Shunning the Frumious Bandersnatch: August 2000 The first step in any discussion of information warfare is to define the term. Although the phrase is used frequently in military
and strategic planning circles, seldom do two groups use the phrase similarly. A number of authors have written widely
accepted definitions. Winn Schwartau (1994), for example, defines information warfare as “an electronic conflict in which
information is a strategic asset worthy of conquest or destruction. Computers and other communications and information
systems become attractive first-strike targets.” In contrast, Martin Libicki (1995) defines the term more broadly to include
“command-and-control, intelligence-based warfare, electronic warfare, psychological warfare, hacker warfare, economic
information warfare, and cyberwarfare.” There are a number of other definitions for the phrase, but at least five are pertinent
to the literature that discusses its role in deterrence. Unfortunately, in the same way that the concept of information warfare varies widely among authors, the growing jargon in the
field also tends to be adrift. Terms such as cyber war and net war have so many meanings and nuances, that the words
quickly become confusing or lose their meaning altogether (see, for example, Box 1). Before too long, the articles seem to
have been written by Lewis Carroll, with dire warnings of the Jabberwock, the Jubjub bird, and the frumious Bandersnatch. A clear example of a term that has a number of meanings is the phrase “net war.”
Writings about net war tend to focus on organizational structures allowed by new
technologies. A network organization of a military force, as opposed to the traditional
hierarchical organization, brings about better methods of attack and highlights new
military targets. The definitions of the phrase, however, may not reflect this distinction.
John Arquilla and David Ronfeldt (1993), for example, define net war as
“information-related conflict at a grand level between nations or societies. It means
trying to disrupt or damage what a target population knows or thinks it knows about
itself and the world around it.” This definition describes the spread of culture or religion
better than it does modern war, even though the authors’ main point is that modern
militaries require a network-based organization to attack network-based threats such as
terrorists and insurgency groups. To complicate matters, Richard Harknett (1996)
adopts their terminology, but changes their definitions. Net war then becomes an attack
on personal electronic records, a business’s transactions, or a city’s infrastructure. The
literature on information warfare tends to have many of these discrepancies between
concepts, denotations, and connotations. Because these definitions differ greatly across the spectrum of information warfare, they also drive the relationship with
deterrence. For this reason, the publications reviewed in this paper are grouped by their interpretations of information warfare
(see Table 1). It is important to note, however, that some authors either use a broad definition of information warfare or
definitions that address multiple categories. In those cases, the aspect of information warfare that has the highest overlap with
deterrence determines the categorization. Augmented Conventional Attack Some theorists believe that the world has already witnessed information warfare in the conflicts between Iraq or Yugoslavia
and the United States and its allies. In this view, information warfare is essentially superior conventional strength. Not only are
U.S. weapons better than any other military’s, but advances in computers and communications have led to a method of
integrating conventional forces so well that a new type of fighting emerges: augmented conventional attack. Information
warfare, therefore, is a method of integrating conventional forces to further increase their effectiveness and lethality. If
thoroughly integrated, the fighting force becomes a “system of systems.” For example, information from multiple systems that
identify enemy targets is processed by a system that prioritizes them and tasks multiple systems that destroy targets. James Der Derian explored this concept in 1994, arguing that “cyber-deterrence”—that is, the powerful integration of
conventional forces, technological exhibitionism, and strategic simulations—could be so overwhelming to other nations that it
could replace nuclear deterrence. Although an adversary might doubt U.S. resolve to use nuclear weapons or to get involved
in a protracted conventional war, it would be foolish to assume that the United States would not engage in quick, spectacular
wars. Information warfare allows the United States to do just that. Impressive simulations and exercises serve the purposes of
nuclear testing: “to render visible and plausible the cyber-deterrent for all . . . that might not have sufficiently learned the lesson
of the prototype cyberwar, DESERT STORM.” Thomas Mahnken went a step further in 1995, introducing the concept of “shock warfare.” Although Mahnken begins with a
rather modest definition for information warfare (the means “by which a state denies or manipulates the intelligence available to
