Restricting Information Warfare: September 2000 Arms control can have a stabilizing effect on international relations. The agreements forged in the Cold War demonstrate its
usefulness in reducing dangers, opening dialogue, and establishing accepted norms for international behavior. Nations face
different goals and challenges as they attempt to apply arms control to different types of weapons or warfare, such as
conventional, nuclear, or biological. Arms control is not always applicable, however, and policy makers cannot consider it a
cure-all. Proponents of using arms control to restrict information warfare must therefore make the case for its need and the
likelihood of its success. The current literature on arms control and information warfare is limited to only a handful of papers. The authors who discuss
the applicability of arms control to information warfare explicitly are Lynn Davis (1999), Andrew Rathmell (1998), and Kevin
J. Soo Hoo, Lawrence Greenberg, and David Elliott2 (1996). Because their papers address a very specific subject, their
arguments tend to converge to a similar pattern. They each provide a definition of information warfare, present the reasons the
technology or techniques of information warfare should be controlled, and describe the potential for arms control as a means
of that control. Because of this similar structure, this section will present the manner in which each addressed those parts of the
argument, as opposed to presenting each argument serially. Each author begins by stating that the lack of rigorous definitions in the field of information warfare is the first impediment to
any international understanding. In addition, the field is quite broad, and a number of different activities tend to be categorized
under its name. For those reasons, each author is careful to attempt to pinpoint the specific aspect of information warfare that
might be suitable to an international agreement. Rathmell is reasonably specific about the types of information warfare attacks
that might be limited through arms control. He defines the lowest level of information warfare as attacks on “information flows
and activities.”3 These attacks range from “command, control and communications networks of a modern ‘digitized’ armed
force to the information infrastructures that form the backbone of modern economies, notably the telecommunications,
electrical power, energy and transportation networks.” It is only the latter—the attacks on “critical civilian or dual-use
infrastructures”—that Rathmell argues arms control could limit. Soo Hoo, Greenberg, and Elliott adopt a very similar definition. An examination of the risks from information warfare indicates
that the U.S. civil information-system-dependent infrastructures are particularly vulnerable. Any attempts to limit the actions of
adversaries should then focus on strategic information warfare (SIW), which targets them. Their full definition of SIW follows. SIW involves concerted actions by a state, or a state surrogate, to destroy, disable, or manipulate components of the essential
information infrastructures of another state. This infrastructure includes major networked systems that depend upon data
processing and transfer, digitally stored information, and electronic controls, as well as supporting sub-systems, such as
telecommunications and electric power. By intention or as a collateral effect, SIW would damage important elements of the
socioeconomic structure or the civil functions of the state, resulting in harm to civilians. Sectors targeted by SIW might include
energy, communications, financial services, health care, transportation, government civil records, and emergency services. Some of the means of conducting SIW include radio-frequency jamming; computer network penetration and hacking past
security controls; spoofing of telecommunications; injection and activation of malicious computer software programs;
incorporating trapdoors or bombs in imported system hardware or software; disabling of digital systems by electromagnetic
pulse, signal denial, or override; disabling electric systems by filament dispersal; and selected physical attacks. Davis, who spends a great deal of detail about the history and scope of arms control, gives much less attention to the definition
of information warfare. In part, she points out, this is because the field is still in development. There is little certainty about
which nations or groups will be able to develop or acquire methods and means for information warfare, or in what time frame.
