Restricting Information Warfare:
The Current Literature on Arms Control and Information Warfare

September 2000

Geoffrey S. French1

As the tools and techniques of information warfare continue to develop, policy will also progress to take the new capabilities and applications into account. Although the general subject of information warfare is not thoroughly understood—in part because modern information technology is still new and changing rapidly—many theorists and policy makers believe that it will have a destabilizing effect on international relations. One reason for this is that the costs of developing information warfare capabilities are theoretically low, whereas the benefits may be quite high. More importantly, the effects of information warfare are unknown and the parameters for its use have not solidified. One possibility for reducing the uncertainty would be an international agreement not to develop certain tools or use information warfare to attack certain targets. Although the literature on the possibility of using arms control to restrict the development or use of information warfare tools and techniques is thin, the arguments for pursuing such an agreement merit attention. A small number of articles specifically discuss the applicability of arms control to information warfare. A second set (consisting of unpublished papers) focuses instead on the goals of arms control as it regards information warfare. Both of these sets are described below.


Arms control can have a stabilizing effect on international relations. The agreements forged in the Cold War demonstrate its usefulness in reducing dangers, opening dialogue, and establishing accepted norms for international behavior. Nations face different goals and challenges as they attempt to apply arms control to different types of weapons or warfare, such as conventional, nuclear, or biological. Arms control is not always applicable, however, and policy makers cannot consider it a cure-all. Proponents of using arms control to restrict information warfare must therefore make the case for its need and the likelihood of its success.

The current literature on arms control and information warfare is limited to only a handful of papers. The authors who discuss the applicability of arms control to information warfare explicitly are Lynn Davis (1999), Andrew Rathmell (1998), and Kevin J. Soo Hoo, Lawrence Greenberg, and David Elliott2 (1996). Because their papers address a very specific subject, their arguments tend to converge to a similar pattern. They each provide a definition of information warfare, present the reasons the technology or techniques of information warfare should be controlled, and describe the potential for arms control as a means of that control. Because of this similar structure, this section will present the manner in which each addressed those parts of the argument, as opposed to presenting each argument serially.

Definitions of Information Warfare

Each author begins by stating that the lack of rigorous definitions in the field of information warfare is the first impediment to any international understanding. In addition, the field is quite broad, and a number of different activities tend to be categorized under its name. For those reasons, each author is careful to attempt to pinpoint the specific aspect of information warfare that might be suitable to an international agreement. Rathmell is reasonably specific about the types of information warfare attacks that might be limited through arms control. He defines the lowest level of information warfare as attacks on “information flows and activities.”3 These attacks range from “command, control and communications networks of a modern ‘digitized’ armed force to the information infrastructures that form the backbone of modern economies, notably the telecommunications, electrical power, energy and transportation networks.” It is only the latter—the attacks on “critical civilian or dual-use infrastructures”—that Rathmell argues arms control could limit.

Soo Hoo, Greenberg, and Elliott adopt a very similar definition. An examination of the risks from information warfare indicates that the U.S. civil information-system-dependent infrastructures are particularly vulnerable. Any attempts to limit the actions of adversaries should then focus on strategic information warfare (SIW), which targets them. Their full definition of SIW follows.

SIW involves concerted actions by a state, or a state surrogate, to destroy, disable, or manipulate components of the essential information infrastructures of another state. This infrastructure includes major networked systems that depend upon data processing and transfer, digitally stored information, and electronic controls, as well as supporting sub-systems, such as telecommunications and electric power. By intention or as a collateral effect, SIW would damage important elements of the socioeconomic structure or the civil functions of the state, resulting in harm to civilians. Sectors targeted by SIW might include energy, communications, financial services, health care, transportation, government civil records, and emergency services.

Some of the means of conducting SIW include radio-frequency jamming; computer network penetration and hacking past security controls; spoofing of telecommunications; injection and activation of malicious computer software programs; incorporating trapdoors or bombs in imported system hardware or software; disabling of digital systems by electromagnetic pulse, signal denial, or override; disabling electric systems by filament dispersal; and selected physical attacks.

