories. These elements are expertise and understanding. Technical expertise and operational skills in the use of IW systems are necessary but not sufficient. An understanding of the target, whether a technical system, a network structure, an operational procedure, or a decisionmaker, and an understanding of how the target layers interact for the specific adversary and scenario of interest are necessary for the development of an effective IW strategy.
The orchestration of multiple IW elements is, again, one of the defining characteristics of IW. A combination of attacks is assembled and applied toward a specific objective. Military operations may involve IW campaigns designed to limit and control the enemy's knowledge of the situation and, ultimately, his ability to operate effectively. Nonmilitary IW also often involves orchestrated campaigns of multiple attacks--a political IW effort can involve PSYOPS, data denial, data insertion, cover and deception, and attacks on communications and computer systems. (A multipronged approach does not always apply, especially in technical attacks on computers and networks. In fact, these cases can be almost exactly opposite--a single attack generates multiple effects on multiple targets.)
To identify how the various IW elements can be combined and orchestrated, one can fall back on the target model. After dividing the target into layers, each layer can be broken down into its components. The next step is to list the attack actions that are possible against each component. Knowing the actions and the target characteristics, the capabilities needed to perform each attack against each component can be identified.
By combining the target model and the list of elements that resulted from consideration of IW as warfare, one arrives at a detailed list of required or relevant capabilities that can be used to guide data searches and analyses. This process justifies each item on the list as being relevant to IW. Furthermore, the process automatically develops the position and role of each capability in the IW concept. Finally, the organization shows how the capabilities, attack techniques, and target elements interrelate, and it allows us to develop integrated and accurate descriptions of IW capabilities.
Template of target Elements and Attack/Supporting Actions
Targets Elements Attack/Support Actions
Intelligence Information Nodes Links
Physical Operation Data Control Offensive Support
Location Users Video Link Data sources Comms Block Obtain Intelligence
Parameters Data flow Text Common Relays Data Corrupt information Relay intelligence
Function Msg timing Voice Fusion points Computer Saturate node Control attack
Architecture Image Processing Delay Information Use intelligence
Network Digital Data Storage Insert Information Use information
Data Conversion Relay Information And so forth
Interpretation/ And so forth
Table 2 shows a top-level view of this breakdown or template. In the table, connections between logical and physical target elements are not shown, and relations between attack/supporting actions and target elements are shown in words rather than as connections (for example, "relay information" and "relay intelligence" actually refer to one type of action applied to two target elements). A complete template can be developed that divides this structure into a set of tables and diagrams that show the relations explicitly.
The table does not show the lowest levels of detail. Other items can be added at the lowest (bulleted) level shown, and that is not the final level. It actually is another row in the hierarchy that can be subdivided into different types. The nodes and links clearly can be broken out further, and attack actions in particular are to be subdivided. For example, the "block information" action actually includes actions such as destroy source, destroy node, saturate node, and jam link, which can be further broken down to specific types of nodes and links and to specific types of information. The table also does not show defensive actions and their relations to the attack actions. A fully detailed template has a separate entry for each type of action and each type of target element.
In the table, the term "intelligence" refers to information describing elements of the target system. This information may be developed by the IW support activity, as by SIGINT measurements or network probes, or it may actually reside within the target system, alongside the user information. The latter case is exemplified by an Internet host that maintains a database of other hosts and users. It is this information that an IW attacker needs to develop or retrieve in order to focus the attack or assess the damage.
Note that there are two forms of such intelligence, physical and operational. Physical intelligence provides target parameters and structural or architectural information on target networks. Operational information identifies users, data flow patterns, system status, and so forth. Both targeting and damage assessment need both types of intelligence.
The "information" category refers to the contents of the adversary's information systems, and it is divided into data (the actual information that the adversary eventually interprets) and control information that supports network operations. Sophisticated attacks on control information can be a serious threat to modern computer and communications nets. The "data" category is broken down by type, because the type of data usually defines the technical capabilities required for an attack. A complete template, however, also organizes data by the type of knowledge it represents (sensor data, situation data, own-force data) because this is what determines the functional and operational effects of attacking the data.
The attack actions include offensive measures and supporting measures, as shown in the table. The attack measures are not limited to blockage or degradation of information. One may insert false information into the adversary's information systems. One may also use (or misuse) information obtained from the adversary, as indicated by the entry "relay information." Passing on or publishing information that an adversary wants to conceal is a classic IW measure. The supporting measures may involve the target or may be self-contained within the IW system, such as return of collected information or command and control for the IW operation. The function "use information" refers to exploitation of collected information, and it is as important a function as denying information to the adversary. (There has always been the often painful tradeoff between jamming and listening.)
It should be noted that this template is an overall guide, not a rigid description. Not all IW systems or IW attacks will incorporate all elements of the template. What the template provides is a framework to guide the search and interpretation of relevant capabilities, and the evaluation of the completeness and sophistication of a country's IW capability or concept. For capabilities analyses, the template shows what capabilities to look for, what indirect capabilities might exist, and what supporting capabilities must be identified before a primary capability can be assessed as effective. For doctrine analysis, the template's presentation of relations and supporting elements is compared against the country's understanding of IW to evaluate the completeness and sophistication of their doctrine.
(1) Col. O. Jensen, "Information Warfare--Principles of Third-Wave War", Air Power Journal, winter 1994.
(2) Defense News, 12-18 June 1995.
(3) USAF position, quoted in Aviation Week & Space Technology, 10 October 1994.
(4) J. Arquilla, "The Strategic Implications of Information Dominance", Strategic Review, summer 1994.
(5) US Naval Institute Proceedings, May 1993.
(6) W. Schwartau, Hackers, Sniffers, Worms, and Demons, book extract via the Internet.
(7) US Naval Institute Proceedings, August 1992 and May 1993.