Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict

“You’ve got to read what this kid is writing out of his basement at the University of Vermont…”  – recently retired CIA officer to intelligence and military colleagues in 1994

That kid was me.

In 1992 I became obsessed with an idea that I just couldn’t shake. I was starting my senior year of college with a dual focus on political science/national security and computer science, and I envisioned a mash-up between the two. I started thinking and writing about it every chance I got. That idea culminated in a graduate thesis on information warfare that was published in May 1995, exactly 25 years ago. The thesis attracted international attention and solidly established my career in the emerging cyber field. In one year, I went from relative obscurity writing in a basement to hacking aircraft carriers for the U.S. military and playing a role in emerging and important policy and doctrine development.

Reflecting on that thesis now, it is surprising to see how prescient it was and the depth and breadth of concepts and solutions that it was able to identify, predict, and address a quarter of a century ago. In other words, it has aged incredibly well and the ideas became our emergent reality with some trickling into existence and others entering with a bang.

I’d welcome you to read the entire thesis and share your own thoughts, but here are what I see as some of the most interesting elements 25 years later.  Sections in bold or quotes are directly extracted from the original thesis.

Defining the Threat

Unbeknownst to me, the first paper I wrote on information warfare in 1992 coincided with a DoD Directive on the topic that had been classified at the Top Secret level. When I first proposed the topic as a graduate thesis topic a year later, the department denied my request only to acknowledge their error a few months later. There were several folks raising this issue in the public domain (for example, Winn Schwartau), but there was still an argument to be made that this was a valid national security threat.

“Conceptions of national security can and do change. A series of new threats to American national security have developed with our transition into the Information Age. New technological developments and an increased reliance on computer-based technology will cause a shift in conceptions of national security for all advanced post-industrial societies. Nations face the danger of having their information infrastructures destroyed, altered, or incapacitated by new offensive technologies.”

The introduction serves as the culmination of my central idea. National security was going to be drastically impacted with our shift to the Information Age. I also stumbled into the CIA framework (confidentiality, integrity, availability) in a round-about way. Over the past 25 years, this opus idea has been realized in the grandest of fashions.

The Knowledge-Based Economy

“Whereas industrial societies were concerned with protecting physical capital and providing safe routes for the transport of resources, information societies must be concerned with protecting information and the transfer of information. Where the destruction of bridges was a threat to the national security of an industrial society, the destruction of information networks, especially those involved with financial transactions, is a threat to the national security of information societies.”

While I didn’t invent the concept of the knowledge-based economy, I did put a specifically cybersecurity-focused spin on the topic by arguing that cyber risks must be addressed to realize the benefits of the knowledge economy.

Defining three sets of potential information targets

In the thesis I distilled targets into three easily digestible categories: personal information, business information, and military information. While I had thoughts on how all three would be targeted, I was especially concerned with the potential impact on military intelligence.

“A potential attack on military information, especially that which is classified, poses a national security threat from a strategic standpoint. From a command and control perspective, denying communications capability or altering and destroying intelligence can have profound effects on the capabilities of modern militaries.”

I also dragged Sun Tzu into the cyber domain, perhaps for the first time ever.

“Whereas Sun Tzu regarded the skillful command of troops as having the potential “of round boulders which roll down from mountain heights,” in today’s military it would be round boulders capable of rolling by themselves, both on flat ground and up steep grades. Soldiers in battle are less reliant on a hierarchical command structure and are capable of making more autonomous decisions based on an increased ability to receive and analyze real-time information regarding the condition of the battlefield. In this situation, the emphasis is not on the function of command, but on maintaining the supply and value of the information.”

And I also focused on the military’s reliance on civilian infrastructure and the Defense Industrial Base.

“With military command and control placed in this context, threats to national security are present not only when military communications are targeted, but also when civilian support to operations is targeted.”

This what-if scenario around the theft of military innovation intellectual property was fully realized as well.

“What threat is posed to American national security if, during a war, the enemy were able to get information on troop movements or discover flaws in one of our weapons systems? Or if the Soviets, during the Cold War, had been able to access information on the Strategic Defense Initiative or stealth aircraft designs?”

