Strategic Warfare in Cyberspace, by Gregory J. Rattray. Cambridge, Mass.: MIT Press, 2001, 517 pp.
Several books about information warfare (IW) have appeared in recent years. Government officials and industry leaders are more concerned than ever about the vulnerability of the U.S. information infrastructure. Military experts fear that terrorist groups or hostile armies might attack U.S. computers and communications systems. The Department of Defense (DOD) reemphasized this concern as recently as October 2001, with the release of its Quadrennial Defense Review (QDR), its top-level planning guidelines for military spending. The QDR assigned a high priority to defending against possible IW threats and to exploiting the potential of attacking our adversaries’ own information systems.
Strategic Warfare in Cyberspace is different from most books on the subject. It is probably the first original book-length study about the topic written by someone who actually works in IW operations. Gregory Rattray, a lieutenant colonel in the U.S. Air Force, currently commands the 23rd Information Operations Squadron at Fort Meade, Maryland, where he is responsible for developing Air Force IW tactics. Previously, Rattray served as deputy division chief for Defensive Information Warfare at Air Force headquarters. These assignments have given Rattray a hands-on perspective from which to view the technology, politics, and wartime experience that have led to the current state of U.S. IW plans and policy.
Rattray reviews recent developments in information technology. He observes that, although the recent information age has created new products and businesses at an astonishing rate, it has also created new vulnerabilities. Advanced computers and communications systems have led to major advances in war-fighting capabilities, but they have also made military forces more vulnerable to attacks on these systems.
He also provides an overview of the main components of the civilian and government information infrastructure, pointing out how developments such as deregulation of the telecommunications industry have made the infrastructure harder to protect. On the one hand, the pressure to cut costs has led to systems that meet only normal operating demands and do not provide sufficient redundancy. (The loss of a single Verizon switching facility in lower Manhattan during the strikes on the World Trade Center caused major telephone tie-ups in the region; some glitches persisted for months.) On the other hand, the end of AT&T’s long-distance monopoly forced the government to deal with multiple operators in developing security measures.
The recent development of Internet-based industries has also created new vulnerabilities and problems for defense. Many of the new companies have little experience in cooperating with government, and the technology itself raises new issues. For example, defending against “denial of service” attacks requires all server operators to protect their systems; organizing such cooperation can be challenging. Perhaps the creation of the new Office of Homeland Security will improve this situation by raising the visibility of the problem and creating a single point in the government where the issue can be addressed.
From his post on the Air Force staff, Rattray has been in a position to see how DOD has tried to address these vulnerabilities. Indeed, most of the book is devoted to defensive IW, in part because the details of most offensive IW planning remain classified. Some infrastructure vulnerabilities he discusses are familiar to the public, such as the susceptibility of communications to jamming. Some are well known to specialists, such as the vulnerability of financial databases. Others are much less familiar, such as supervisory control and data acquisition (SCADA) systems that control transportation systems, pipelines, and other infrastructure components. These systems are all vulnerable to three kinds of IW attack: mechanical (bombing, for example), electromagnetic (jamming or frying circuits with transmissions), and digital (inserting bogus data into an information system to deceive the users or cause it to crash).
Much of the book is devoted to exploring the parallel between the development of strategic bombing and the development of IW. Both were made possible by the introduction of a new technology (long-range aircraft for strategic bombing; digital electronics for IW). Both were promoted as offering the possibility of a quick kill and a revolution in warfare. Both promised to allow armies to leapfrog the front lines and attack an enemy’s rear directly. It took nearly 50 years for the full potential of strategic bombing to be realized. Rattray implies that it might take as long for IW to become an effective weapon.
In making this argument, Rattray might also have noted that pundits, proponents, and theoreticians were way ahead of reality in assessing both the effectiveness and the threat of strategic bombing in the early 1900s; today’s enthusiastic IW proponents may be similarly overoptimistic. IW will be a key component of future military campaigns, if only because information technology is becoming pervasive. However, there are inherent limits to IW.
