Statement of Dr. Daniel Kuehl
School of Information Warfare & Strategy
National Defense University
For the Joint Economic Committee
February 23, 2000
"This statement reflects the opinions of the author and should not be construed as the official position of the US Government, Department of Defense, or National Defense University"
Before attempting to assess the nature of the potential threat to the US economy from intrusions and attacks via computer networks and cyberspace, it might be useful to briefly examine the context of the new geostrategic environment evolving in the 21st Century. This environment, which is shaping "national security in the information age", is dominated by four critical new developments: the emergence of cyberspace as an operational environment for business, politics, and warfare; the impact of digital convergence, in which essentially any form of information can be expressed digitally and then combined, changed and re-used in ways the originator has no control and little or no awareness of; the growth of global omnilinking; and the increasing control of key societal infrastructures by computerized systems. While these developments have been explored and explained in detail elsewhere,1 the result is that we live in a world that every day grows increasingly interconnected. Every day, more of the world--as individuals, as organizations (businesses, political movements, military forces), even entire societies and countries--plug into the global electronic, digital network because they have determined that they cannot be successful unless they are "connected". This condition offers both wonderful opportunities and dangerous vulnerabilities, and the needs of national security require the exploration and understanding of both.
In the not-too-distant-past (1980s), it was easy to quantify and categorize "the threat". Intelligence analysts could count the number and type of Warsaw Pact divisions facing NATO, or assess the performance characteristics of MIG fighters and bombers. Those metrics are useless for the cyberthreat to national security. In fact, the place where assessment of "the threat" must begin is at home...in our own vulnerability to cyberattacks and intrusions. Chairman of the JCS Instruction 6510.1, "Defensive Information Warfare", best states the dilemma..."use breeds dependence, and dependence breeds vulnerability."2 The United States uses more information technology than any other nation on the face of the earth. Paradoxically, this contributes both to our economic power and to our cyber-vulnerability, a condition that has received increasing recognition and understanding in the annual "National Security Strategy" statement sent to Congress.3 The US government has been at the global forefront of the effort to examine the strategic implications of cyberspace, and the 1990s saw a steady stream of studies and reports that called attention to the growing dependence of American society and infrastructures on computerized control and their concomitant vulnerability to intrusions and attacks mounted via cyberspace.4 These vulnerabilities create the battlespace in which cyber threats to the US economy and the infrastructures upon which it depends pose a strategic threat to US national security in the information age.
There are two aggregate groups of potential cyber threats to the US economy. The first is comprised of nation states: identifiable countries that could in certain circumstances pose a threat to the United States. The second group is comprised of non-state actors such as terrorists or criminal groups. While the means both groups would use are similar, perhaps identical--computer intrusions via cyberspace--their motivations would probably be quite different. Although the latter of these two categories poses a significant threat, the US response would be a law enforcement issue, whereas the response to the former would clearly be a national security issue. While analyses from the intelligence community regarding the information warfare capabilities of a wide range of nation states are of course highly classified, there is a growing body of open-source literature regarding the perspectives and potential from two nations in particular...China and Russia.
China:
While there is no official Chinese military doctrine for information warfare, such as the US military's "Joint Doctrine for Information Operations",5 there is a growing body of open-source literature that explores evolving Chinese concepts and perspectives on the subject. In the last two years, Mike Pillsbury, writing for the National Defense University's Institute for National Strategic Studies, has published two books exploring Chinese views on future warfare and the national security environment.6 The first is an anthology from Chinese military sources, while the second is an analysis of those and other publications. Both contain significant insights into that segment of Chinese military thinking that considers computer network attack--to use the US military term--as an important means for waging asymmetrical warfare in order to enable the "inferior to defeat the superior." References to using computer methods to "eliminate the enemy country's war-making material base" and to attacking "command centers, communications hubs, information-processing centers...and supply systems" hint at possible strategies in future conflict. Several Chinese analysts argue that the distinction between "strategic, campaign and tactical...[between] front and rear" will blur or even disappear, so that computer weapon systems will "reach over the horizon and cross national boundaries." In the event a future war is triggered by disruptions to the "network of the financial sector....information-related industries and domains will be the first to be mobilized and enter the war." What would form the target list of such a war? "Targets would be American electrical power systems, civilian aviation systems, transportation networks, seaports and shipping, highways, television broadcast stations, telecommunication systems, computer centers, factories and enterprises and so forth."7
Following closely on the heels of these publications was perhaps the most intriguing insight into one of the evolving Chinese perspectives, a book written by two colonels in the People's Liberation Army, Qiao Liang and Wang Xiangsui, and published by the PLA Literature and Arts Publishing House in early 1999. More correctly called "Go Beyond the Limits of Warfare" or "Go Beyond the Bounds of Warfare", the Foreign Broadcast Information Service has recently issued a full translation under the title "Unrestricted Warfare". While the reader should fully realize that this book should not be considered official Chinese military doctrine or strategy, and that it reflects China's 2,500 year history of viewing everything external to it as a potential threat to its unity and existence, it is a penetrating insight into the thinking of a new and younger generation of Chinese military theorists. Early on the authors warn that the "first rule of Unrestricted Warfare is that there are no rules, with nothing forbidden....strong countries make the rules while rising ones break them and exploit loopholes." Future types of war may include "trade wars, financial wars...defeat on the economic front precipitates a near collapse of the social and political order." After posing the same sort of target list as cited above, the two Chinese colonels state "If we want to have victory in future wars, we must be fully prepared intellectually for this scenario, that is, to be ready to carry out a war which, affecting all areas of life of the countries involved, may be conducted in a sphere not dominated by military actions." Again, it must be emphasized that while this is not to be taken as a window into current Chinese military planning, it may very well be a window into a vigorous and ongoing debate within the Chinese military about the future direction of warfare, a debate that may shape future national security policy and strategy on both sides of the Pacific Ocean.