In looking at the patterns of conflict, I stated that information warfare was inevitable.

“Historical patterns reveal that information warfare is undoubtedly warfare of the future.”

I expected critics to argue that information warfare and espionage were not new, and they were right, but this was going to be different as information was going to be more highly valued than ever before.

“Today’s Third Wave societies are no longer based entirely on industrial concepts and information has a higher strategic value now than it has had at any point in history. This means that information warfare poses a greater threat to national security in the Information Age than it did in the Industrial Age. In fact, for several reasons illustrated later, information warfare may become the preferred method of conflict among Third Wave nations.”

New warfare, new weapons.

I spent time looking at the range of weapons that might be used to disrupt information systems including HERF and EMP, but also system intrusion with multiple case studies.

“Interconnected communications and computer systems are also susceptible to intrusion. Commonly referred to as hacking, system intrusion creates a wide variety of security concerns. Hacked systems can be utilized for information gathering purposes, information alteration, and sabotage. Vulnerabilities exist in almost every externally networked computer in the United States.”

I gave a shout-out to the 1st Hackers on Planet Earth (HOPE) conference and called out that “hackers” had a positive connotation in reference to Levy’s book and I wanted to retain that context.

“Today, the term hacker is often used to indicate a computer criminal. This creates a difficult dilemma for those who wish to use the term with positive connotations.”

While Fred Cohen had coined the phrase “computer virus” a decade earlier, I was drawn to the destructive potential of viruses.

“Viruses, trojan horses and worms. Viruses, trojan horses and worms have huge destructive potential. Perhaps the greatest threat of the three is the computer virus, a program which has the ability to attach itself to legitimate files and then propagate, spreading much like an infectious disease from computer to computer as files are exchanged between them.”

And very early foreshadowing of ransomware and the impact of targeting medical environments.

“Imagine a virus that spreads to a bank computer and then randomly modifies numbers within a database, or simply causes the bank’s computers to shut down. The potential for damage is enormous, but it is mostly monetary damage. Now imagine that same virus attacks a hospital computer system. Human lives are at stake, making that virus a tool of murder no less dangerous than a loaded weapon.”

While the Morris worm caused accidental destruction, I was worried that bad actors could follow suit.

“If one college student could do so much damage by accident, what could a rogue nation or terrorist group do on purpose?”

In looking at Operation Datastream, I hypothesized that North Korea would be interested in cyber attacks to support its nuclear proliferation initiatives.

“North Korea might have been able to alter inspection reports and falsify data to cover up their nuclear proliferation efforts, or it might have utilized the information to find out which sites the United States was targeting for inspection.”

In the context of the Cuckoo’s Egg, I observed that Russia could decrease its use of human assets in favor of hiring hackers.

“Surely one must look at this case as a threat to U.S. national security, especially in the context of the Cold War. Gone are the days of searching for Ivans in elite factions of the U.S. military. Now any twenty-year-old German drug addict can accomplish the same thing from an apartment in West Germany. The vast computer networks give him the means, and the lax security of the United States computer systems allows him to gain access to them and compromise national interests.”

Absent any examples of cyber infrastructure attacks, I looked at the impact of the failures of infrastructures like communication and power as examples of what could happen.

“In an information-based or knowledge-based economy, denying access to information transfers causes economic instability. However, due to the infancy of the information-based economy and an increased hesitance to report instances where damage is incurred, there are very few examples in which individual actors have inflicted this sort of damage. Instead, this section will focus on examples of accidental failure that demonstrate vulnerabilities in the infrastructure of Information Age societies.”

I spent some time exploring a possible attack scenario where companies like Microsoft, auto manufacturers, airlines, and banks were targeted and brought it all to a rather foreboding observation.

“Ivan Bloch has stated that the “future of war [would be] not fighting, but famine, not the slaying of men but the bankruptcy of nations and the break-up of the whole social organization.”(72) The transition into the Information Age makes such a vision all the more plausible. Where national security is concerned, information networks have created a tunnel to the center of our vulnerability, usable by any nation or collective of individuals at their discretion.”

