From: iw@all.net
Subject: IW Mailing List iw/951212
---------------------------------------------
Moderator's Note:
	Historical versions of the IW mailing list are now on-line and
	searchable at URL:	http://all.net/	under
		browse -> Info-sec gopher -> IW
		search -> Info-sec gopher
---------------------------------------------
Date: Mon Dec 11 21:28:46 1995
From: x85899c4@cadet2.usma.edu (Whyte Jesse CDT)
Subject: Re: IW Mailing List iw/951211

I think that alot of people are taking IW too far, too fast.  In Desert
Storm, or so the rumor goes, the United States Armed Forces pre-empted
their air barrage with coordinated Information-oriented strikes to take
out the C^3-I of the Iraqi military.  [see Campen - AFCEA Press - "The
First Information War" for examples] However, even with the IW attacks,
it still took a massively coordinated, well-prepared invasion by a
real-time military force.  IW is a powerful medium and surely is an
effective force in modern warfare, however it is not a solution to all
of our international troubles... 
---------------------------------------------
Date: Tue, 12 Dec 1995 02:46:35 -0500
From: boneill@mail.alliance.net

I've been researching IW as a side interest for a couple years, and I
find myself being dragged in deeper and deeper.  Initially stepped into
the whole IW field through a marriage of interests in
post-structuralism, international economics, cryptography, and sciences
of complexity.  To boil that down into something resembling context: I'm
interested in emergent media and the problems in defining informational
terrorism and security in such an environment. 
---------------------------------------------
Date: Mon, 11 Dec 1995 20:25:45 -0800
From: Joel McNamara 
Subject: Information warfare list

I provide computer security consulting services and am particularly
interested in the implications of information warfare being waged in the
corporate environment (ranging from mundane corporate espionage to more
sophisticated, computer-based attacks on the infrastructure).  My frame
of reference is oriented toward IW conducted by "hackers" (crackers,
etc.  - fill in the noun you're most comfortable using). 
---------------------------------------------
Date: Tue, 12 Dec 1995 11:22:39 GMT
From: Johann O Jokulsson 
Subject: Re: IW Mailing List iw/951211

>	weeks" policy.  The eyes of the list are upon you (O) (O)

My, what big eyes you have grandma :-)

I think that it's time I jumped into the fray with the following:

 "Anyone remember the Biafra children? Those images of starving children
 seen on the front page of almost every newspaper at the time? Well, it
 seems that one party in that civil war went and got themselves a London,
 England based advertising agency to handle their public relations and
 that was in the 60's or 70's.  This same agency has handled other
 clients as well, the latest among them being the Bosnian government."

I saw the above in a article in a reputable local newspaper, something
that they had gotten from Reuter, AP (or whatever), buried in the
innards where it's almost guaranteed to miss being noticed by anyone. 
Kind of makes you wonder how much of what the press publishes is _pure_
propaganda. 

Hows that for IW? Opinion shaping, information access control, let the
professionals handle it ;-)
---------------------------------------------
From: jdunnigan@genie.com
Date: Tue, 12 Dec 95 11:07:00 UTC 0000
Subject: IW Mailing List iw/951211

  > First, let me recommend Jim's new book (with Albert A.  Nofi, published
...
  > simulations fostered under him varied from -Harpoon-, the excellent
...

Nope, didn't do Harpoon, that was Larry Bond, but Larry was heavily
influenced by my work (and, of course, the century old field of naval
minatures wargames.) GDW published the first, manual, version of
Harpoon. 

...
  > take a small step back from the world of 'boys and toys,' I consider one
  > of the past masters of information warfare to be Gandhi.  He certainly
  > 'fought' one hell of a battle to gain self-rule for his people, possibly
  > the most successful one in history on a purely per capita basis.  During
  > the course of his long struggle, deception was not one of his tools--in
  > fact, if he had ever tried to deceive, it would have destroyed the
  > tremendous symbolic value he had to friend and foe alike.  [Any comments
...
  > Truth may not set you free, but it makes a damned fine weapon under the
  > right circumstance.  Is that deceit as well, or just conceit on my part?