an enemy”), he argues that, if done exceptionally well, augmented conventional attack can even ignore the methods and goals
of attrition warfare. By coupling information warfare with long-range precision-guided munitions, the United States may have
invented a new “era in conflict based on paralysis and shock rather that attrition.” Long-range attacks against an enemy’s
force and disruption of its coordination would “crush its will to resist.” This might be achieved before forces meet on the
battlefield. By striking at an enemy’s “command and control networks, civil telecommunications, and even military and civilian
leaders,” the pre-battle information suppression operation itself might “shatter an enemy’s will to fight and force it to sue for
peace.” In other words, information warfare augments the ability and lethality of U.S. conventional forces to the point that they
become a very powerful deterrent. Furthermore, even if an enemy prepares to combat the United States and its allies, a
thorough strike against its leadership targets and command-and-control infrastructure would cause it to sue for peace. Some theorists would argue that the targets of shock warfare (as described above) are more important than the systems
attacking them. This interpretation of information warfare—IT-based military attack—focuses less on the integration of
military forces and more on the new targets that new technology brings. Although many armies have targeted an enemy’s
command-and-control structure in the past, new technologies have introduced both new capabilities and vulnerabilities,
creating new methods of attacking those structures. Information warfare, therefore, encompasses both physical and cyber
methods of attacking enemy information and information networks. Roger Barnett addressed the role that IT-based military attack plays in deterrence in 1998. His article uses the U.S.
Department of Defense definition of information operations: “actions taken to affect adversary information and information
systems while defending one’s own information and information systems” (Joint Chiefs of Staff, 1998). Although he does not
identify any specific targets that the United States might attack, he implies that they should consist of military targets, referring
to “enemy systems” or “an adversary’s computer,” while adding that “noncombatants must not be targeted directly.” He does
acknowledge that other nations may target U.S. civilian infrastructure. Barnett argues that the United States can both deter
information warfare and use it as a deterrent, but both will require much more work in policy. The United States has a strong
willingness to deter a strategic information attack through denial (making the likelihood of success unacceptably low), for
example, but suspect capability to do so. Conversely, the United States has a strong capability to deter attacks through
punishment (making the costs of an attack unacceptably high), but a questionable will to retaliate for an information attack.
The United States needs to be clear, he states, about how it would retaliate for an attack on its critical infrastructure and
identify the context in which IT-based military attack would be an acceptable tool for U.S. interests. Barnett highlights an important nuance to U.S. policy. The U.S. Department of Defense defines information warfare as
“information operations conducted during a time of crisis or conflict to achieve or promote specific objectives over a specific
adversary or adversaries.” Although the definition seems to be of little use, being entirely dependent on the definition of
“information operations,” it does belie a fundamental conceptual judgement: Information warfare is defined more by the
conditions surrounding the actions than the actions themselves. Barnett argues that engagement in IT-based military attack
should not be considered a use of force. “Careful, controlled use of these particular information operations could fortify
deterrence in peacetime—both general and focused. Employment in peace, crisis, and war, unencumbered by the baggage
that attends the use of force, would render the information operation an integral, high-leverage instrument of statecraft.” Timothy Thomas (1996) discusses both attacks on military targets and on civilian critical infrastructure, which is discussed
below (see IT-Based Civilian Attack). Because he treats information assaults as essentially a military phenomenon, however,
his article is included here, under IT-based military attack. Thomas describes “information assaults” that use advanced
information technologies to “defeat an opposing force or damage a state infrastructure.” Thomas likens information warfare to
nuclear warfare because they both can target entire civilian populations even though they are military weapons. For similar
reasons, he believes that information assaults can be deterred just as nuclear attacks were during the Cold War. Through
international law, arms control (i.e., agreement to limit the “information component or potential of a weapon” and thereby its
“lethality and accuracy”), and early warning systems, governments can endeavor to limit the scope or onset of information
warfare. In addition to treaties and agreements, state infrastructures might be protected in that they may not be viable targets.