Given that I was going to have to defend this thesis in front of a panel of political science professors, I also spent some time examining how information warfare fit with the traditional context of liberalism and realism and how each strategy would look to address these issues. While I felt the case for information warfare being a national security issue was sound, I argued that the definition needed to be broadened to include elements of economic security.

“To fully realize the potential threat of information warfare, the definition of national security must be broadened. The economic arguments of scholars like Luttwak, Thurow and Prestowitz(78) must be included in our definition of national security. Is United States national security threatened if our ability to maintain a prosperous economic system declines? If so, how might other nations gain competitive advantages against U.S. industries and financial markets using information warfare techniques?”

“Information warfare endangers not only our ability to respond to physical threats, but our economic prosperity, as well. Traditionally, our ability to remain prosperous has been directly linked to physical threats. In the Information Age this is no longer true. Economic prosperity, indeed the very lifeblood of our economic identity, can be destroyed without any physical damage being inflicted.”

I also highlighted why information warfare would be attractive, including:

  • Low cost
  • Timely and Not Location Specific
  • Anonymity
  • Minimal Loss of Human Life
  • First Strike Advantage
  • Offensive Nature

And provided some early hints at “attacker advantage”:

“Information technology and computer systems, are vulnerable by nature. Therefore, taking defensive measures against the information warfare threat will always be difficult and costly.”

I also spent a great deal of time looking at deterrents to information warfare, including:

  • Economic Interdependence
  • Fear of Escalation
  • Lack of Technical Expertise

And also discussed the emergence of cyberterrorism at great length including the fact that we needed to increase attacker costs.

“This numerous and diverse array of potential threats, substantiates the proposition that information warfare is best averted by concentrating resources on defensive initiatives. Information terrorism can be decreased by making the costs exceed the benefits. This can only be done by reducing the potential for damage to our information infrastructure should the United States be attacked.”

With regards to how Realists would address information warfare, I proposed five unique areas.

  • Increase security of information systems at home
  • Constant evaluation of possible adversaries’ information systems for weaknesses
  • Formation of possible responses
  • Develop methods for assessing information damage
  • Decrease levels of interdependence
  • Create autonomous networks

I also argued that the Liberal approach to IW would be much simpler, consisting mostly of two broad approaches.

  • Increase levels of interdependence
  • Create global institutions and international agreements

The thesis also highlighted the emergence of more automated weapons platforms and the role they would play.

“In the Information Age, not only is the autonomy of soldiers increased as command is decentralized, but the weapons have become self-capable as well. Using vast information systems, we have created weapons that seek out their own destination. Where the infantry men of nineteenth century were capable of outdistancing artillery with the advent of the conoidal bullet, smart weapons allow the United States’ military to outdistance entire countries. The soldier trained to program coordinates and digital mapping software into Tomahawk missiles now becomes as effective as a jetfighter pilot, without placing American lives at risk. This is, no doubt, a comforting notion for those policy makers initiating hostilities.”

To conclude the thesis, I proposed my own set of initiatives that should be pursued to ensure national security in the Information Age.

Step One: Declassify the Threat

“Acknowledging the threat acts as a deterrent for several reasons. First, it increases the number of responses available to the United States because the issue has been addressed at a political level, and it demonstrates to the international community that this is an important issue. Our capabilities to deal with such an attack are increased because we are prepared for it. Second, it motivates the military and private industry to deal with this problem and create viable security solutions that minimize the vulnerability of the United States’ information infrastructure. Third, it gives the United States a political catalyst to deal with this issue on a global level and to enter into treaties and agreements to protect the global information infrastructure and to avert common worst case scenarios.”

Step Two: Increase Security

In this section I highlight the role of encryption, but also the role it can play in developing the technology industry.

“As technological advancements in information technology continue, security must be a vital component. Perhaps, easier said than done. The security of our information systems must be continually increased. Security experts and hackers agree that encryption will be the critical component used to secure computer systems and information transfers of the future.”

“In order for this to occur, the United States government will have to release its stranglehold on encryption technology and allow U.S. companies to export this technology without restriction. Not only does this increase security and stability, but it will also generate growth in the software industry and allow U.S. companies to maintain a comparative advantage in this area.”