Ghandi is one of the more recent "Great Teachers" who have shaken the
world (or at least their part of it) with little beyond words and ideas. 
In the 19th century you had that fellow in China claiming he was the
brother of Jesus.  The resulting conflict killed over 20 million people
and brought down the monarchy (well, set it up for the pre-WW I
rebellions that did succeed.)

There have been many earlier religious, or quasi religious (like Master
Kung, or Confucius) leaders who have changed thier societies with words. 
Do we consider Confucius an InfoWarrior?

The Byzantines, some 1,000 years ago, were the masters of what you
describe as InfoWar, but they did it with words and deeds.  Their
opponents were often illiterate.  The Byzantines snookered the Europeans
with such regularity that, to this day, "Byzantine methods" is not taken
as a compliment. 

Ghandi used mass media because it was there and he was an educated
fellow who knew the impact of the mass media.  The mass media is a new
venue, not a new world. 
---------------------------------------------
Subject: information IN warfare and definitions
Date: Tue, 12 Dec 1995 06:41:40 -0500 (EST)
From: fc@all.net

I thought it might be helpful in understanding the definition of IW to
consider a distinction made in the 1994 DSB Summer Study on "Information
Architecture for the Battlefield".

In this study, they differentiate "Information Warfare" from
"Information In Warfare" as follows:

Information In Warfare is [something like] the ability of suppliers of
information to distribute necessary information to the warfighting
commander and to manipulate control of that which is available to the
enemy.  - and elsewhere as the "..information paradigm that [matches
the] concept of operations..."

Information Warfare is [something like] soft war against the "integrity
of information systems that are a key enabler of military superiority"

This may be a distinction without a difference, but I think it's worth
considering. 
---------------------------------------------
Date: Tue, 12 Dec 1995 08:18:21 -0500 (EST)
From: Sick Puppy 
Subject: Re: IW Mailing List iw/951211

> I am very skeptical about Information Warfare and whether it really
> exists. ... Is there really such a
> thing as information warfare or is it just unrestricted fantasy? ...

My site was "accidently" attacked by the Defensive Information Warfare
System.  We ended up with US Navy dudes in-house trying to trace who had
hacked their system and was now attacking us.  When they found out
who/what/where they were unable to tell us anything because their side
of the incident was classified.  All I found out was that (1) the US
Navy has an information warfare program, run out of San Diego and (2)
that their system cannot break through a TIS Gauntlet firewall. 

Yes, it really exists.
---------------------------------------------
Date: Tue, 12 Dec 95 09:10:44 EST
From: s.schuster@att.com (Steve Schuster)
Subject: Confused

I'm a little confused.  

Can someone please differentiate IW and good 'ole intelligence gathering
and propaganda? It seems to me, the US, and almost every other country,
has been involved in these two techniques of "warfare" for many years. 

New techniques are continually researched and new sources of information
are continually sought.  If a country exploits the information gathered
form one of these new sources, is this IW? If a government uses the
information gathered from an insider of a foreign banking establishment
to "guide" future investments strategies, is this IW?

Referring back to the CNN example of US flag burners, in my opinion and
in the opinions of some others on this list (I think) this is simply
media propaganda in a effort to raise support of US troops overseas. 
This is IW?

If all of the above examples are forms of IW, then what's new?

Is the term IW simply a new buzz word to include, but certainly not be
limited to, intelligence gathering and dissemination, propaganda to sway
public opinion, the ability to deny a potential enemy information
through various means, or the exploitation of internet protocol flaws to
gather foreign information or make that foreign information unusable for
a potential enemy?
---------------------------------------------
From: strategy@pop3.interramp.com
Date: Tue, 12 Dec 95 08:13:35 PST
Subject: Information Competition

From: Dan Meyer, General Counsel & Program Director, Asian Trade and
Advanced Technology, The Strategy Group (TSG). 
Subj: Creeping Metaphors

... On the subject of defining "information warfare," I think one has to
look to overall structural changes in the geopolitical order--economic,
social and political--to understand why information is an asset; an
asset to both protect and, if one choses the offensive, destroy.  The
notion of webs is useful in that they were, prior to the invention of
the telegraph, exceedingly local.  Before the creation of the common
carriage legal duty and the concurrent rise of a centralized
nation-state (needing the roads), all webs were local.  With no ability
to interact, the only assets in danger were at the periphery--usually a
herd or two in some distant pasture. 