Davis, who spends a great deal of detail about the history and scope of arms control, gives much less attention to the definition of information warfare. In part, she points out, this is because the field is still in development. There is little certainty about which nations or groups will be able to develop or acquire methods and means for information warfare, or in what time frame. Treaties might focus, however, as narrowly as on a specific weapon or class of weapons, such as the electronic pulse system or computer viruses. They might also address types of attacks, such as those against domestic infrastructures.

Reasons to Restrict Information Warfare

Davis identifies a single reason for the United States to seek arms control to restrict information warfare. “The risk of not pursuing any arms control is that the abilities of potential adversaries to acquire information-warfare capabilities would not be constrained in any way. Over time, this could threaten the U.S. ability to maintain [military] superiority.” It may seem that this argument would have little sway; indeed, many in the U.S. government and military hold that information warfare attacks could grant the United States a large advantage. Few, however, would contest the assessment that the United States itself is very vulnerable to such attacks, and that information warfare is one of the few areas where potential adversaries may challenge the United States. Limiting the capabilities of others may be motivation enough for the United States to agree to self-imposed restrictions.

The reason that Davis gives can also be found in the other papers. Rathmell states that the “ability to undertake these types of attacks empowers small nations or groups that might not otherwise be able to challenge the United States or other powerful nations.” To that he adds two additional reasons why countries should be interested in limiting the possibility that information warfare attacks might occur. First, “the interdependence of various nations’ information infrastructures could result in the attack on one leading to unpredictable, far-reaching, detrimental consequences for others.” Second, “one detrimental consequence would be a breach in trust among governments and businesses in their information systems, leading to (among other possibilities) chaos or a dramatic loss in the privacy of citizens as surveillance and monitoring increased.”

Soo Hoo and colleagues also argue that SIW is “a particularly serious danger to the United States,” and one that it has yet to address adequately. The United States has three distinct methods of dealing with threats to its national security: deterrence, defense, and arms control. Although the authors do not discuss the other options in depth, they argue that they do not adequately eliminate the risk from SIW. Deterrence, for example, “will be unlikely to offer the same degree of protection as it does in other security contexts.”4 Similarly, the defensive measures that the U.S. government is able to take are limited. Much of the national information infrastructure is not owned or operated by the government, and “neither the privately owned major information systems, nor the information products industry is likely to respond effectively to national-level security concerns, because of the impacts that defensive measures would have on cost, loss of functionality, and other competitive considerations.” Arms control may not be the solution to the threat, but the shortcomings of the two other approaches means that forfeiting some offensive capabilities in order to restrict SIW through international agreements should be considered to at least some extent.

Potential for Arms Control

In their paper, Soo Hoo, Greenberg, and Elliott present arguments for and against the use of arms control to limit information warfare. First, as stated above, seeking arms control may be one of the few means at the disposal of the United States to deal with the threat from SIW. An international agreement could be one way for the United States to protect itself. Second, given that most SIW programs are felt to be in their infancy, it may be an appropriate time to attempt to curtail international efforts in the area. A treaty could also provide some stability in that it could eliminate uncertainty about the circumstances in which a nation may retaliate for SIW attacks. Most of the arguments against such a treaty are based on its implementation: whether it could be credibly enforced and monitored, and whether it could include the most likely sources of SIW threats, specifically, non-state groups. Other objections include the fact that the distinction between offense and defense is blurred in information warfare; limiting the tools that detect vulnerabilities in civilian infrastructures may hinder a nation’s defenses as much as it blocks its offensive capabilities. Finally, other nations might not be interested in such a treaty because they are not as dependent upon their information infrastructures as the United States. Moreover, the authors argue, “the formalization of SIW as a legitimate military endeavor, worthy of an arms control treaty, may merely entice other countries to pursue it, causing greater instability rather than promoting it.”

Davis provides a much broader examination of the possibility for international agreements, including (1) arms control treaties, (2) export controls, and (3) multilateral cooperation. Just as each avenue has its own advantage, however, each is also fraught with difficulties. Treaties, for example, could have a high degree of specificity, banning a specific weapon or technique. As Soo Hoo and colleagues point out as well, this advantage may be offset by the nature of the nations or groups who pose the greatest threat of using those weapons or techniques. If they are non-state groups or states that tend to disregard international law or norms, then arms control will not be an effective tool to limit their actions. Moreover, the ability to verify the treaty would be a major—and potentially insurmountable—issue. Security assurances (a lesser form of arms control) effect the same lack of confidence. Export controls overcome some of these problems, in that “their focus on individual sales ensures that governments, non-governmental groups, and individuals are covered.” The “utility and effectiveness” of existing controls on supercomputers and encryption, however, have been called into question, as well as the ability to enforce them. Davis also discusses the possibility of multilateral cooperation to address the threat of information warfare. Although she does not describe the stumbling blocks in this area, the reader can infer that they parallel those from above. The tools and techniques of information warfare do not lend themselves to transparency, and it will be difficult for nations (especially nations that are not close allies) to achieve a necessary level of trust to engage in joint defense or response.