It should also be pointed out that this view of "beyond the limits of warfare" has been advocated by Machiavelli and practiced by most nation states and great powers over the past several centuries.
Russia:
Much of the best open source literature on Russian information warfare concepts can be found in the Journal of Slavic Military Studies, which has contained a series of penetrating analyses over the past few years.8 Much of the open source literature by Russian experts is extremely dry and technical, focused on quantitative efforts to develop algorithmic approaches to modeling information systems.9 A persistent theme that cuts across virtually all writings on Russian IW is the criticality of perception management as a prime objective, although that is not the focus of this paper. One of the earliest and most well known examples of Russian actions in the economic realm came not from a state-sponsored action, however, but rather old-fashioned bank robbery, albeit executed via the new medium of cyberspace. This was, of course, the cybertheft of several million dollars from Citicorp, in which remote computer access originating from a Russian individual in St Petersburg resulted in the largest and best-known case on record.10 Russian organized crime has followed this lead and has drawn the interest of the international law enforcement community, although this also is outside the parameters of this paper. One of the leading Russian IW theorists, Vitaliy Tsygichko from the Institute of Systems Analysis, is attempting to develop a "coefficient of information security" analysis for the Central Bank of Russia, which would seem to reflect their understanding of the vulnerability of financial systems to cyberattack.
Information weapons could be used to "destroy data banks, software, telecommunication systems, computer systems, energy blocks, the systems of state administration, in short, the entire range of high-tech support of society's existence and state functioning....to put out of commission civilian objects and life-support systems, disorganize state administration...set economic chaos and sabotage; to damage national financial systems based on information-computer networks."11 Tsygichko argues that IW can be conducted during both peacetime and wartime. During peacetime, a phase that interestingly has been called "the initial period of war", information actions would seek to undermine the adversary's information security at all levels, individual, societal, and state, with operations focused on the armed forces, civil populace, and systems needed to administer research, production, and civil society. Another Russian theorist suggested that the potential "psychological impact on the U.S. would be huge if the financial markets go down". There is a clear sense in these Russian writings that the adversary's economic system is both a viable and valuable target for cyberattack.
Conclusion:
Interestingly, both the Chinese and Russians have expressed interest in some form of international effort to place curbs on such attacks.12 The Russians have gone so far as to formally propose via the Secretary General of the United Nations the development of "an international legal regime" to combat information crime and terrorism. Since the organizational viaduct for this proposal was the UN's First Committee, however, whose charter is disarmament rather than counter-terrorism, one is tempted to suspect that this effort was intended to curb state-conducted IW rather than the activities of individual criminals. On December 4, 1998 a slightly differently-worded resolution on "Developments in Telecommunications and Information in the Context of International Security" was adopted by the General Assembly by unanimous consensus, which has been merely a prelude to further efforts along these lines.13 Other efforts, focused on developing the basis for enhanced international cooperation against criminals and terrorists, have been initiated by the Council of Europe and academic groups such as the Center for International Security and Arms Control at Stanford University. Perhaps the actual content of these efforts is less important than the apparent realization that the vulnerabilities of national infrastructures and economic systems, rooted in our growing reliance and dependence on those systems, make their protection a matter of societal safety and national security.
Ironically, the most likely source of cyber-intrusions into and attacks on the US economy is not the most dangerous. The incidents of the past few weeks, in which a diverse set of American businesses suffered intrusions and damage from cyberspace, were the kind that may become increasingly frequent but that pose little likelihood of causing serious damage to the national or even international economy. When the investigations are complete and the miscreants apprehended and prosecuted, we will in all probability see that for all of their bluster and noise, they posed no real capability to cause long-term harm or damage to our economy. This is not true, however, for the potential damage that could result from state-sponsored attacks. States that are willing to devote the time and resources towards developing the technological capability and intelligence base necessary for a cyberattack on an economic system pose the greatest danger to those systems. While this author is skeptical of claims that entire national electric grids, transportation systems, or financial markets could be "collapsed in thirty minutes by half a dozen hackers", our very reliance on computer networks and control systems for the functioning of those infrastructure elements creates a vulnerability that a determined opponent with sufficient organization, resources, discipline and planning skills could exploit. The very same means that the cybervandals used a few weeks ago could also be used on a much more massive scale at the nation-state level to generate truly damaging interruptions to the national economy and infrastructure.14 The potential is there for the creation of strategic effects via cyberattacks on specific systems or locations, and the creation of strategic economic, political or even military advantage via such attacks. 
