Subject: IW Mailing List iw/960114
[Moderator's Note: This recent news story may have ramifications
relative to global use of cryptography.]

WASHINGTON (Jan 12, 1996 5:34 p.m. EST). 

Bloomberg, the business news agency, reports 01 12 96: 

The U.S.  Commerce Department will recommend easing export controls on
encryption software after a study by the department and the National
Security Agency found that American firms are being hurt.... 
The report's release came on the same day federal prosecutors dropped a
three-year investigation...of...Philip Zimmerman.... 
The government study comes a week after [the Computer Systems Policy
Project] released [its] own study showing ...American companies will
lose [maybe $60 billion] in U.S.  computer system sales expected in
The 13-member Project ...includes International Business Machines...and
[Easing export controls] may pit Brown's department against U.S. 
defense and spy agencies.... 

[Commerce Secretary] Brown said his department will prepare
recommendations for easing [ITAR] controls that should be forwarded to
the president "within a few months."
It's unclear if the NSA, the super-secret eavesdropping agency, endorsed
the Commerce Department's conclusions in the report it jointly prepared. 
...federal prosecutors dropped [the Zimmerman] investigation without

From: (Fred Cohen)
Subject: Deceit and IW
Date: Sun, 14 Jan 1996 12:40:31 -0500 (EST)

This extract from the Canadian Framework paper (Garigue) seems
particularly interesting to me when considering deception (note that
this description or variations on it have appeared elsewhere for some
time and I am only using this quote as an example):

"Information Warfare concerns itself with the control and manipulation
of information and information flows.  Specifically with the
acquisition, process, storage, distribution and analysis of data and
information.  At a conceptual level, IW consists of all efforts to
control, exploit, or deny an adversary's capability to collect, process,
store, display, and distribute information, while at the same time
preventing the enemy from doing the same.  The intent is to control,
manipulate, deny information, influence decisions, and degrade or
ultimately destroy adversary systems while guarding friendly systems
against such action."

Now contrast this with a list of traditional deception techniques
taken from "Victory and Deceit" (parens indicate my comments).

- Concealment (deny critical information from enemy)
- Camouflage (deny critical information from enemy)
- False and Planted Information (control enemy collection)
- Ruses (control enemy collection)
- Displays (control enemy collection)
- Demonstrations (control enemy collection)
- Feints (control enemy collection and processing)
- Lies (control enemy collection)
- Insight (enhance own processing)

	It seems clear that a taxonomy of IW resulting from the cross
product of {acquisition, process, storage, distribution, analysis} and
{attain, control, exploit, or deny} covers all aspects of deception as
described by Dunnigan and Nofi.  In addition, there are aspects of this
taxonomy that appear to not be covered by the taxonomy of deceit.  For
example, better data collection and increased tempo resulting from the
"attain" item.  From a point of view of theoretical understanding, it
would seem that the more general (and perhaps simpler) scheme would be
preferred as a standard of communication.

Looking at classical Mealy/Moore models of computers and crossing it
with now-classical information security issues, with basic tenets of
conflict, and with Shannon's syntactic information theory, we might
create another taxonomy more like this one:

	{input, output, processing, storage} x
	{integrity, availability, confidentiality} x
	{enhance ours, reduce theirs} x {certainty}

A few notes:

Processing seems indifferentiable from analysis to me unless Garigue is
trying to differentiate human from artifact in transformation of
information.  I actually prefer the term analysis, but this is not the
word used by Mealy, Moore, and others who likely used that term in
reference to specific mathematical techniques. 

Acquisition and Distribution seem to be more oriented toward networked
environments, but seem similar to input and output for any component
of an overall system.

The use of		{integrity, availability, confidentiality}
as contrasted to	{attain, control, exploit, deny}
seems particularly interesting to me.

	- Attain seems to have a meaning similar to input.

	- Deny is, as far as I can tell, identical to {reduce} x

Control and exploit seem far more interesting concepts and deserving of
a lot more attention. 

Control theory basically looks at feedback mechanisms and how to attain
particular overall system performance by using feedback.  In many cases,
this is done with a parameterized reference-model of the object under
control and uses mathematical analysis to attain various predictable
conditions with reference to that object.  Mathematical control theory
basically falls apart as the model becomes less and less certain about
the object under control.  Discontinuities also produce substantial
problems in analytical control.  So I think that control is a concept
that cannot be simplified or removed, and yet one that is particularly
difficult to analyze without a deep understanding of psychology and
other areas.

Exploit seems to deal with the mix of the capabilities of the parties to
the conflict.  In fact, exploit seems to be very closely linked to
control in this way.  For example, there are cases when a mismatch can
be created which, despite the best intentions and great skill of select
players, simply cannot be overcome.  With enough certainty regarding the
situation, control and exploit seem to go hand in hand, but as situation
awareness decreases, control becomes far harder, and along with it, the
certainty associated with exploit.

I'll also throw in the term tempo to encompass time in a relational way
as an issue (although strictly speaking, I think I could encapsulate it
in control somewhere). 

So let me summarize and ask for comment on this variation on
understanding IW:

Top level definition - very general:

	Conflict where information or information technology is the
	weapon, the target, the objective, or the method.

One-level down taxonomy of IW:

	{gathering, distribution, analysis, storage} x
	{integrity, availability, confidentiality} x
	{enhance, reduce} x {ours, theirs} x
	{certainty} x {control} x {exploit} x {tempo}

If this is a good taxonomy, every example of IW should be described by a
combination of these factors with only detailing added (no new big
concepts).  Another way to think about it is that we could make a
sentence describing any IW activity by using these words with a few
conjunctions here and there. 

I would welcome comments and opinions on this including examples of how
well things fit or don't fit into it.