We don't know. In particular, we don't know what groups, with what technical skills, might be able to manipulate or disrupt the flow of information on which our society and our armed forces depend. Nor do we fully understand what the consequences of such acts would be. Our reliance on information technology has grown much faster than our grasp of the vulnerabilities inherent in the networks, systems and core technologies that knit the nation together. Last, we don't know enough about what we can do to prevent or neutralize hostile acts in cyberspace. But we do know that we are vitally dependent upon information systems and networks in most important aspects of American life. So we have to take this problem very seriously even though we are not now able to estimate its magnitude.
Should we be more concerned about vulnerabilities on the battlefield or on the home front?
There is more uncertainty and more potential for disruption in the domestic and economic spheres than in the military arena. Our military commanders are accustomed to dealing with changing threats, battlefield confusion and degraded operational conditions. Thus, they should be more resilient and more able to work around damage done by information warfare. Also, in combat, the military has a wide range of responses to any sort of situation, including infowar attacks. By contrast, we at home are not well rehearsed in defending ourselves. Americans are accustomed to things working--whether it's telephones, light switches, automatic tellers or air traffic control--and we give little thought to what could go wrong until it does. If the systems we take for granted start going haywire because someone or some group is tampering with them, we could be in for some very rude shocks. RAND's research and games are designed to raise and clarify the problems before a real crisis occurs.
Is there a role for the federal government in safeguarding the civilian information infrastructure, or should the private sector be left alone to deal with the inevitable problems?
The main burden must rest on the private sector, with government in a supporting role. Private providers and users of information technology have their own strong reasons to reduce vulnerabilities in cyberspace, not the least being that vital business and financial transactions are increasingly conducted there. Moreover, the expertise needed to improve network and computer security lies with the designers, developers and operators of commercial systems. The government can't--and shouldn't try to--replicate that massive capability.
It's important to remember that there is a certain self-healing potential in information networks--remarkable flexibility and redundancy that allow a given system to be bypassed and functions to be rerouted in the event of an accident or attack. I believe cyberspace security should be robust, not fragile. But the private suppliers and users of information technology will decide that, not the government.
What the government can do is understand where public interests are likely to be affected by vulnerabilities in these systems and then offer its encouragement, resources and organizing genius to guide the private sector toward a solution. This role assumes a high order of importance where national security initiatives are concerned, of course.
Some argue that only by exploiting America's overwhelming advantage in information technology can a much smaller Army meet the many challenges to national security in the 21st century. That is an appealing argument in an era of sharply reduced resources, but is it realistic?
The military potential of information technology is best understood in the context of U.S. strategy, which relies on the ability to project power--massively if need be--to distant parts of the world. Flexibility, speed, mobility, the utilization of long-range weapons, the ability to take the battle wherever we want when we want--these are all crucially dependent on forms of information technology. Our information advantage enables us to maintain that overall superiority at an affordable cost. I cannot say that the more we invest in information technology the smaller our forces can be. But I will say that these technologies are the essence of how we have achieved and will preserve global military superiority.
Some go further and suggest that, with its "gee-whiz" technology, information war may be able to avoid some of the battlefield's lethal, bloody and dirty consequences. Is that a reasonable hope?
It's not reasonable to hope that war will become anything less than "hell," as Sherman put it, because of information technology. I don't believe the day will come that the United States or its adversaries will be conducting battles with electrons instead of deadly force.
Information war offices are being set up in the Army, Navy and Air Force. In the scramble for budget and turf to pursue this hot new concept, is there a danger that existing, information-related problems will be overlooked? Should we be concerned that the preoccupation with information warfare might distort thinking about broad U.S. military policy and strategy?
We should not be concerned about the recent excitement over information warfare. Frankly, I think it's healthy and very American for numerous people and institutions to take initiative, even if they do not always move in exactly the same direction.
That is typical of any attempt to understand a new problem. At this stage the more ideas the better, the more analysis the better, the greater the awareness the better. I don't see any of these activities as being wasteful or distorting our thinking about more mundane and immediate aspects of American defense policy. We should have a high tolerance for the willingness of offices and people throughout the Defense Department and other parts of the government to take up a new challenge. Far better this than have people so stuck in the rut of conventional thinking that they are unable to see a new threat that requires new approaches.
As more and more nations "connect" to the world network and as individual connections within those nations become more common, threats in cyberspace are becoming transnational. The upshot is that no nation has sovereignty over cyberspace. How can the United States develop an effective strategy for protecting vital information in this environment?
By working with our existing friends and allies--who happen to be the very countries that have the most to gain from such cooperation and the most to lose by refusing. What's more, they are the same countries with whom we have a tradition of successful cooperation on common security problems. This is probably not the time for a major U.S. initiative, but some consciousness-raising and quiet activity with our friends might be timely at this stage.
RAND's Home Page