As global systems tie more nations together, singling out a particular nation’s infrastructure will become increasingly difficult. In
other words, the “growing business of transnational relations,” Thomas states, “may itself have a deterrent effect.” A third interpretation of information warfare blends augmented conventional attack and IT-based military attack. Some
analysts point out that new technology allows new methods of organizing a fighting force (not just better integration of current
organization). A networked organizational structure would have a number of benefits, such as increased flexibility and reduced
reaction time. Although traditional militaries have a difficult time with organizational change on this scale, smaller militaries,
insurgent groups, and non-state actors may be able to accomplish it. Furthermore, effectively combating a group with such an
organization would require, at a minimum, knowing the key targets within it, and possibly being organized as a network to
combat it at all. John Arquilla and David Ronfeldt described this type in information warfare in 1996.6 The authors observed that improved
technology allows military forces to be lighter, more mobile, and better able to concentrate fire quickly (compare with Der
Derian and Mahnken, above). The key to capitalizing on those improvements, however, is more thorough “decentralization of
command and control.” Coupled with better intelligence from better sensors, intelligence, and communications, a networked
force could quickly strike “information and communications systems” (compare with Barnett, above). Combat networks,
therefore, become a new way of fighting. Arquilla and Ronfeldt emphasize, however, that the organization is more important
than the intelligence or sophistication of the weapons. A networked organization will be able to gather, process, and
disseminate information better than a hierarchical organization. This, the authors contend, is key in preventing a war from
arising. “Deterrence in a chaotic world may become as much a function of one’s cyber posture and presence as of one’s force
posture and presence.” The future, the authors add, “may belong to whoever masters the network form.” Still others see a new type of attack altogether as information warfare. One of the different aspects of information warfare that
Gary Wheatley and Richard Hayes (1996) identify is IT-based civilian attacks, defined as physical or computer attacks that
would “do great harm to the United States. Destruction of the systems that control systems in key industries and leave them so
they cannot be repaired promptly.”7 Wheatley and Hayes are the most thorough of any authors in defining deterrence and the
necessary components for it to function. They also entertain the broadest scope for information warfare, but in doing so, do
not deliver a succinct definition. They do, however, clearly state where information warfare applies to deterrence and limit
their discussion to three areas: (1) IT-based civilian attack, (2) media war, and (3) augmented conventional attack.
Augmented conventional attack (or “offensive information warfare,” of which DESERT STORM is an example) is seen as a
deterrent to other nations, and given relatively little discussion. They include media war—“the use of television images to
change or modify the political will of an opponent”—to be thorough in their discussion of information warfare, but
acknowledge that it has minimal relationship with deterrence. Although the authors emphasize that information warfare takes
many shapes depending on the actors, their relationship, and the substantive domain in which they interact, IT-based civilian
attack is discussed the most (and the reader can assume given the most weight).8 Wheatley and Hayes acknowledge that the United States is the largest target for information warfare, and deterring a
potentially strategic attack on civilian infrastructure targets should be a high priority. They argue that this type of attack is
deterred by robust computer security9 and diplomatic or military intervention. “Some information warfare attacks on the
United States,” they state, “are deterred by the same policy that deters other types of attacks.” The core conclusion,
therefore, is that IT-based civilian attacks can be deterred and that the United States “already has basic policies in place that
serve as effective deterrents in many circumstances.” Like Thomas, above (see IT-Based Civilian Attack), Richard Harknett (1996) addressed both deterrents to attacks on
military targets (“connectivity on the battlefield”) and civilian targets (“societal connectivity”).10 Whereas Thomas gave more
weight to the consideration of military targets when considering deterrence, Harknett argues that the civilian targets are more
important in terms of deterrence. Military networks should be built with robustness and redundancy in mind, giving them
greater sustainability in the face of an attack. Societal connectivity, on the other hand, is more vulnerable at three levels: “the
personal, the institutional, and the national.” An adversary might attack a single person, through his or her electronic records,
or a single institution, such as a business or an industry. More worrisome are attacks on a region’s or nation’s infrastructure: its
transportation, communication, or financial systems. But just as deterrence has a strained relationship with IT-based military attack (the ability to absorb the attack makes it less of
