Shunning the Frumious Bandersnatch: Current Literature on Information Warfare

Attempts to link information warfare and deterrence were inevitable. Emerging at the end of the Cold War, the concept of information warfare seemed to offer new relevancy for old doctrines, policies, or ideas. Many leaders and analysts, searching for new foreign policy priorities and grand strategies, have linked information warfare to a range of issues, from terrorism to weapons of mass destruction. Similarly, it has been linked to deterrence, one of the most important concepts that underpinned the Cold War. The relationship between information warfare and deterrence, however, is still very ambiguous due to the

wide range of perspectives, interpretations, and conclusions about both concepts. This paper endeavors to describe the literature that connects information warfare and deterrence, explaining the definitions used and the associations assigned.

DEFINITIONS OF INFORMATION WARFARE

The first step in any discussion of information warfare is to define the term. Although the phrase is used frequently in military

and strategic planning circles, seldom do two groups use the phrase similarly. A number of authors have written widely

accepted definitions. Winn Schwartau (1994), for example, defines information warfare as “an electronic conflict in which

information is a strategic asset worthy of conquest or destruction. Computers and other communications and information

systems become attractive first-strike targets.” In contrast, Martin Libicki (1995) defines the term more broadly to include

“command-and-control, intelligence-based warfare, electronic warfare, psychological warfare, hacker warfare, economic

information warfare, and cyberwarfare.” There are a number of other definitions for the phrase, but at least five are pertinent

to the literature that discusses its role in deterrence.

Unfortunately, in the same way that the concept of information warfare varies widely among authors, the growing jargon in the

field also tends to be adrift. Terms such as cyber war and net war have so many meanings and nuances, that the words

quickly become confusing or lose their meaning altogether (see, for example, Box 1). Before too long, the articles seem to

have been written by Lewis Carroll, with dire warnings of the Jabberwock, the Jubjub bird, and the frumious Bandersnatch.

To avoid the pitfalls of adopting terms with disputed definitions or nuances, this paper employs new descriptors in an attempt

to be clearer, if less marketable. At the risk of oversimplification, then, the categories of information warfare and the ways

each defines the phenomenon as something unique or new are as follows. The first interpretation of information warfare as a

new military phenomenon is augmented conventional attack.² This term reflects recent developments in information

technology (IT)—specifically in computers and communications—that have brought about new ways of integrating and

organizing conventional forces. IT-based military attack, on the other hand, addresses new military targets that can be

attacked by cyber or conventional forces.³ The concepts are blended in the term combat networks.⁴ This term focuses on

organizational structures enabled by new technologies, and emphasizes that these bring about new military targets. Analysts

who explore this topic tend to agree that a military requires a network-based organization (as opposed to the traditional

military hierarchical organization) to attack network-based threats. IT-based civilian attack addresses the new civilian targets

that can be attacked with cyber or physical forces.⁵ Finally, proponents of perfect intelligence speculate that nations can use

information to prevent military conflict altogether.

Because these definitions differ greatly across the spectrum of information warfare, they also drive the relationship with

deterrence. For this reason, the publications reviewed in this paper are grouped by their interpretations of information warfare

(see Table 1). It is important to note, however, that some authors either use a broad definition of information warfare or

definitions that address multiple categories. In those cases, the aspect of information warfare that has the highest overlap with

deterrence determines the categorization.

RELATIONSHIPS TO DETERRENCE

Augmented Conventional Attack

Some theorists believe that the world has already witnessed information warfare in the conflicts between Iraq or Yugoslavia

and the United States and its allies. In this view, information warfare is essentially superior conventional strength. Not only are

U.S. weapons better than any other military’s, but advances in computers and communications have led to a method of

integrating conventional forces so well that a new type of fighting emerges: augmented conventional attack. Information

warfare, therefore, is a method of integrating conventional forces to further increase their effectiveness and lethality. If

thoroughly integrated, the fighting force becomes a “system of systems.” For example, information from multiple systems that

identify enemy targets is processed by a system that prioritizes them and tasks multiple systems that destroy targets.