Rathmell argues that arms control might not be able to limit information warfare capabilities from growing vertically (i.e., more effective or powerful) or horizontally (i.e., to a larger number of countries or groups). Export restrictions, therefore, are of limited use. Instead, information warfare might be restricted as biological and chemical warfare is, through a convention. As with information warfare, the technology to produce chemical weapons is impossible to control through export restrictions. For that reason, the Chemical Warfare Convention tends to focus instead on behavior: the use of chemical weapons. Rathmell argues that an Information Warfare Convention would similarly restrict the use of information warfare, specifically its use against critical civilian or dual-use infrastructures. He also identifies several stumbling blocks for this convention. First, it is not currently verifiable. Although nations could use the time that it takes to negotiate the details of such a convention to come up with ways to verify it, the solutions would have to exist before a large number of nations agreed to the convention. Similarly, punishment for transgressions would need clear delineation. Rathmell suggests that a sanctions regime could place commercial restrictions on a country’s information technology sector. Ultimately, the convention would be “at most a partial response to the potentially destabilizing effects of [information warfare]. Nonetheless, it would at least provide an international forum in which these issues could be discussed and in which cooperative defensive measures could be developed.”

Conclusions of the Published Literature

All the authors concur that the field needs to establish accepted definitions in order to make any progress. Soo Hoo and colleagues state that “the definitional issues demand resolution before any international agreement has a chance of being successful.” Even then, the problems involved in the creation and enforcement of any treaty or agreement may be too complex. The authors also agree, however, that multilateral discussions about the possibility of a treaty would have some value. Like Rathmell, Davis argues that the exchange of information is the most viable path toward international control of information warfare. Clear communication can lead to cooperation, which in turn could lead to the establishment of norms and standards, and possible codification of those standards. Soo Hoo and colleagues add that the “creation of a such a norm is significant because it could eventually be used as the basis for future punitive measures taken against illegal SIW perpetrators.”

Davis further identifies five tasks that could lead to productive engagement in arms control or multilateral methods to limit the risk from information warfare. First, the United States needs to “understand more precisely the characteristics and capabilities of future information warfare systems and the technologies and management skills that will be critical to their development.” Second, the United States should “come to basic understandings about its strategic goals and assumptions with respect to information warfare.” These first two tasks describe the need to understand the benefits, risks, and potential adversaries who may engage in information warfare. The next step would be to communicate this understanding, ensuring “that other countries understand U.S. goals and the characteristics of the information-warfare systems that it is developing.” Only after these steps might the U.S. address the fourth task: identifying “how the systems and technologies might be controlled effectively as they are being developed.” The final step would be joint defense and prevention of threats to domestic infrastructure.

The general conclusion of the literature on the applicability of arms control is best stated by E. Anders Eriksson (1999).5 Although he mentions arms control only in passing, he states that “the avenues available for ‘arms control’ in this arena are primarily information exchange and norm-building, whereas structural approaches—trying to prohibit the means of information warfare altogether or restricting their availability—are largely impossible due to the ubiquity and dual-use nature of information technology.”


In addition to the three papers described above, two unpublished papers also address some aspect of arms control and information warfare. Because these are unpublished, it is important to keep in mind that neither has been peer-reviewed, nor is either endorsed by an organization. Both were drafted to initiate dialogue on the subject and attempt to sketch the goals of a possible treaty. The first paper, written by David Elliott in preparation for the Workshop on Information Technologies and National Security, October 8, 1996,6 contains a draft convention on the prohibition of use of information warfare techniques against non-combatants. The second document, presented by William Church at a conference on the Future of War in St. Petersburg, Russia, on February 26, 1999, explores a broader goal for a treaty: complete control of information operations.