a threat, and less punishable), deterring a civilian attack is also problematic. Although an adversary might be deterred by the
interconnected nature of modern infrastructure (see Thomas above and Devost below), the possibility of undertaking an attack
without being identified may be incentive enough to attempt an attack. The most significant problem in basing defense of
information warfare on deterrence is that “the attack may not emanate from a state at all.” If terrorists or organized crime, for
example, attack U.S. infrastructure, few courses of action are available, and fewer still for military retaliation. Ultimately, the
United States will be better served by developing an “imposing offensive capability and a formidable ability to defend” rather
than tailoring a deterrence strategy to specific adversaries. Matthew Devost (1995) addressed deterrents to attacking the U.S. infrastructure in his thesis “National Security in the
Information Age.” Although he uses a broad definition for information warfare—destroying information, reducing information
flows, reducing the reliability of information content, and denying access to services—Devost identifies three deterrents to
waging information warfare: economic interdependence, fear of escalation, and lack of technical expertise. Of these, he names
the first as the most significant, and it clearly applies to attacks on civilian (in this case financial) infrastructure. As the
economies of nations become increasingly interdependent, the more likely it is that “nations will feel the economic aftershocks
of economic instability,” especially sudden, drastic effects that could follow a strategic information attack. For countries that
are part of the global market, an IT-based civilian attack may be too costly to undertake. The reverse of this—the use of IT-based civilian attack as a deterrent—was obliquely discussed by Leonard Sullivan in 1994.
Although it was questionable to include his paper in this review (he never uses the term information warfare), he does describe
all the essential elements of a IT-based civilian attack and argues for its use in deterring aggressive behavior. The paper
addresses the effects of the end of the Cold War on regional security and calls for regional security apparatuses (RSAs) to
enforce international law and oppose aggression or gross violations of human rights within their communities or geographic
area. Each RSA would have a collective foreign policy and take collective measures to check and then correct the aggressive
party. It is in his description of “nonlethal ‘persuasion’” that he lays the groundwork for IT-based civilian attack as a deterrent. Sullivan describes “confidence-destroying measures” as means that could become “acceptable forms of persuasion at the
national level” whose purpose is to “reduce the assurance of the perpetrators or their followers that their actions or cause can
produce the desired results.” More specifically, they might “convince their publics that their leaders can no longer keep their
national infrastructure operating at tolerable levels.” To achieve this, the RSA engage in “very specialized high-tech covert
activities.” Unfortunately, the author does not get much more specific about these activities. Although he does state that
“dependence on high-tech electronic systems” is a considerable vulnerability, and names financial systems, mass
communication systems, and the electrical grid as potential targets, he is unclear about the methods of attacking them in
non-physical ways. These targets, for example, “can be rendered inoperable without destroying them,” a task to be
undertaken by “high-tech special forces” who “‘get into’ any or all of these systems and sow confusion or doubt.” Beyond
that, the reader can only guess what activities are included in Sullivan’s term “dirty tricks” that “could become an essential
element” in this form of deterrence. Regardless, Sullivan has laid out the argument that (1) a nation’s critical infrastructure is a
viable target not only in battle, but in a time of latent hostility and (2) that the willingness to use a IT-based civilian attack could
be a powerful deterrent. Robert Critchlow (2000) addressed the concept more directly, arguing that the threat and use of information warfare could
supplant the U.S. nuclear deterrent in military and foreign policy. Critchlow states that both the “utility and credibility” of U.S.
nuclear weapons as a deterrent have been called into question at a time when the United States faces more adversaries with
nuclear, biological, or chemical weapons. This situation of having increased need for deterrence and questionable means to
provide it emphasizes the need for a new alternative. Information warfare—specifically, “the use of computer network attacks
and electronic warfare techniques against the military systems and, especially, the national information infrastructure of an
antagonist”—can provide that alternative. Potential adversaries (the former rogue states) are very susceptible to information warfare attacks, Critchlow posits, because
their infrastructures (both civilian and military) are not as well developed as those of the West. Although he does discuss
strikes on enemy command and control, Critchlow directs most of his attention to civilian targets. With fewer redundancies,
those systems (such as the electric power grid, telecommunications, and air traffic control) are more likely to fail if attacked.