James Der Derian explored this concept in 1994, arguing that “cyber-deterrence”—that is, the powerful integration of

conventional forces, technological exhibitionism, and strategic simulations—could be so overwhelming to other nations that it

could replace nuclear deterrence. Although an adversary might doubt U.S. resolve to use nuclear weapons or to get involved

in a protracted conventional war, it would be foolish to assume that the United States would not engage in quick, spectacular

wars. Information warfare allows the United States to do just that. Impressive simulations and exercises serve the purposes of

nuclear testing: “to render visible and plausible the cyber-deterrent for all . . . that might not have sufficiently learned the lesson

of the prototype cyberwar, DESERT STORM.”

Thomas Mahnken went a step further in 1995, introducing the concept of “shock warfare.” Although Mahnken begins with a

rather modest definition for information warfare (the means “by which a state denies or manipulates the intelligence available to

an enemy”), he argues that, if done exceptionally well, augmented conventional attack can even ignore the methods and goals

of attrition warfare. By coupling information warfare with long-range precision-guided munitions, the United States may have

invented a new “era in conflict based on paralysis and shock rather that attrition.” Long-range attacks against an enemy’s

force and disruption of its coordination would “crush its will to resist.” This might be achieved before forces meet on the

battlefield. By striking at an enemy’s “command and control networks, civil telecommunications, and even military and civilian

leaders,” the pre-battle information suppression operation itself might “shatter an enemy’s will to fight and force it to sue for

peace.” In other words, information warfare augments the ability and lethality of U.S. conventional forces to the point that they

become a very powerful deterrent. Furthermore, even if an enemy prepares to combat the United States and its allies, a

thorough strike against its leadership targets and command-and-control infrastructure would cause it to sue for peace.

IT-Based Military Attack

Some theorists would argue that the targets of shock warfare (as described above) are more important than the systems

attacking them. This interpretation of information warfare—IT-based military attack—focuses less on the integration of

military forces and more on the new targets that new technology brings. Although many armies have targeted an enemy’s

command-and-control structure in the past, new technologies have introduced both new capabilities and vulnerabilities,

creating new methods of attacking those structures. Information warfare, therefore, encompasses both physical and cyber

methods of attacking enemy information and information networks.

Roger Barnett addressed the role that IT-based military attack plays in deterrence in 1998. His article uses the U.S.

Department of Defense definition of information operations: “actions taken to affect adversary information and information

systems while defending one’s own information and information systems” (Joint Chiefs of Staff, 1998). Although he does not

identify any specific targets that the United States might attack, he implies that they should consist of military targets, referring

to “enemy systems” or “an adversary’s computer,” while adding that “noncombatants must not be targeted directly.” He does

acknowledge that other nations may target U.S. civilian infrastructure. Barnett argues that the United States can both deter

information warfare and use it as a deterrent, but both will require much more work in policy. The United States has a strong

willingness to deter a strategic information attack through denial (making the likelihood of success unacceptably low), for

example, but suspect capability to do so. Conversely, the United States has a strong capability to deter attacks through

punishment (making the costs of an attack unacceptably high), but a questionable will to retaliate for an information attack.

The United States needs to be clear, he states, about how it would retaliate for an attack on its critical infrastructure and

identify the context in which IT-based military attack would be an acceptable tool for U.S. interests.

Barnett highlights an important nuance to U.S. policy. The U.S. Department of Defense defines information warfare as

“information operations conducted during a time of crisis or conflict to achieve or promote specific objectives over a specific

adversary or adversaries.” Although the definition seems to be of little use, being entirely dependent on the definition of

“information operations,” it does belie a fundamental conceptual judgement: Information warfare is defined more by the

conditions surrounding the actions than the actions themselves. Barnett argues that engagement in IT-based military attack

should not be considered a use of force. “Careful, controlled use of these particular information operations could fortify

deterrence in peacetime—both general and focused. Employment in peace, crisis, and war, unencumbered by the baggage

that attends the use of force, would render the information operation an integral, high-leverage instrument of statecraft.”