Step Three: Increase Vendor Accountability

“In order to increase security and not just manifest an illusion of having done so, vendors must be held accountable for the “secure” products they distribute. Though it is impossible to eliminate all security holes and to find every bug, more must be done to ensure the reliability of systems and software before they are shipped. Also, vendors should be required to create patches and fixes for security holes as they are found and distribute them to all customers.”

Step Four: Facilitate Private/Public Sector Cooperation

Just a couple of years later, I would play a role in the writing of the PCCIP report and the emergence of the ISAC concept, but the need for cooperation was identified in the thesis as well.

“Not only does this increase the security of military systems, it also increases the security of the private sector upon which they are reliant for communications and open source intelligence gathering and storage. In this way, the United States can expand the umbrella of security over a larger part of its information sphere.”

Step Five: Conceptualize Our Information Sphere

As Sun Tzu and later the Oracle in the movie The Matrix acknowledged, “know thyself” was also identified as a critical path towards cyber defense and towards quantifying risk and attack impact.

“Once we have conceptualized our information sphere, we must develop methods to assess damage incurred within it. Upon suffering an information warfare attack, the United States must be able to evaluate and assess the damage that its information sphere has sustained. Not only is this essential for repair, but it also allows us to gauge our possible responses based on the extent of the damage we have suffered. We must be able to place realistic values on the information that our networks contain.”

Without any formal military or intelligence experience, I also identified the dichotomy between intelligence collection and target destruction.

“Similarly, for strategic purposes we must be able to measure the damage the United States inflicts on other nations should it utilize offensive information warfare capabilities. What is the strategic value of destroying an enemy’s communications network versus the strategic value of manipulating it for our own purposes?”

Step Six: Multi-Level Education

In this section I argued that policy makers must be educated so they can make informed policies, but that we must also address the human factors. And yes, I referred to it as Human Factors 25 years ago.

“At another level, those who run the systems or are in charge of security must be educated to understand and deal with the threats. The largest security hole in computer systems is the human factor.”

I also identified the need for agencies like CISA and U.S. CERT.

“There are fundamental security measures that can be taught to system users to ensure that the security of the system is not compromised and scenarios like the one above are not repeated. It might be necessary, as argued in other papers, to create a centralized agency in charge of coordinating education and providing support for system administrators in patching known security holes.”

Step Seven: Use Hackers as a National Resource

Perhaps the most controversial recommendation was the role that hackers can play in cyber defense. The original conception of hacker was a useful framework for me to self-identify with, but I’d also become friends with many well-known hackers and I saw them as the solution, not the problem. Fortunately, history shows that I was right. The hacker community serves as the foundation for our cyber security posture, innovation, and thought leadership to this day.

“Hackers can be used to secure the United States’ digital interests. Every effort should be made not to alienate them from the newly emerging digital infrastructure.”

You also see the emergence of concepts like bug bounties:

“The United States should utilize hackers, and give them recognition in exchange for the service they provide by finding security holes in computer systems.”

And responsible disclosure:

“The United States should not discontinue efforts to stop credit fraud and other computer activities that are unquestionably criminal. But, the United States should allow the hackers to conditionally roam the realm of cyberspace. These conditions would include the following: (1) If computer access is gained, the security hole should be immediately reported to the government or centralized agency and should not be given to anyone else, and (2) information files should not be examined, modified or stolen from the site.”

Lastly, it kicked off a 25-year initiative of personally mentoring young hackers, which still continues today.

“Most hackers are still young and have not formulated complete ideologies regarding right and wrong behavior. Bob Stratton, a former hacker who now works as a highly trusted security expert, argues that “These people (hackers) haven’t decided in some cases, to be good or evil yet and it is up to us to decide which way we want to point them.”(139) Mr. Stratton argues that we can mentor these individuals and thereby utilize their technological skills.”

Step Eight: Global Institutions and International Agreements

In my view, international norms and agreements were inevitable.