Treaties might focus, however, as narrowly as on a specific weapon or class of weapons, such as the electronic pulse system
or computer viruses. They might also address types of attacks, such as those against domestic infrastructures. Davis identifies a single reason for the United States to seek arms control to restrict information warfare. “The risk of not
pursuing any arms control is that the abilities of potential adversaries to acquire information-warfare capabilities would not be
constrained in any way. Over time, this could threaten the U.S. ability to maintain [military] superiority.” It may seem that this
argument would have little sway; indeed, many in the U.S. government and military hold that information warfare attacks could
grant the United States a large advantage. Few, however, would contest the assessment that the United States itself is very
vulnerable to such attacks, and that information warfare is one of the few areas where potential adversaries may challenge the
United States. Limiting the capabilities of others may be motivation enough for the United States to agree to self-imposed
restrictions. The reason that Davis gives can also be found in the other papers. Rathmell states that the “ability to undertake these types of
attacks empowers small nations or groups that might not otherwise be able to challenge the United States or other powerful
nations.” To that he adds two additional reasons why countries should be interested in limiting the possibility that information
warfare attacks might occur. First, “the interdependence of various nations’ information infrastructures could result in the
attack on one leading to unpredictable, far-reaching, detrimental consequences for others.” Second, “one detrimental
consequence would be a breach in trust among governments and businesses in their information systems, leading to (among
other possibilities) chaos or a dramatic loss in the privacy of citizens as surveillance and monitoring increased.” Soo Hoo and colleagues also argue that SIW is “a particularly serious danger to the United States,” and one that it has yet to
address adequately. The United States has three distinct methods of dealing with threats to its national security: deterrence,
defense, and arms control. Although the authors do not discuss the other options in depth, they argue that they do not
adequately eliminate the risk from SIW. Deterrence, for example, “will be unlikely to offer the same degree of protection as it
does in other security contexts.”4 Similarly, the defensive measures that the U.S. government is able to take are limited. Much
of the national information infrastructure is not owned or operated by the government, and “neither the privately owned major
information systems, nor the information products industry is likely to respond effectively to national-level security concerns,
because of the impacts that defensive measures would have on cost, loss of functionality, and other competitive
considerations.” Arms control may not be the solution to the threat, but the shortcomings of the two other approaches means
that forfeiting some offensive capabilities in order to restrict SIW through international agreements should be considered to at
least some extent. In their paper, Soo Hoo, Greenberg, and Elliott present arguments for and against the use of arms control to limit information
warfare. First, as stated above, seeking arms control may be one of the few means at the disposal of the United States to deal
with the threat from SIW. An international agreement could be one way for the United States to protect itself. Second, given
that most SIW programs are felt to be in their infancy, it may be an appropriate time to attempt to curtail international efforts in
the area. A treaty could also provide some stability in that it could eliminate uncertainty about the circumstances in which a
nation may retaliate for SIW attacks. Most of the arguments against such a treaty are based on its implementation: whether it
could be credibly enforced and monitored, and whether it could include the most likely sources of SIW threats, specifically,
non-state groups. Other objections include the fact that the distinction between offense and defense is blurred in information
warfare; limiting the tools that detect vulnerabilities in civilian infrastructures may hinder a nation’s defenses as much as it
blocks its offensive capabilities. Finally, other nations might not be interested in such a treaty because they are not as
dependent upon their information infrastructures as the United States. Moreover, the authors argue, “the formalization of SIW
as a legitimate military endeavor, worthy of an arms control treaty, may merely entice other countries to pursue it, causing
greater instability rather than promoting it.” Davis provides a much broader examination of the possibility for international agreements, including (1) arms control treaties,
(2) export controls, and (3) multilateral cooperation. Just as each avenue has its own advantage, however, each is also fraught
with difficulties. Treaties, for example, could have a high degree of specificity, banning a specific weapon or technique. As
Soo Hoo and colleagues point out as well, this advantage may be offset by the nature of the nations or groups who pose the
greatest threat of using those weapons or techniques. If they are non-state groups or states that tend to disregard international
law or norms, then arms control will not be an effective tool to limit their actions. Moreover, the ability to verify the treaty
would be a major—and potentially insurmountable—issue. Security assurances (a lesser form of arms control) effect the same
lack of confidence. Export controls overcome some of these problems, in that “their focus on individual sales ensures that
governments, non-governmental groups, and individuals are covered.” The “utility and effectiveness” of existing controls on
supercomputers and encryption, however, have been called into question, as well as the ability to enforce them. Davis also
discusses the possibility of multilateral cooperation to address the threat of information warfare. Although she does not
describe the stumbling blocks in this area, the reader can infer that they parallel those from above. The tools and techniques of
information warfare do not lend themselves to transparency, and it will be difficult for nations (especially nations that are not
close allies) to achieve a necessary level of trust to engage in joint defense or response. Rathmell argues that arms control might not be able to limit information warfare capabilities from growing vertically (i.e., more
effective or powerful) or horizontally (i.e., to a larger number of countries or groups). Export restrictions, therefore, are of
limited use. Instead, information warfare might be restricted as biological and chemical warfare is, through a convention. As
with information warfare, the technology to produce chemical weapons is impossible to control through export restrictions.