We've been "crowding out" since the late 17th century and
"concentrating" since the late 19th century (see F.  Jackson Turner's
thesis).  What the technology enthusiasts mistake as "new" forms of
warfare are really, in a mature sense, refinements of greater trends. 
The "information highway" may be a creeping metaphor; but it is largely
correct from the structural point of view.  What we forget when we get
on I-70 is that the interstate was modeled after Roman, German and
Italian predecessors; a means of moving armed forces from the juridical
center to the march.  For a rather haunting reminder, pull a dime out of
your pocket and look at the torch flip-side to FDR; that's a burning
fasces, the classical symbol of the Roman republic "bound" together by
that uniquely Roman talent for law.  It is also the derivative root for
"fascist".  Prior to the Second World War, there were common themes
(uncomfortable to us now) binding together the modern states of Europe,
the United States and Asia.  One of these was "infrastructure"; another
was an acceptance of "conquest by war".  One of these is now
unacceptable, as Saddam Hussein was shown.  He broke the rules of the
accepted game. 

If you accept the parallel between physical and virtual space, the age
old concerns over the protection of assets at a society's periphery is
inevitable.  What is not inevitable is the incorporation of total
warfare into the information paradigm.  Legally, we talk of "domestic
crime", not "domestic warfare" (unless you are looking for votes or
money).  This argument in extremis is restorted to when we feel weak
under the competitive rules in play.  We become, in other words, a
virtual Iraq sulking under our debts to Kuwaiti bankers; tempted by the
easy analysis, or solution. 

The American contribution is, of course, our tradition of peacable
commerce; though that is culturally confined to those accepting our
Commerce Clause and its economy as "peacable" (as I do).  But even the
Commerce Clause is predicated on notions of carriage; highways and the
reduction/protection of assets at a "frontier"--be it physical, as in
1789, or virtual, as in 1989. 

What concerns me is the rather sloppy importation of military doctrine
into a field rich with economic, social and political opportunities. 
And I am no "dove"; as a former gunnery officer and Desert Storm
veteran, I understand the use for force is required in order to maintain
that periphery.  I also understand the costs associated with total
warfare.  CNN gave only representations of the war; the realiity
actually had a smell, a taste, a feel that an electron can not carry. 
Warfare is a total evolution; it is an act of destruction. 

I suggest that "competition" is more appropriate for those understanding
the post--industrial economy as rearranging the existing pecking order. 
The rules in warfare are much more permissive because we are not
interested in the enemy's final position in the international order;
ideally, the enemy will have no place because it was destroyed. 
Competitive rules, however, seek to allocate rankings by standards which
ensure that everyone plays to the fullest.  The "fullest", of course,
being the example set by our own Commerce Clause tradition. 

The difference between "competition" and "warfare" is evident in many
areas.  The telecom reform before Congress has pulled back from complete
deregulation largely in fear of "unfettered" competition, which could
resemble J.  Schumpeter's prediction of capitalism consuming itself; the
United States carefully balances its tradition of multilateral trade
with "get tough" unilateral efforts to remind competitors that war is
still possible. 

Regretably, no single "methodology" can hold the crossroads in the post-
industrial economy (though an engineer with a juris doctrate based on
the law and economic movement would be pretty close).  ... We use
game theory and other methodologies to attack problems on a case-by-case
basis.  But the game and its needs changes for every application.  The
danger under such a process is that "rigor" is sacrificed to "breadth";
forming a weak pseudo-science.  One best know the impact of
incorporating metaphors on all facets of the problem; better to limit
the metaphor and scruntize the assumptions lying beneath the language
used. 
...
---------------------------------------------
Date: Tue, 12 Dec 1995 12:59:50 -0500
From: mdj@pegasus.attmail.com (mdj)

What is information warfare all about?