Elliot lays out a simple document to begin the discussion about possible goals for arms control in information warfare. The draft convention contains a preamble that describes the goals and assumptions, nine articles that outline the restrictions on actions, and two “understandings” that explicate some of the terms in the articles. The goal is succinct and well defined: “to prohibit the use of information warfare techniques against non-combatants in order to reduce the dangers to mankind from such use, and affirming [the signatories’] willingness to work toward achieving this objective.” The first article forbids this use, as well as developing the means for it, planning it, or assisting others to engage in it. The second and third articles define it, the former by stating what it includes (“any technique to manipulate, interrupt, or interfere with information systems and their supporting infrastructure or another State for the purpose of causing civil deprivation or disorder or significant economic harm”), the latter by what it excludes (“the use of information technology for peaceful purposes”). By extension, the language also allows the use of information warfare techniques against military targets.

The remaining articles outline the workings of the convention. The fifth creates a “Consultative Committee of Experts” to hear complaints and “make appropriate findings of fact.” The sixth allows for amendments to the convention, and the eighth calls for periodic review of the convention. The seventh details the duration of the treaty, and the ninth describes the conditions for it entering into force. The text of this convention is very brief, and many of the ideas merit greater exploration. Although its brevity limits its utility, the paper does serve as a starting point for any discussion on the possibilities of a workable convention.

William Church’s paper, “Developing an information operations treaty,” takes a very different approach. Instead of focusing on a specific effect on information warfare, Church addresses the general destabilizing effects of information operations.7 Church’s presents two principle reasons for this broad scope: (1) that “the expansion of the concept of information operations . . . expands the current battlefield,” and (2) that it “upsets the offense-defense status quo of defensive domination.” His basis for the first point is the policy set by the U.S. Joint Chiefs of Staff. Joint Publication 3-13 states that information operations “target information technology or information systems in order to affect the information-based process whether human or automated. Such information dependent processes range from National Command Authorities-level decision making to the automated control of key commercial infrastructure such as telecommunications and electric power.” Church interprets this to mean that the new battleground “is the infrastructure” and that in a conflict the United States “will deprive a nation of vital infrastructure to achieve its goals.”

Although many would readily accept that information operations introduces new vulnerabilities and tends to favor offense over defense, Church argues this point at length, and in a surprisingly roundabout way. Church begins by describing the post-World War II balance between offense and defense as being dominated by defense, especially in the 1990s.8 The argument is substantially weakened by that lack of evidence or anecdotes to illustrate this domination, but he posits that information operations upset the balance. First, information warfare reduces the cost of offense and increases the cost of defense. Second, the West’s “[loss] of faith in physical weapons” has led to declining military budgets, making cost a more important factor of military investments. Third, the “acceptance of the neoliberal view of globalization and market expansion” rejects wars as “unnatural,” and therefore places a higher value on coercion by other means. Finally, nations are becoming more reliant on infrastructures, offering appealing targets to any country willing to exploit the vulnerability. None of these arguments are particularly compelling; luckily, none are needed to prove his point.

From these two points, Church sees a world in which nations, led by the example of the United States, eagerly engage in information operations that target each other’s infrastructures. Preemptive strikes would be commonplace for many political or military grievances, creating large-scale instability. The goal of arms control, therefore, is to check the escalation of information operations before it begins. “The area of information infrastructure should be clearly defined as off-limits to aggression of any form because it is not possible for world leaders to promote information economic growth and at the same [time] develop military strategy using that information infrastructure in a hostile arena.”


The general consensus of both the published and the unpublished literature is that civilian infrastructure is not an acceptable target for information warfare. Because it indirectly targets non-combatants, its use even in a military campaign is questionable. Unfortunately, none of the articles address whether civilian infrastructure is a legitimate target for other forms of combat. The United States targeted bridges, roads, power distribution, and telecommunications in its joint campaigns against Iraq and Serbia, but it used conventional weapons as opposed to information technology to attack them. This is a serious issue that warrants much more attention and that plays a considerable role in the discussion of arms control. If smaller or less powerful nations view U.S. efforts at arms control as merely a means to protect its infrastructure while allowing it to attack the infrastructure of other nations by conventional forces, then few would see the benefit of joining such a regime.