For that reason, the Chemical Warfare Convention tends to focus instead on behavior: the use of chemical weapons. Rathmell
argues that an Information Warfare Convention would similarly restrict the use of information warfare, specifically its use
against critical civilian or dual-use infrastructures. He also identifies several stumbling blocks for this convention. First, it is not
currently verifiable. Although nations could use the time that it takes to negotiate the details of such a convention to come up
with ways to verify it, the solutions would have to exist before a large number of nations agreed to the convention. Similarly,
punishment for transgressions would need clear delineation. Rathmell suggests that a sanctions regime could place commercial
restrictions on a country’s information technology sector. Ultimately, the convention would be “at most a partial response to
the potentially destabilizing effects of [information warfare]. Nonetheless, it would at least provide an international forum in
which these issues could be discussed and in which cooperative defensive measures could be developed.” All the authors concur that the field needs to establish accepted definitions in order to make any progress. Soo Hoo and
colleagues state that “the definitional issues demand resolution before any international agreement has a chance of being
successful.” Even then, the problems involved in the creation and enforcement of any treaty or agreement may be too
complex. The authors also agree, however, that multilateral discussions about the possibility of a treaty would have some
value. Like Rathmell, Davis argues that the exchange of information is the most viable path toward international control of
information warfare. Clear communication can lead to cooperation, which in turn could lead to the establishment of norms and
standards, and possible codification of those standards. Soo Hoo and colleagues add that the “creation of a such a norm is
significant because it could eventually be used as the basis for future punitive measures taken against illegal SIW perpetrators.” Davis further identifies five tasks that could lead to productive engagement in arms control or multilateral methods to limit the
risk from information warfare. First, the United States needs to “understand more precisely the characteristics and capabilities
of future information warfare systems and the technologies and management skills that will be critical to their development.”
Second, the United States should “come to basic understandings about its strategic goals and assumptions with respect to
information warfare.” These first two tasks describe the need to understand the benefits, risks, and potential adversaries who
may engage in information warfare. The next step would be to communicate this understanding, ensuring “that other countries
understand U.S. goals and the characteristics of the information-warfare systems that it is developing.” Only after these steps
might the U.S. address the fourth task: identifying “how the systems and technologies might be controlled effectively as they
are being developed.” The final step would be joint defense and prevention of threats to domestic infrastructure. The general conclusion of the literature on the applicability of arms control is best stated by E. Anders Eriksson (1999).5
Although he mentions arms control only in passing, he states that “the avenues available for ‘arms control’ in this arena are
primarily information exchange and norm-building, whereas structural approaches—trying to prohibit the means of information
warfare altogether or restricting their availability—are largely impossible due to the ubiquity and dual-use nature of information
technology.” In addition to the three papers described above, two unpublished papers also address some aspect of arms control and
information warfare. Because these are unpublished, it is important to keep in mind that neither has been peer-reviewed, nor is
either endorsed by an organization. Both were drafted to initiate dialogue on the subject and attempt to sketch the goals of a
possible treaty. The first paper, written by David Elliott in preparation for the Workshop on Information Technologies and
National Security, October 8, 1996,6 contains a draft convention on the prohibition of use of information warfare techniques
against non-combatants. The second document, presented by William Church at a conference on the Future of War in St.