Oil refineries and nuclear reactors could also be potential targets. These well focused attacks should be a very valuable
deterrent. Information warfare attacks present a “range of options for threatening punishment against the targets adversaries
may well value, and they can help to limit the ability of an enemy to strike at U.S. forces or allies.” Another view of information warfare is that information itself might be enough to prevent conflict. This was one definition that
was presented in a 1995 article in the Economist. It stated that if information warfare “means something new, it is the use of
information as a substitute for traditional ways of fighting, rather than as an adjunct to them. . . . [namely,] by the
high-technology equivalent of brute force; by subversion; and by a new form of deterrence.” The first of these definitions
matches closely to the concept of IT-based civilian attack detailed above. As the article states, information infrastructure
would become a military target and attacked by cyber means, “destroying information systems with weapons of pure
information.” The second is very much in line with the combat networks interpretation, one in which information
technology—specifically, improved communication and organization—makes the “greatest contribution to [an insurgent’s]
struggles against the status quo.” It is the third, however, that is tied to deterrence, and introduces another spin on the possibilities of information warfare in the
form of perfect intelligence. The argument is based on the increased abilities of both sensors and simulators to detect and
predict conflicts in the short-term future.11 By detecting military build-ups and disseminating that intelligence, for example, the
United States could eliminate strategic surprise in a region with rising local hostilities. Similarly, the prediction of losses that
both sides would suffer could well convince them to search for a peaceful solution. This could be done not only “locally or
regionally, by establishing monitoring zones,” the article states, but also globally. The logical conclusion of this line of reasoning
is that conflicts between regional powers could be detected and deterred with the help of the United States and that greater
conflicts, including those involving the United States, could be demonstrated to be pointless, and thus deterred. In the ten publications reviewed in this paper, five different concepts of information warfare were explored. These ranged from
the relatively simple (augmented conventional attack) to the complex (combat networks). Of these, four hypothesized that the
United States can (or does) use information warfare as a deterrent. Two of these (Der Derian, 1994; Mahnken, 1995),
however, see information warfare as little more than a conventional attack, albeit a much more effective form that the United
States would be comfortable using. The third (Economist, 1995) has a number of dependencies. Sensors, for example, have
finite capability, and it is possible to deceive them. Although the article does call for humans to be a component of the
monitoring networks, people can be deceived, or bought, in other ways. Politics will also affect how the information is given
and received. Only Sullivan (1994) and Critchlow (2000) outline the use of IT-based attacks as a deterrent. In these
discussions, the use of IT-based attacks against the United States is barely addressed. Critchlow merely states that “as in the
nuclear era, political decision makers must consider carefully how close to the brink to go” to avoid retailiation in kind. In
addition to these uses as a deterrent, Arquilla and Ronfeldt (1993) argue that the United States could reap the benefit of
information warfare and use it as a deterrent by reorganizing the military. Three of the authors examined the threat of information warfare to the United States and concluded that the United States can
(or does) deter information warfare attacks. Wheatley and Hayes (1996) see this achieved primarily through military means,
whereas Devost (1995) identifies economic interdependence as another key factor. Thomas (1996) adds that international
law could be an effective deterrent force. In addition to those three, Barnett (1998) argues that the United States has the
potential to deter information warfare with thought and effort from political and military leadership. Only one author—Harknett
(1996)—feels that information warfare has little to no interaction with deterrence and does not encourage U.S. leaders to
pursue a deterrent strategy. Table 2 summarizes the authors’ conclusions. This review of the literature, however, illuminates other conclusions about information warfare in general and its relationship
with deterrence in particular. First, the lack of generally accepted definitions clearly demonstrates the immaturity of the field.