Well, whatever it HAS been about is likely to change dramatically
through the proliferation of network computing resources.  I do not
believe we can anticipate the issues because of the technology changes
and potential for new applications. 

In the language today (at least English), we have many terms used for
types of warfare: naval warfare, highlighting the location and types of
transport used to conduct battles; nuclear warfare and germ warfare,
highlighting the type of weapons used to inflict damage; industrial
warfare, highlighting the combatants or targets. 

The term "information warfare" can highlight the target or the weapon. 
I engage in "information warfare" to obtain information or I engage in
"information warfare" by using information to gain some other type of
advantage or acquisition.  I think many situations will blur the role of
information as the target and the weapon. 

Movement of information is important from both perspectives.  Hence the
importance of telecommunications and networked computing technology.
---------------------------------------------
From: peter@nmti.com (Peter da Silva)
Subject: Re: IW Mailing List iw/951211
Date: Tue, 12 Dec 1995 11:47:39 -0600 (CST)

> ... I forsee a day when some corporations may begin to inflict IW
> against each other, as one more way of competing. 

I think it's reasonable to argue that the standard IBM/Microsoft/Sun/... 
FUD style attack as Information Warfare, if you consider all electronic
deception to be IW.  I'm particularly thinking of the attack on Samba by
Microsoft, when it was found that Samba was able to go through a
previously unknown security hole in Windows 95. 
---------------------------------------------
Date: Tue, 12 Dec 1995 16:33:12 -0500
From: AlanC3398@aol.com
Subject: Re: IW Mailing List iw/951211

For useful insights into IW during the Cold War, read The Very Best Men:
Four Who Dared: The Early Years of the CIA, by Evan Thomas.  (Author
will be interviewed by Brian Lamb next Sunday night on BookNotes on
C-Span.) Book is about the "pitfalls of hiring lawyers and investment
bankers" to become "cat burglers." I hope this book is read by those
with plans to re-invent the Operations side of the CIA. 
---------------------------------------------
From: hocka@carlisle-emh2.army.mil
Date: Tue, 12 Dec 95 16:53:46 EST

In the narrow sense, I view IW as EW by another name, and as an Army
communicator, I am concerned about any threat to battlefield
communications.  In the broader sense, I view IW as use of information
and information systems as tools against adversaries and by adversaries
against us.
---------------------------------------------
Date: Tue, 12 Dec 95 11:41 EST
From: Michael Wilson <0005514706@mcimail.com>
Subject: RE: IW Mailing List iw/951211

If anyone would like copies of the earlier articles of mine that have
passed across the list, drop me a note (put IW in the 'subject:' line so
I can filter your mail). [Moderator's note - or look on the gopher server]

I thought I would add more chum to the water and remark about some of
the phenomenological aspects of IW.  Feel free to borrow with
attribution (or learn the hard way that I make a dandy carbomb; nothing
personal, strictly business). 

As I have stated previously, I define IW as attacks related to the
informational value chain, be it a civilian or military dependency
infrastructure.  Let me throw out a few lovely quotes from Sun Tzu to
start:

[Moderator's note: Sun Tzu - The Art of War - available on http://all.net/]

"To secure ourselves against defeat lies in our own hands, but the
opportunity of defeating the enemy is provided by the enemy himself..."

"...the skillful leader subdues the enemy's troops without any fighting;
he captures their cities without laying siege to them; he overthrows
their kingdom without lengthy operations in the field."