While we have not seen such attacks from a nation state, that is solely because no state or non-nation state actor has yet seen sufficient strategic advantage to be gained by doing so, and this condition will not last indefinitely.15 It does not prove the negative - that no state or non-nation state actor is organizing, training or equipping itself to do exactly that kind of attack on one or more of its adversaries. Eventually, a nation state will determine that the potential gains of a strategic cyberattack on U.S. economic systems--or those of our Allies and/or neighbors--outweigh the potential risks of such actions. It's apparent that several nations that the U.S. does not number among its Allies--and not only the two cited earlier in this paper--are giving serious thought and debate to the strategic advantages to be gained by using cyberspace to attack the economic component of U.S. national power. The time to prepare defenses against such an event is now, and the first and most important step is to continue to raise the awareness and understanding of all members of the partnership, government as well as private sector, as to the reality of our vulnerabilities and the threat created by those vulnerabilities. It may be the most important partnership we can develop to ensure the future security of the United States.
1 See, for example, the Author's "Strategic Information Warfare: a Concept", a white paper published by the Australian National University in 1998.
2 Chairman of the JCS Instruction 6510.1, "Defensive Information Warfare"
3 "A National Security Strategy for a New Century", the White House, December 1999.
4 See, for example, "Cybernation: The American Infrastructure in the Information Age", a short primer published by the White House's Office of Science and Technology Policy in 1997. The US is not the only nation to study this issue, however. The Australian Parliament, for example, sponsored a study in 1998 on high-tech threats to Australian security, and other technologically advanced countries, such as Norway and Sweden, are conducting similar efforts.
5 See Joint Doctrine Publication 3-13, "Joint Doctrine for Information Operations"; for Service-specific perspectives also see the Air Force's publication "Air Force Doctrine Document 2-5, Information Operations", and the Army's "Field Manual 100-6, Information Operations."
6 See Chinese Views of Future Warfare, published in 1998, and China Debates the Future Security Environment, published the following year, both by the National Defense University Press. Both are available electronically at the NDU Press portion of the NDU website, www.ndu.edu.
7 Pillsbury, China Debates the Future Security Environment, pg. 296.
8 See, for example, Timothy L. Thomas, "Dialectical Versus Empirical Thinking: Ten Key Elements of the Russian Understanding of Information Operations", in Journal of Slavic Military Studies (Vol 11, #1, March 1998), or Timothy L. Thomas and Lester W. Grau, "A Russian View of Future War: Theory and Direction", in Journal of Slavic Military Studies (Vol 9, #3, September 1996).
9 See, for example, S.P. Rastorguev's Information Warfare (in Russian "Informatsionnaya Vojna"), published by the Radio I Svyaz' Press, and running to 415 pages filled with formulas and diagrams of how generic information systems interact. Read it carefully, and with plenty of aspirin.
10 All but about $400,000 was recovered.
11 A. Krutskikh, "Information Challenges to Security", in International Affairs (Vol. 45, #2, 1999).
12 This author has a vivid memory of a December 1998 meeting with two Chinese officers--one a colonel in the PLA, the other a navy captain--at our National Defense University, during which the subject of the desirability of an international agreement to protect civilian infrastructures from cyberattack was raised no less than three times.
13 A. Krutskikh, "Information Challenges to Security".
14 These intrusions utilized a tactic called a "distributed coordinated attack" in order to generate an effect known as "denial of service". To deny the customers of Amazon.com or LL Bean access is of a different order of impact from denying the users of a key infrastructure element the use of that infrastructure.
15 See, for example, Anthony Kimery, "Moonlight Maze", in Military Information Technology (Vol 3, #6), which is available online at www.MIT-kmi.com. This author would not categorize the so-called "Moonlight Maze" intrusions already described in the open press as a cyberattack or cyberwar. These intrusions, reportedly coming from quasi-official academic and research institutions in Russia, would be better described as espionage or intelligence gathering. While the difference between intelligence collection and overt offensive action could be something as simple and instantaneous as a single keystroke, the fact remains that incidents such as "Moonlight Maze" are intelligence operations that exploit computer networks and databases instead of spies, reconnaissance satellites, and cameras, and are not an activity that under current internationally-recognized legal concepts could be characterized as an "attack" or "war". For further information on this issue see Lawrence T. Greenberg, Seymour E. Goodman and Kevin J. Soo Hoo, Information Warfare and International Law, (Washington, DC: National Defense University Press, 1998), available online at www.dodccrp.org; or Walter Gary Sharp, Sr., Cyberspace and the Use of Force (Falls Church, VA: Aegis Research Corporation, 1999).