Timothy Thomas (1996) discusses both attacks on military targets and on civilian critical infrastructure, which is discussed

below (see IT-Based Civilian Attack). Because he treats information assaults as essentially a military phenomenon, however,

his article is included here, under IT-based military attack. Thomas describes “information assaults” that use advanced

information technologies to “defeat an opposing force or damage a state infrastructure.” Thomas likens information warfare to

nuclear warfare because they both can target entire civilian populations even though they are military weapons. For similar

reasons, he believes that information assaults can be deterred just as nuclear attacks were during the Cold War. Through

international law, arms control (i.e., agreement to limit the “information component or potential of a weapon” and thereby its

“lethality and accuracy”), and early warning systems, governments can endeavor to limit the scope or onset of information

warfare. In addition to treaties and agreements, state infrastructures might be protected in that they may not be viable targets.

As global systems tie more nations together, singling out a particular nation’s infrastructure will become increasingly difficult. In

other words, the “growing business of transnational relations,” Thomas states, “may itself have a deterrent effect.”

Combat Networks

A third interpretation of information warfare blends augmented conventional attack and IT-based military attack. Some

analysts point out that new technology allows new methods of organizing a fighting force (not just better integration of current

organization). A networked organizational structure would have a number of benefits, such as increased flexibility and reduced

reaction time. Although traditional militaries have a difficult time with organizational change on this scale, smaller militaries,

insurgent groups, and non-state actors may be able to accomplish it. Furthermore, effectively combating a group with such an

organization would require, at a minimum, knowing the key targets within it, and possibly being organized as a network to

combat it at all.

John Arquilla and David Ronfeldt described this type in information warfare in 1996.⁶ The authors observed that improved

technology allows military forces to be lighter, more mobile, and better able to concentrate fire quickly (compare with Der

Derian and Mahnken, above). The key to capitalizing on those improvements, however, is more thorough “decentralization of

command and control.” Coupled with better intelligence from better sensors, intelligence, and communications, a networked

force could quickly strike “information and communications systems” (compare with Barnett, above). Combat networks,

therefore, become a new way of fighting. Arquilla and Ronfeldt emphasize, however, that the organization is more important

than the intelligence or sophistication of the weapons. A networked organization will be able to gather, process, and

disseminate information better than a hierarchical organization. This, the authors contend, is key in preventing a war from

arising. “Deterrence in a chaotic world may become as much a function of one’s cyber posture and presence as of one’s force

posture and presence.” The future, the authors add, “may belong to whoever masters the network form.”

IT-Based Civilian Attack

Still others see a new type of attack altogether as information warfare. One of the different aspects of information warfare that

Gary Wheatley and Richard Hayes (1996) identify is IT-based civilian attacks, defined as physical or computer attacks that

would “do great harm to the United States. Destruction of the systems that control systems in key industries and leave them so

they cannot be repaired promptly.”⁷ Wheatley and Hayes are the most thorough of any authors in defining deterrence and the

necessary components for it to function. They also entertain the broadest scope for information warfare, but in doing so, do

not deliver a succinct definition. They do, however, clearly state where information warfare applies to deterrence and limit

their discussion to three areas: (1) IT-based civilian attack, (2) media war, and (3) augmented conventional attack.

Augmented conventional attack (or “offensive information warfare,” of which DESERT STORM is an example) is seen as a

deterrent to other nations, and given relatively little discussion. They include media war—“the use of television images to

change or modify the political will of an opponent”—to be thorough in their discussion of information warfare, but

acknowledge that it has minimal relationship with deterrence. Although the authors emphasize that information warfare takes

many shapes depending on the actors, their relationship, and the substantive domain in which they interact, IT-based civilian

attack is discussed the most (and the reader can assume given the most weight).⁸

Wheatley and Hayes acknowledge that the United States is the largest target for information warfare, and deterring a

potentially strategic attack on civilian infrastructure targets should be a high priority. They argue that this type of attack is

deterred by robust computer security⁹ and diplomatic or military intervention. “Some information warfare attacks on the

United States,” they state, “are deterred by the same policy that deters other types of attacks.” The core conclusion,

therefore, is that IT-based civilian attacks can be deterred and that the United States “already has basic policies in place that

serve as effective deterrents in many circumstances.”