For the foreseeable future, IW is most likely to be used to facilitate conventional warfare. For example, the ultimate achievement of strategic bombing, Rattray writes, was the ability to target a bomb with such precision and reliability that specific buildings or military facilities could be destroyed with virtually no collateral damage. The United States achieved this goal during the Balkan air campaigns of the mid-1990s. It will take some time before an information system can be controlled with such precision and reliability that the military can use it to “break things and kill people.”
Much of Rattray’s analysis deals with how the armed services adopt a new form of warfare. Change must proceed in a step-by-step process. First a technology emerges. Then someone proposes a concept for how it might be used to fight wars. Eventually, at least one branch of the armed services develops a doctrine explaining how it would organize itself to use the technology. Commanders translate this doctrine into specific weapons requirements. The weapons are developed and deployed. With experience, refinements are made in tactics and strategy.
This process may seem arcane to the average reader, but it is all too familiar to anyone who works on IW issues at DOD. It is also essential for understanding the difficulties of military reform and why bureaucracies are so resistant to change. The ability of an organization to move successfully from one stage to another depends on many factors. Rattray discusses several of them, including whether the organizational environment rewards innovation, whether an organization has innovative managers and the required technical expertise, and whether regulation inhibits investment. These factors are, in effect, leverage points that officials can influence to encourage reform.
IW policy evolves
The best and most original parts of the book, from a historical perspective, are the last 100 pages, which cover the development of IW policy during the 1990s. Rattray shows how thinking about IW went from existing work on traditional forms of electronic countermeasures to more sophisticated ideas about influencing and manipulating an adversary’s information systems. He recounts how the government inched forward to develop doctrine, policies, and programs.
Despite much detail, there are several developments that Rattray should have included but did not. He does not cite some of the earliest work in IW thinking, sponsored by DOD’s Office of Net Assessment in the late 1970s and throughout the 1980s. As part of its mission to compare U.S. and Soviet forces, the office discovered that the Soviets were concerned about U.S. “radio electronic combat” efforts. In fact, these efforts were negligible, but the fact that the Soviets seemed to be concerned spurred some of the first studies leading to IW efforts. The book also seems to have an Air Force-centric view of IW (the extensive work by the Navy during the 1980s is hardly mentioned), although this probably stems from Rattray’s background rather than bias.
Also, the book’s cutoff date appears to have been late 1999, which should have given Rattray time to analyze IW efforts in Operation Allied Force, the NATO military campaign to force Serbian troops out of Kosovo. DOD’s own analysis concluded that IW efforts in Allied Force were a failure. According to official reports, attempts to shape Serbian perceptions were “amateurish.” The United States also entered the war without having resolved many of the policy and legal issues that are raised in targeting enemy computer systems. These missteps led to major changes in how DOD has organized itself for IW operations. For example, it was partly because IW was so ineffective during the Kosovo operation that DOD decided to consolidate responsibility for offensive and defense IW planning in the U.S. Space Command.
One recurring theme in the book is that effective defense against IW attack will require closer cooperation among organizations that traditionally have not worked together effectively. Rattray explains the connections required among the military services, law enforcement agencies, industry, and regulatory bodies. He notes that these organizations made considerable progress when preparation for the Y2K rollover compelled them to work together. At the same time, he writes, the various virus attacks that tied up portions of the Internet in early 2000 demonstrate that more effort is required. Although these attacks were not earthshaking, they exposed vulnerabilities that could be exploited by a more sophisticated adversary with more people and funding.
In all, this is a useful book that explains both the principles and politics of a form of warfare that will continue to be important as long as people use information technology. Rattray concludes that the longer we wait to adopt policies to prepare for cyber attack, the more difficult it will be to do so–words worth keeping in mind as terrorists prove more innovative and determined than ever.
Bruce Berkowitz (email@example.com) is a research fellow at the Hoover Institution in Stanford, California.