The literature is also united in identifying a clear threat to the United States. Whether the risk is only to U.S. military supremacy (Davis) or to global international relations (Church), the common consent is that a risk does exist, and that it is poorly addressed by either deterrence or current defensive measures. Although no author proposes that arms control is the only solution, each believes that it should be a part of the solution. The authors also agree, however, that implementation of any agreement would be very difficult. Agreement of what actions should be limited, verification of the agreement, and punitive actions for transgressions are all major stumbling blocks to any international dialogue. Even if these could be overcome, it is doubtful that any agreement would include the nations that pose the highest risk of aggressive behavior or non-state groups.

The tension between the threat to the United States from information warfare on one hand and the ambiguity about how well arms control might reduce it clearly illuminates several pressing needs for U.S. policy makers. As Davis points out, the United States has yet to discover the true promise of information warfare and from that determine its strategy to implement and defend against such weapons and tactics. Similarly, it needs to ascertain the real threat from information warfare to its military, its civilian infrastructure, and to international relations. More important, however, is the sense that the United States is ill prepared to address the risk by any means, not just through arms control. The dilemma that faces arms control also applies to diplomacy, deterrence, and defense. As the United States gets a better understanding of its capabilities and vulnerabilities, the development of methods to defend itself should be a high priority, and one that involves all the mechanisms at its disposal.



1 Geoffrey French is an Operations Coordination Manager for Veridian–Trident Data Systems and an Associate of the Information Warfare Research Center.

2Strategic Information Warfare—A New Arena for Arms Control?” represents the work of a workshop organized by the Center for International Security and Arms Control (now the Center for International Security and Cooperation) at Stanford University. A full list of participants can be found on page 2 of that publication.

3 Information warfare at its highest level is “an ideational struggle for the mind of an opponent. At this level, [it] encompasses the whole range of psychological, media, diplomatic and military techniques for influencing the mind of an opponent, whether that opponent is a military commander or a whole population.” The second level is the use of military forces “to dominate the ‘information spectrum,’ after which physical conflict will be either unnecessary or at worst, short, sharp and successful.”

4 For a full review of the literature on information warfare and deterrence, see Geoffrey French, “Shunning the frumious Bandersnatch: Current literature on information warfare and deterrence,” Information Warfare Research Center, 2000.

5 Eriksson’s paper was not included in the review because it does not discuss the issue in any depth. Regardless, the paper’s astute summary of the literature warrants its citation.

6 The results of this workshop can be found in the document described above: Kevin J. Soo Hoo, Lawrence Greenberg, and David Elliott, “Strategic information warfare—A new arena for arms control?” Center for International Security and Arms Control, Stanford University, 1996.

7 Information operations are defined by the Joint Chiefs of Staff (1998) as “actions taken to affect adversary information and information systems while defending one’s own information and information systems.”

8 Church states that “defense domination” means that “defense [has] the advantage in an attack.”



Church, W. 1999. Developing an information operations treaty. Paper presented at the Future of War conference, St. Petersburg, Russia, February 26, 1999. Posted on the web site of

Davis, L. 1999. Arms control, export regimes, and multilateral cooperation. In: The Changing Role of Information in Warfare. Z. M. Khalilzad and J. P. White, eds. Santa Monica, Calif.: Rand.

Elliott, D. 1996. Strategic information warfare—A new arena for arms control? Paper for the Workshop on Information Technologies and National Security, October 8, 1996. Stanford, Calif.: Center for International Security and Arms Control, Stanford University.

Eriksson, E. A. 1999. Information warfare: Hype or reality? The Nonproliferation Review 6(3):57–64.

French, G. S. 2000. Shunning the frumious Bandersnatch: Current literature on information warfare and deterrence. Washington D.C.: Information Warfare Research Center.

Joint Chiefs of Staff. 1998. Joint Pub 3-13: Joint Doctrine for Information Operations. Washington D.C.: U.S. Department of Defense.

Rathmell, A. 1998. Information warfare: Implications for arms control. Bulletin of Arms Control 29:8–14.

Soo Hoo, K. J., L. Greenberg, and D. Elliott. 1996. Strategic information warfare—A new arena for arms control? Stanford, Calif.: Center for International Security and Arms Control, Stanford University.