“Just as this issue has domestic political implications, it also has international political implications that need to be addressed. Once the United States acknowledges the potential threat of information warfare it must be prepared to deal with nations expressing similar concerns. Political deterrents like economic interdependence and fear of escalation must be backed by global institutions and international agreements that set standards and pacts for varying levels of information warfare.”

Conclusions

Despite focusing an entire thesis on the soft component of information warfare, I was keen to acknowledge the idea of a blended attack.

“In the most apocalyptic scenario, information warfare will be waged in conjunction with conventional warfare, to determine the hegemon of the Information Age.”

That acknowledged, the optimistic approach shows the Information Age providing tremendous societal value.

“In the Information Age, Third Wave nations have legitimate aspirations to create a global information system that adds value to their existing information infrastructures. Information technology is cooperative by nature and tremendous benefits can be derived from greater interconnectivity. Therefore, nations will seek out ways to integrate their networks with the international network. Once that integration takes place, each connected nation will have an interest in maintaining the stability and survivability of the overall network. Each nation has a vested interest in preventing global information warfare.”

I was also concerned about the window of opportunity for cyberterrorism, a topic I would narrowly focus on just a year later with colleagues Pollard and Houghton in our work “Information Terrorism: Can You Trust Your Toaster?”

“By increasing security and gathering intelligence regarding any plans that might be in consideration, we can ensure that the threat of terrorism is contained to isolated incidents from which the United States can recover. Unfortunately, the environment under which we currently operate can make no such promise, therefore it is essential that we address this issue now.”

And rounding out the threats, I considered the role of information warfare being used to influence political decisions overtly and covertly.

“Other likely scenarios include the use of information warfare for blackmail or for limited short-term gains. These scenarios present other difficult political dilemmas that must be addressed at a global level. Will nations allow information warfare threats to be used as blackmail? Will we allow limited information warfare in order to pursue strategic or comparative political and economic gains? Or is the fear of escalation an adequate deterrent to such ambitions? These questions must also be addressed.”

I also noted that cyberspace will shine sunlight on lots of societal issues.

“Cyberspace has empowered the average person to explore and question the structure of our society and those that benefit from the way it is operated. Fundamental issues arise from hacker explorations. We must decide how, as a nation, we wish to deal with these issues.”

And acknowledged that security must not come at the cost of individual liberty.

“As a society we have much to learn about ourselves through this new medium of communication. As a nation the United States must make sure that the structure it is building has a strong foundation and that weaknesses in that structure are not used to destroy it. It is a difficult task, because the constitutionally guaranteed rights of United States citizens must be upheld in the process.”

And also an early theme of what Jason Healey would later focus on as “Saving Cyberspace”.

“There is no need to stop the technology, but we must decide what direction we want the technology to take, and what rules will govern its use. We must do this now, before the technology starts dictating the rules to us, before it is too late to make changes in the basic structure of cyberspace without destroying the whole concept.”

The closing paragraph blends Al Gore, science fiction author Isaac Asimov, and futurist John Petersen. The divergent mash-up would be a hallmark of my future work.

“We certainly are, as Al Gore noted, in the midst of an Information Revolution. Methods of warfare will continue to evolve as the revolution progresses. Conceptions of national security will have to evolve as well. Information warfare and information security must be incorporated into the national security agenda of any nation that is making the transition into the Information Age. Isaac Asimov notes that “Waiting for a crisis to force us to act globally runs the risk of making us wait too long.”(143) We can not allow this to be the case where information technologies are concerned, because they are the foundation for that which we aspire to become. Similarly, John Petersen argues that a “philosophy comes bundled with every new technology; when one is embraced, the other is there as well.”(144) The United States has already embraced the technology of the Information Age, it must prepare itself to deal with the philosophy that comes with it. The United States must be prepared to deal with a philosophy that changes the distribution of power, changes political relationships, and challenges the essence of nation states. Only then can we rightfully justify a leading role in the Information Age.”

Thanks for reading and I’d welcome any comments or thoughts you might have on the impact of this thesis.  You can send those to me directly at mgd@ooda.com.

As to what I’m focusing on now, you can find that all right here at OODAloop.com

Matt Devost

Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see www.devost.net