A number of list members have commented on the existence of IW--does it
really exist? Let me paraphrase a commentary by Simpkin in his classic
"Race to the Swift"; technical innovation may greatly precede doctrinal
adaptation to new conditions, both in potentials and limitations. 
Simpkin presents a detailed breakout of the '50 year cycle'
(controversial as it is) between the incept of an innovation and the
full impact of the technology (his analysis of tanks and helicopters is
quite telling).  We are all quite aware that whomever develops a new
technology, technique, or doctrine first can have a distinct advantage;
we are all equally aware that military and intelligence organizations
have the problems of most bureaucracy--they destroy initiative and
innovation, and creativity is dangerous to those already in the command
structure.  I would be willing to bet that most of the list membership
are known mavericks; once again, we are ahead of the loop.  Take heart. 

Many of the 'new' elements of IW require an advanced economy as a
target, although it does teach new strategies and tactics that apply
beyond proper IW.  Most of the fun, really 'blue sky' kinds of things
however are fairly recent.  Core wars moves into computer viruses moves
to...  ?

[Moderator's note: Viruses actually came before core wars.  Viruses was
first published in Cohen, "Computer Viruses - Theory and Experiments"
(IFIP TC-11 conference - Toronto in April 1984 and first presented at
UCLA in December 1983), while Core Wars was first published in Dewdney,
Scientific American "Computer Recreations", (250, 5, 14-22, May, 1984). 
Very close though!]

Military IW allows the use of technology to directly take advantage of
the blunders of the opposition, create active deception operations (have
to watch the media though--Americans are so media savvy that lying with
a camera is dangerous), and transform the game of surprise. 

Why is IW possible?  Why will it be -increasingly- possible? (A few 
suggestions...)

	-- While the real world has inherent constraints and limitations,
	the digital world is infinitely malleable (Nixon yanking the
	Gold Standard pushed money into virtuality a long time ago). 

	-- In the infosphere, constraints are of interpretation; the
	'reader makes right' problem translates to the observer having a
	greater burden than they likely suspect.  Question your assumptions. 

	-- We seem to have abandoned the engineering rigor (ala RISKS). 
	This means not trusting you can do something until you have
	actually -done- it.  So, without such testing, society has given
	trust to things that have no defined reliability, safety, or
	security.  System design doesn't even seem to impose forcing
	factors--elements of the system that require a confrontation
	before interaction of any sort is permitted.  Auto ignitions
	require a key; nobody seems to have built a PC with hardwired
	code requiring special confirmation before something as simple
	as disk initialization.  Or if they did, David Kahn got the only
	desktop model.  Engineers of all sorts have adopted the ethic
	that you do something because you can, not because it makes sense. 

[Moderator's note: RISKS (I think) refers to the Risks forum
(risks@csl.sri.com) while David Kahn probably refers to David Kahn's
book "The Codebreakers", The MacMillan Company, 1967]

	-- The battle of heterogeneous vs.  homogeneous substrates to the
	infosphere.  Variety provides vigor, competition, cross
	fertilization, selection, and a special resistance to problems
	of many sorts.  Standards provide uniformity, predicability,
	exchangeability, replacement, cohesion, and a host of other
	fatal flaws.  The success of Microsoft may be the downfall of
	the infosphere some time soon. 

IW has a lot of people 'hot and bothered' because computer-based attacks have 
-so many- attractive points:

	-- IW can be immensely leveraged; hit the right points and the
	bang-for-your-buck is quite impressive. 

	-- Speaking of cost, the entry cost for IW is so small, it wouldn't
	even register as the cost of rounds for small arms practice. 
	The continuing costs of running an IW shop are humorously small
	(but certain to get way out of hand as the U.S.  military gets
	involved [anyone in the military, feel free to contact me, I
	won't fight a handout !]). 

	-- Recruiting inside the 'virtual' community is about as hard as
	tossing a grenade; a bit of care is all it takes.  Remember, the
	biggest hurdles are literacy and a reasonable IQ, which luckily
	are becoming prerequisites for entry into cyberspace (oh how I
	hate that term). 

	-- IW can serve strategic and eventually tactical ends.

	-- What an IW organization lacks in numbers or resources, it can
	make up in time.  The window of opportunity for IW attacks is
	-opening-, not closing. 