Like Thomas, above (see IT-Based Civilian Attack), Richard Harknett (1996) addressed both deterrents to attacks on

military targets (“connectivity on the battlefield”) and civilian targets (“societal connectivity”).¹⁰ Whereas Thomas gave more

weight to the consideration of military targets when considering deterrence, Harknett argues that the civilian targets are more

important in terms of deterrence. Military networks should be built with robustness and redundancy in mind, giving them

greater sustainability in the face of an attack. Societal connectivity, on the other hand, is more vulnerable at three levels: “the

personal, the institutional, and the national.” An adversary might attack a single person, through his or her electronic records,

or a single institution, such as a business or an industry. More worrisome are attacks on a region’s or nation’s infrastructure: its

transportation, communication, or financial systems.

But just as deterrence has a strained relationship with IT-based military attack (the ability to absorb the attack makes it less of

a threat, and less punishable), deterring a civilian attack is also problematic. Although an adversary might be deterred by the

interconnected nature of modern infrastructure (see Thomas above and Devost below), the possibility of undertaking an attack

without being identified may be incentive enough to attempt an attack. The most significant problem in basing defense of

information warfare on deterrence is that “the attack may not emanate from a state at all.” If terrorists or organized crime, for

example, attack U.S. infrastructure, few courses of action are available, and fewer still for military retaliation. Ultimately, the

United States will be better served by developing an “imposing offensive capability and a formidable ability to defend” rather

than tailoring a deterrence strategy to specific adversaries.

Matthew Devost (1995) addressed deterrents to attacking the U.S. infrastructure in his thesis “National Security in the

Information Age.” Although he uses a broad definition for information warfare—destroying information, reducing information

flows, reducing the reliability of information content, and denying access to services—Devost identifies three deterrents to

waging information warfare: economic interdependence, fear of escalation, and lack of technical expertise. Of these, he names

the first as the most significant, and it clearly applies to attacks on civilian (in this case financial) infrastructure. As the

economies of nations become increasingly interdependent, the more likely it is that “nations will feel the economic aftershocks

of economic instability,” especially sudden, drastic effects that could follow a strategic information attack. For countries that

are part of the global market, an IT-based civilian attack may be too costly to undertake.

The reverse of this—the use of IT-based civilian attack as a deterrent—was obliquely discussed by Leonard Sullivan in 1994.

Although it was questionable to include his paper in this review (he never uses the term information warfare), he does describe

all the essential elements of a IT-based civilian attack and argues for its use in deterring aggressive behavior. The paper

addresses the effects of the end of the Cold War on regional security and calls for regional security apparatuses (RSAs) to

enforce international law and oppose aggression or gross violations of human rights within their communities or geographic

area. Each RSA would have a collective foreign policy and take collective measures to check and then correct the aggressive

party. It is in his description of “nonlethal ‘persuasion’” that he lays the groundwork for IT-based civilian attack as a deterrent.

Sullivan describes “confidence-destroying measures” as means that could become “acceptable forms of persuasion at the

national level” whose purpose is to “reduce the assurance of the perpetrators or their followers that their actions or cause can

produce the desired results.” More specifically, they might “convince their publics that their leaders can no longer keep their

national infrastructure operating at tolerable levels.” To achieve this, the RSA engage in “very specialized high-tech covert

activities.” Unfortunately, the author does not get much more specific about these activities. Although he does state that

“dependence on high-tech electronic systems” is a considerable vulnerability, and names financial systems, mass

communication systems, and the electrical grid as potential targets, he is unclear about the methods of attacking them in

non-physical ways. These targets, for example, “can be rendered inoperable without destroying them,” a task to be

undertaken by “high-tech special forces” who “‘get into’ any or all of these systems and sow confusion or doubt.” Beyond

that, the reader can only guess what activities are included in Sullivan’s term “dirty tricks” that “could become an essential

element” in this form of deterrence. Regardless, Sullivan has laid out the argument that (1) a nation’s critical infrastructure is a

viable target not only in battle, but in a time of latent hostility and (2) that the willingness to use a IT-based civilian attack could

be a powerful deterrent.

Robert Critchlow (2000) addressed the concept more directly, arguing that the threat and use of information warfare could

supplant the U.S. nuclear deterrent in military and foreign policy. Critchlow states that both the “utility and credibility” of U.S.

nuclear weapons as a deterrent have been called into question at a time when the United States faces more adversaries with

nuclear, biological, or chemical weapons. This situation of having increased need for deterrence and questionable means to

provide it emphasizes the need for a new alternative. Information warfare—specifically, “the use of computer network attacks

and electronic warfare techniques against the military systems and, especially, the national information infrastructure of an

antagonist”—can provide that alternative.