Petersburg, Russia, on February 26, 1999, explores a broader goal for a treaty: complete control of information operations. Elliot lays out a simple document to begin the discussion about possible goals for arms control in information warfare. The
draft convention contains a preamble that describes the goals and assumptions, nine articles that outline the restrictions on
actions, and two “understandings” that explicate some of the terms in the articles. The goal is succinct and well defined: “to
prohibit the use of information warfare techniques against non-combatants in order to reduce the dangers to mankind from
such use, and affirming [the signatories’] willingness to work toward achieving this objective.” The first article forbids this use,
as well as developing the means for it, planning it, or assisting others to engage in it. The second and third articles define it, the
former by stating what it includes (“any technique to manipulate, interrupt, or interfere with information systems and their
supporting infrastructure or another State for the purpose of causing civil deprivation or disorder or significant economic
harm”), the latter by what it excludes (“the use of information technology for peaceful purposes”). By extension, the language
also allows the use of information warfare techniques against military targets. The remaining articles outline the workings of the convention. The fifth creates a “Consultative Committee of Experts” to hear
complaints and “make appropriate findings of fact.” The sixth allows for amendments to the convention, and the eighth calls
for periodic review of the convention. The seventh details the duration of the treaty, and the ninth describes the conditions for
it entering into force. The text of this convention is very brief, and many of the ideas merit greater exploration. Although its
brevity limits its utility, the paper does serve as a starting point for any discussion on the possibilities of a workable convention. William Church’s paper, “Developing an information operations treaty,” takes a very different approach. Instead of focusing
on a specific effect on information warfare, Church addresses the general destabilizing effects of information operations.7
Church’s presents two principle reasons for this broad scope: (1) that “the expansion of the concept of information operations
. . . expands the current battlefield,” and (2) that it “upsets the offense-defense status quo of defensive domination.” His basis
for the first point is the policy set by the U.S. Joint Chiefs of Staff. Joint Publication 3-13 states that information operations
“target information technology or information systems in order to affect the information-based process whether human or
automated. Such information dependent processes range from National Command Authorities-level decision making to the
automated control of key commercial infrastructure such as telecommunications and electric power.” Church interprets this to
mean that the new battleground “is the infrastructure” and that in a conflict the United States “will deprive a nation of vital
infrastructure to achieve its goals.” Although many would readily accept that information operations introduces new vulnerabilities and tends to favor offense over
defense, Church argues this point at length, and in a surprisingly roundabout way. Church begins by describing the post-World
War II balance between offense and defense as being dominated by defense, especially in the 1990s.8 The argument is
substantially weakened by that lack of evidence or anecdotes to illustrate this domination, but he posits that information
operations upset the balance. First, information warfare reduces the cost of offense and increases the cost of defense. Second,
the West’s “[loss] of faith in physical weapons” has led to declining military budgets, making cost a more important factor of
military investments. Third, the “acceptance of the neoliberal view of globalization and market expansion” rejects wars as
“unnatural,” and therefore places a higher value on coercion by other means. Finally, nations are becoming more reliant on
infrastructures, offering appealing targets to any country willing to exploit the vulnerability. None of these arguments are
particularly compelling; luckily, none are needed to prove his point. From these two points, Church sees a world in which nations, led by the example of the United States, eagerly engage in
information operations that target each other’s infrastructures. Preemptive strikes would be commonplace for many political or
military grievances, creating large-scale instability. The goal of arms control, therefore, is to check the escalation of information
operations before it begins. “The area of information infrastructure should be clearly defined as off-limits to aggression of any
form because it is not possible for world leaders to promote information economic growth and at the same [time] develop
military strategy using that information infrastructure in a hostile arena.” The general consensus of both the published and the unpublished literature is that civilian infrastructure is not an acceptable
target for information warfare. Because it indirectly targets non-combatants, its use even in a military campaign is questionable.