The lack of taxonomy reflects how little progress has been made in the theory of information warfare, even though some claim
that it is not a new phenomenon at all. Second, discussion of deterrence relies on high-level discussions about information
warfare and official policy. These, too, appear to be lacking and this helps explain why so little of the discussions of
information warfare and deterrence build upon one another. Finally, the literature clearly demonstrates that a conceptual
field—regardless of how poorly articulated—is developing. Whether information technology simply allows militaries to
operate better or is ushering in a new era in military affairs, the issues technology brings do exist, and the need to address
those issues is becoming increasingly urgent. 1 Geoffrey French is an Operations Coordination Manager for Veridian-Trident Data Systems and an Associate of the
Information Warfare Research Center. 2 The most common term for this is cyber war, but the phrase can also indicate an attack on military connectivity (see
Harknett, 1996), among other definitions. 3 Some authors use the phrase information operations to describe this aspect of information warfare. 4 Net war or network-centric warfare are common descriptors of this interpretation. Box 1, however, describes the other
ways authors have employed the phrase. 5 Some analysts refer to this as a strategic information attack or as strategic information warfare. 6 Arquilla and Ronfeldt use netwar to refer to “information-related conflict at a grand level between nations or societies.”
They define cyberwar to mean “conducting military operations according to information-related principles.” Because of the
emphasis on networked organization in the text, however, this paper categorizes the authors’ paper by the definition of
combat networks outlined above. 7 Information Warfare and Deterrence represents the work of a roundtable organized by the Institute for National Strategic
Studies Directorate of Advanced Concepts, Technologies, and Information Strategies. A full list of participants can be found
in Appendix A of that publication. 8 Although Wheatley and Hayes use cyber war to mean “attacks directed through computers and their connectivity.” The
highest level of this type of attack is a “strategic (catastrophic) attack” that includes targeting key industries. 9 The workshop also stated that a robust defensive computer security posture could also serve as a challenge to individual
hackers. 10 Harknett used the term cyberwar to indicate attacks on connectivity on the battlefield and netwar to mean attacks on
societal connectivity. 11 Michael O’Hanlon reviews the capabilities and limitations of both sensors and predictive military algorithms in
Technological Change and the Future of Warfare. BIBLIOGRAPHY Barnett, R. W. 1998. Information operations, deterrence, and the use of force. Naval War College Review 51(2):7–19. Critchlow, R. D. 2000. Whom the gods would destroy: An information warfare alternative for deterrence and compellence.
Naval War College Review 53(3):21–38. Der Derian, J. 1994. Cyber-deterrent. Wired 2(9):116–122; 158. Devost, M. G. 1995. National security in the information age. Thesis. University of Vermont. Posted on the web site of the
Terrorism Research Center. Economist. 1995. The ties that bind. Economist 335:Special Sup 18–20. Harknett, R. J. 1996. Information warfare and deterrence. Parameters 1996 (Autumn):93–107. Joint Chiefs of Staff. 1998. Joint Pub 3-13: Joint Doctrine for Information Operations. Washington D.C.: U.S. Department of
Defense. Libicki, M. 1995. What Is Information Warfare? ACIS Paper 3. Washington D.C.: National Defense University Press. Mahnken, T. G. 1995. War in the Information Age. Joint Force Quarterly 1995–96 (Winter):39–43. O’Hanlon, M. 2000. Technological Change and the Future of Warfare. Washington D.C.: Brookings Institution Press. Sullivan, Jr., L. 1994. Meeting the Challenges of Regional Security. Carlisle, Penn.: Strategic Studies Institute, U.S. Army
War College. Schwartau, W. 1994. Information Warfare: Chaos on the Electronic Superhighway. New York: Thunder’s Mouth Press. Thomas, T. L. 1996. Deterring information warfare: A new strategic challenge. Parameters 1996–97 (Winter):81–91. Wheatley, G. F., and R. E. Hayes. 1996. Information Warfare and Deterrence. Washington D.C.: National Defense
University Press. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||