Potential adversaries (the former rogue states) are very susceptible to information warfare attacks, Critchlow posits, because

their infrastructures (both civilian and military) are not as well developed as those of the West. Although he does discuss

strikes on enemy command and control, Critchlow directs most of his attention to civilian targets. With fewer redundancies,

those systems (such as the electric power grid, telecommunications, and air traffic control) are more likely to fail if attacked.

Oil refineries and nuclear reactors could also be potential targets. These well focused attacks should be a very valuable

deterrent. Information warfare attacks present a “range of options for threatening punishment against the targets adversaries

may well value, and they can help to limit the ability of an enemy to strike at U.S. forces or allies.”

Perfect Intelligence

Another view of information warfare is that information itself might be enough to prevent conflict. This was one definition that

was presented in a 1995 article in the Economist. It stated that if information warfare “means something new, it is the use of

information as a substitute for traditional ways of fighting, rather than as an adjunct to them. . . . [namely,] by the

high-technology equivalent of brute force; by subversion; and by a new form of deterrence.” The first of these definitions

matches closely to the concept of IT-based civilian attack detailed above. As the article states, information infrastructure

would become a military target and attacked by cyber means, “destroying information systems with weapons of pure

information.” The second is very much in line with the combat networks interpretation, one in which information

technology—specifically, improved communication and organization—makes the “greatest contribution to [an insurgent’s]

struggles against the status quo.”

It is the third, however, that is tied to deterrence, and introduces another spin on the possibilities of information warfare in the

form of perfect intelligence. The argument is based on the increased abilities of both sensors and simulators to detect and

predict conflicts in the short-term future.¹¹ By detecting military build-ups and disseminating that intelligence, for example, the

United States could eliminate strategic surprise in a region with rising local hostilities. Similarly, the prediction of losses that

both sides would suffer could well convince them to search for a peaceful solution. This could be done not only “locally or

regionally, by establishing monitoring zones,” the article states, but also globally. The logical conclusion of this line of reasoning

is that conflicts between regional powers could be detected and deterred with the help of the United States and that greater

conflicts, including those involving the United States, could be demonstrated to be pointless, and thus deterred.

CONCLUSIONS

In the ten publications reviewed in this paper, five different concepts of information warfare were explored. These ranged from

the relatively simple (augmented conventional attack) to the complex (combat networks). Of these, four hypothesized that the

United States can (or does) use information warfare as a deterrent. Two of these (Der Derian, 1994; Mahnken, 1995),

however, see information warfare as little more than a conventional attack, albeit a much more effective form that the United

States would be comfortable using. The third (Economist, 1995) has a number of dependencies. Sensors, for example, have

finite capability, and it is possible to deceive them. Although the article does call for humans to be a component of the

monitoring networks, people can be deceived, or bought, in other ways. Politics will also affect how the information is given

and received. Only Sullivan (1994) and Critchlow (2000) outline the use of IT-based attacks as a deterrent. In these

discussions, the use of IT-based attacks against the United States is barely addressed. Critchlow merely states that “as in the

nuclear era, political decision makers must consider carefully how close to the brink to go” to avoid retailiation in kind. In

addition to these uses as a deterrent, Arquilla and Ronfeldt (1993) argue that the United States could reap the benefit of

information warfare and use it as a deterrent by reorganizing the military.

Three of the authors examined the threat of information warfare to the United States and concluded that the United States can

(or does) deter information warfare attacks. Wheatley and Hayes (1996) see this achieved primarily through military means,

whereas Devost (1995) identifies economic interdependence as another key factor. Thomas (1996) adds that international

law could be an effective deterrent force. In addition to those three, Barnett (1998) argues that the United States has the

potential to deter information warfare with thought and effort from political and military leadership. Only one author—Harknett

(1996)—feels that information warfare has little to no interaction with deterrence and does not encourage U.S. leaders to

pursue a deterrent strategy. Table 2 summarizes the authors’ conclusions.

This review of the literature, however, illuminates other conclusions about information warfare in general and its relationship

with deterrence in particular. First, the lack of generally accepted definitions clearly demonstrates the immaturity of the field.