Unfortunately, none of the articles address whether civilian infrastructure is a legitimate target for other forms of combat. The
United States targeted bridges, roads, power distribution, and telecommunications in its joint campaigns against Iraq and
Serbia, but it used conventional weapons as opposed to information technology to attack them. This is a serious issue that
warrants much more attention and that plays a considerable role in the discussion of arms control. If smaller or less powerful
nations view U.S. efforts at arms control as merely a means to protect its infrastructure while allowing it to attack the
infrastructure of other nations by conventional forces, then few would see the benefit of joining such a regime. The literature is also united in identifying a clear threat to the United States. Whether the risk is only to U.S. military
supremacy (Davis) or to global international relations (Church), the common consent is that a risk does exist, and that it is
poorly addressed by either deterrence or current defensive measures. Although no author proposes that arms control is the
only solution, each believes that it should be a part of the solution. The authors also agree, however, that implementation of
any agreement would be very difficult. Agreement of what actions should be limited, verification of the agreement, and punitive
actions for transgressions are all major stumbling blocks to any international dialogue. Even if these could be overcome, it is
doubtful that any agreement would include the nations that pose the highest risk of aggressive behavior or non-state groups. The tension between the threat to the United States from information warfare on one hand and the ambiguity about how well
arms control might reduce it clearly illuminates several pressing needs for U.S. policy makers. As Davis points out, the United
States has yet to discover the true promise of information warfare and from that determine its strategy to implement and
defend against such weapons and tactics. Similarly, it needs to ascertain the real threat from information warfare to its military,
its civilian infrastructure, and to international relations. More important, however, is the sense that the United States is ill
prepared to address the risk by any means, not just through arms control. The dilemma that faces arms control also applies to
diplomacy, deterrence, and defense. As the United States gets a better understanding of its capabilities and vulnerabilities, the
development of methods to defend itself should be a high priority, and one that involves all the mechanisms at its disposal. 2 “Strategic Information Warfare—A New Arena for Arms Control?” represents the work of a workshop organized by the
Center for International Security and Arms Control (now the Center for International Security and Cooperation) at Stanford
University. A full list of participants can be found on page 2 of that publication. 3 Information warfare at its highest level is “an ideational struggle for the mind of an opponent. At this level, [it] encompasses
the whole range of psychological, media, diplomatic and military techniques for influencing the mind of an opponent, whether
that opponent is a military commander or a whole population.” The second level is the use of military forces “to dominate the
‘information spectrum,’ after which physical conflict will be either unnecessary or at worst, short, sharp and successful.” 4 For a full review of the literature on information warfare and deterrence, see Geoffrey French, “Shunning the frumious
Bandersnatch: Current literature on information warfare and deterrence,” Information Warfare Research Center, 2000. 5 Eriksson’s paper was not included in the review because it does not discuss the issue in any depth. Regardless, the paper’s
astute summary of the literature warrants its citation. 6 The results of this workshop can be found in the document described above: Kevin J. Soo Hoo, Lawrence Greenberg, and
David Elliott, “Strategic information warfare—A new arena for arms control?” Center for International Security and Arms
Control, Stanford University, 1996. 7 Information operations are defined by the Joint Chiefs of Staff (1998) as “actions taken to affect adversary information and
information systems while defending one’s own information and information systems.” 8 Church states that “defense domination” means that “defense [has] the advantage in an attack.” Davis, L. 1999. Arms control, export regimes, and multilateral cooperation. In: The Changing Role of Information in Warfare.
Z. M. Khalilzad and J. P. White, eds. Santa Monica, Calif.: Rand. Elliott, D. 1996. Strategic information warfare—A new arena for arms control? Paper for the Workshop on Information
Technologies and National Security, October 8, 1996. Stanford, Calif.: Center for International Security and Arms Control,
Stanford University. Eriksson, E. A. 1999. Information warfare: Hype or reality? The Nonproliferation Review 6(3):57–64. French, G. S. 2000. Shunning the frumious Bandersnatch: Current literature on information warfare and deterrence.
Washington D.C.: Information Warfare Research Center. Joint Chiefs of Staff. 1998. Joint Pub 3-13: Joint Doctrine for Information Operations. Washington D.C.: U.S. Department of
Defense. Rathmell, A. 1998. Information warfare: Implications for arms control. Bulletin of Arms Control 29:8–14. Soo Hoo, K. J., L. Greenberg, and D. Elliott. 1996. Strategic information warfare—A new arena for arms control? Stanford,
Calif.: Center for International Security and Arms Control, Stanford University. |