	-- IW is non-local; inside the infosphere, reality and all the
	things connected to it (x,y,z,t) have eroded.  As technology
	improves, all points will essentially be coincident.  What
	becomes important? How fast are you, how dense? What are your
	throughput, bandwidth, and interactivity?

	-- IW allows targets of opportunity and custom attacks to specific
	objectives. 

	-- IW can be undetectable in advance.  Military and intelligence
	organizations have proceeded on the assumption that technology
	has eliminated the opportunity for surprise.  Wrong. 
	Clandestine work is the next wave of deception operations, in
	the sense of moral surprise (they don't know you're coming) and
	material surprise (they know you're coming but can't do anything
	about it).  Readiness becomes a very difficult concept to evaluate. 

	-- IW isn't covered by any treaty or regulatory agency; even if it
	were, it would be meaningless. 

	-- Synchronization and timing are the very essence of large-scale
	IW attacks; they operate inside the decision loop of the
	opponent, breaking tempo.  IW moves faster than the enemy can
	respond--how can they when the mechanism of response itself is
	the target, and it happens at the speed of an electron at the
	start of the conflict?

	-- The psychological value of IW attacks will be the back-end,
	collateral issues of a lack of trust or control for technology,
	information, or channels. 

Massive IW denial-of-service attacks will be able to impair or destroy:
phone service; police, fire, and emergency medical services; alarms go
with the phones; power transmission; water and sanitation; access to
currency; credit cards; financial markets; electronically dependent
sectors of the economy; media services; technologically augmented
businesses (poor Doug Engelbart); social programs; organized,
centralized government and intelligence.  IW will have limited impact on
transportation, supply situations, or back-up communication paths such
as radio.  The main threat of such attacks will be the isolation
created--will it be enough to damage or destroy the social contract that
holds the political economy together? Limited use IW, tactical or
retributive can focus on smaller sections of this laundry list. 

IW has some real problems:

	-- Once again, you haven't done it until you've done it.  Will any
	of this really work? On a small scale, a variety of test runs
	have been made.  We won't know the answer until after the First
	Information War.  Be sure to send me a message; the pigeon knows
	the way. 

	-- No plan survives contact.  Whomever pulls the plug first is
	going to want to be certain that the first is also the last
	encounter.  As IW seems to be the lovechild of Murphy's Law, it
	may be a stillbirth. 

	-- The bleed, spread, collateral damage from a 'successful'
	information war (oh how I hate that term) may well take out the
	very organization that lights the fuse.  Obviously you don't
	shut off the phones -before- you put in place all the other
	parts of the plan. 

	-- Military command-and-control is made to operate in exactly this
	sort of situation.  Oops, the lights went out, the phone went
	dead, the ATM stopped working, but the well prepared warrior is
	able to last until someone flips the switch and reboots the
	damned hardware.  As long as the AA cells are in lootable
	locations (have to keep the walkman running), peace may prevail. 

What is that IW technology that we have now, and will certainly be
looked back on like the first tank or combat aircraft? A menagerie of
electronic critters (lions, and tigers, and bears, oh my!).  Viruses. 
Worms.  Trojans.  Morphing systems that change their code to avoid
'scanners.' Binary (as in, two parts) attacks (data viruses). 
Polymorphic systems that transform for cross-platform mobility.  Factory
systems geared for geometric growth.  Cryptographic worms and viruses. 
Envoys, expert systems built for penetration.  Who knows, someone may
try to execute a graphics file and wipe out Western Civilization. 
Random path evolution took a long time to develop our complex biological
lifeforms, but the sheer volume of data on the net might make up for it. 

Well, that looks like enough chum to get a conversation rolling;
remember, I take a far wider view of this sort of war than just the
technology, but I thought it would be worthwhile to bear down on the
nerd-side of the issue for a few minutes.  Don't forget the other words
of Sun Tzu: "Only a sage can utilize espionage." MW
---------------------------------------------