The lack of taxonomy reflects how little progress has been made in the theory of information warfare, even though some claim

that it is not a new phenomenon at all. Second, discussion of deterrence relies on high-level discussions about information

warfare and official policy. These, too, appear to be lacking and this helps explain why so little of the discussions of

information warfare and deterrence build upon one another. Finally, the literature clearly demonstrates that a conceptual

field—regardless of how poorly articulated—is developing. Whether information technology simply allows militaries to

operate better or is ushering in a new era in military affairs, the issues technology brings do exist, and the need to address

those issues is becoming increasingly urgent.

ENDNOTES

¹ Geoffrey French is an Operations Coordination Manager for Veridian-Trident Data Systems and an Associate of the

Information Warfare Research Center.

² The most common term for this is cyber war, but the phrase can also indicate an attack on military connectivity (see

Harknett, 1996), among other definitions.

³ Some authors use the phrase information operations to describe this aspect of information warfare.

⁴ Net war or network-centric warfare are common descriptors of this interpretation. Box 1, however, describes the other

ways authors have employed the phrase.

⁵ Some analysts refer to this as a strategic information attack or as strategic information warfare.

⁶ Arquilla and Ronfeldt use netwar to refer to “information-related conflict at a grand level between nations or societies.”

They define cyberwar to mean “conducting military operations according to information-related principles.” Because of the

emphasis on networked organization in the text, however, this paper categorizes the authors’ paper by the definition of

combat networks outlined above.

⁷ Information Warfare and Deterrence represents the work of a roundtable organized by the Institute for National Strategic

Studies Directorate of Advanced Concepts, Technologies, and Information Strategies. A full list of participants can be found

in Appendix A of that publication.

⁸ Although Wheatley and Hayes use cyber war to mean “attacks directed through computers and their connectivity.” The

highest level of this type of attack is a “strategic (catastrophic) attack” that includes targeting key industries.

⁹ The workshop also stated that a robust defensive computer security posture could also serve as a challenge to individual

hackers.

¹⁰ Harknett used the term cyberwar to indicate attacks on connectivity on the battlefield and netwar to mean attacks on

societal connectivity.

¹¹ Michael O’Hanlon reviews the capabilities and limitations of both sensors and predictive military algorithms in

Technological Change and the Future of Warfare.

BIBLIOGRAPHY

Arquilla, J. J., and D. F. Ronfeldt. 1993. Cyber war is coming. Comparative Strategy 12:141–165.

Barnett, R. W. 1998. Information operations, deterrence, and the use of force. Naval War College Review 51(2):7–19.

Critchlow, R. D. 2000. Whom the gods would destroy: An information warfare alternative for deterrence and compellence.

Naval War College Review 53(3):21–38.

Der Derian, J. 1994. Cyber-deterrent. Wired 2(9):116–122; 158.

Devost, M. G. 1995. National security in the information age. Thesis. University of Vermont. Posted on the web site of the

Terrorism Research Center.

Economist. 1995. The ties that bind. Economist 335:Special Sup 18–20.

Harknett, R. J. 1996. Information warfare and deterrence. Parameters 1996 (Autumn):93–107.

Joint Chiefs of Staff. 1998. Joint Pub 3-13: Joint Doctrine for Information Operations. Washington D.C.: U.S. Department of

Defense.

Libicki, M. 1995. What Is Information Warfare? ACIS Paper 3. Washington D.C.: National Defense University Press.

Mahnken, T. G. 1995. War in the Information Age. Joint Force Quarterly 1995–96 (Winter):39–43.

O’Hanlon, M. 2000. Technological Change and the Future of Warfare. Washington D.C.: Brookings Institution Press.

Sullivan, Jr., L. 1994. Meeting the Challenges of Regional Security. Carlisle, Penn.: Strategic Studies Institute, U.S. Army

War College.

Schwartau, W. 1994. Information Warfare: Chaos on the Electronic Superhighway. New York: Thunder’s Mouth Press.

Thomas, T. L. 1996. Deterring information warfare: A new strategic challenge. Parameters 1996–97 (Winter):81–91.

Wheatley, G. F., and R. E. Hayes. 1996. Information Warfare and Deterrence. Washington D.C.: National Defense

University Press.