In the future, the only weapons you'll need to bring the West to its knees will be a lap-top and a desire to create havoc. John Carlin reports on the threat of Information War, and discovers why the Pentagon is taking it very seriously indeed
Click to follow
The Independent Culture
FUTURE Saddam Husseins may have cause to reflect that there is a cheaper, stealthier, more effective way of striking at the heart of the Great Satan than biological, chemical or nuclear war. When the dust settles in Iraq, Saddam himself may be tempted to explore the opportunities for causing maximum chaos at minimum price afforded by information warfare, a peril that will increasingly concentrate the minds of Western defence experts as the 21st century looms.

The scene is a briefing-room in the Pentagon. Sitting in shirt-sleeves around a long, oval table are the best and the brightest in the American security establishment. CIA spies, FBI agents, White House foreign-policy analysts, Defense Department boffins, a general or two. They have been meeting almost around the clock for three days. With every passing hour the sense of crisis grows.

On the first day they met, the sceptics in the room had suggested it was merely a coincidence that, in the space of 12 hours, the telecommunications system in Texas had gone down; the signals on the railway track between Washington and New York had failed, precipitating a horrendous head-on collision; and the air-traffic-control system at Los Angeles International airport had collapsed, forcing planes to reroute to San Diego, Las Vegas and Salt Lake City, and setting off a chain of disruption that had led to delays and cancellations at every major American airport.

Misfortune or carelessness, the sceptics had said.

But by Day 2 they were beginning to have second thoughts. Could it be that the US was under concerted attack, as some of their younger, more zealous, less judicious colleagues had initially said? For things had suddenly gone from bad to very bad indeed.

The power had gone in four north-eastern states. Denver's water supply had dried up. The computerised records of all the patients in Chicago's biggest hospital had been lost, vanished from the screen, and doctors and nurses in the intensive-care wards were in a frenzy, unsure what medication to give to whom, fearing they were going to have a lot of dead people on their hands.

Now, on the third day, there is no further room for doubt. The power's gone in Kansas, Miami and Minneapolis. The traffic lights in Manhattan have packed up, causing the mother of all pile-ups. Simultaneously, word has come in from the State Department that the American ambassador in Addis Ababa has been kidnapped and that an American Airlines 747 from Heathrow to JFK has been hijacked and forced to reroute to Tripoli. The latest, fresh from the National Security Agency (NSA), is that America's spy satellites over the Middle East have gone blind ...

ALL OF THE above is a game, but a deadly serious game that engages the minds of deadly serious people. Officials from all branches of America's security establishment do meet in Pentagon briefing-rooms on a regular basis to play out scenarios much like those described. The game has a name, The Day After, and the objective is to weigh up the scope of the putative threat to the US and calibrate a response on which the President will be recommended to act.

What are we talking about here? How does all this work?

We are talking about what some call cyberwar; others, information warfare. To initiates, it is known as I-War. In order to wage it there are two minimum requirements: a laptop computer and the ability to operate on the Internet with devastating ingenuity and skill. The sense of clear danger underlying The Day After comes from the premise that somewhere, some day, a hacker of genius will emerge capable of penetrating, and severely disrupting, the heavily computer-reliant infrastructure of the US.

"God," said Voltaire, "is on the side of the great battalions." Not any more, he isn't. I-War is a great equaliser. The more technologically evolved you are, the more vulnerable you are. And no matter how backward your country may be, how unsophisticated your means of conveying utilities or waging conventional war, you can be David to the American, or the Western European, Goliath. This is a form of war that a Third World rogue state, or a small terrorist organisation, could wage against the mighty superpower and win - or, at any rate, not lose.

Saddam Hussein, for example, could save himself a great deal of money and grief were he to recruit the services of, say, a brilliant Russian or Chinese or, for that matter, British computer scientist, equip him (or her) with all the commercially available equipment he needs, and instruct him to set about figuring ways to steal into the electronic systems that run the power supply in Dallas, the water company in Miami, the spy satellites of the NSA. At a salary of one, two, three, 20 million dollars, plus productivity bonuses, the hired techno-nerd would be cheap at the price.

It would be a mistake to imagine that such a prospect is merely the over- wrought fantasy of professionally paranoid Pentagon minds. The digital winds are blowing an icy chill through Washington, dampening the spirits of the previously complacent Cold War victors.

Consider this litany of woe. From former National Security Agency director John McConnell: "We're more vulnerable than any other nation on Earth." Or former CIA deputy director William Studeman: "Massive networking makes the US the world's most vulnerable target." Or former US Deputy Attorney General Jamie Gorelick, speaking at a Senate hearing: "We will have a cyber equivalent of Pearl Harbor at some point, and we do not want to wait for that wake-up call." And, Gorelick added, I-War "can disable or disrupt the provision of services just as readily - if not more than - a well-placed bomb."

The Rand think-tank, a venerable Washington brains trust, issued a report on what it called "strategic information warfare" for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence. It based its findings on the outcome of a series of Day After games.

"Information warfare has no front line," the report said. "Potential battlefields are anywhere networked systems allow access. Current trends suggest that the US economy will increasingly rely on complex, interconnected network control systems for such necessities as oil and gas pipelines, electric grids, etc. The vulnerability of these systems is currently poorly understood. In addition, the means of deterrence and retaliation are uncertain and may rely on traditional military instruments in addition to I-War threats. In sum, the US homeland may no longer provide a sanctuary from outside attack."

One man who is trying to come up with some good ideas - indeed the US government is depending on him to come up with them - is Howard Frank. The director of the Information Technolo-gy Office at the Defense Department's Advanced Research Proj-ects Agency (Darpa), Dr Frank is a member of the Pentagon team which 25 years ago invented the Internet, originally known as Arpanet. The Dr Frankenstein who invented the monster, he has now been charged with leading the effort to bring it under control.

In an interview last year at the Darpa office, a forbiddingly secured, anonymous-looking building in Arlington, Virginia, Dr Frank, one of the Day After players, revealed that these fantasy games have been going on since 1995 and will continue for the foreseeable future.

He was disarmingly, disconcertingly candid. The games did serve the useful purpose of alerting people to the magnitude of the dangers that loom, he said, but, the problem identified, no one seemed so far to have much clue what the solution might be.

"What you find the first day you play the game is that you really can't figure out what's going on," Dr Frank said. "You don't have enough time. Some people think this is the most heinous thing that's happened, other people say, 'We just have to wait, it could have been accidental, it could have been terrorists, it could have been a hacker' - and every opinion in between, from nuclear war to business as usual.

"Then you get the next briefing two days later, 'Here's what's happened, the situation has gotten much, much worse, and it's now correlated with other things, the Iraqis have done this, someone else has done that ... ' Now all of a sudden it seems to be correlated with geopolitical events and it seems to be: 'US, if you intervene in a conventional military way we can now strike you in the homeland.' But there is no evidence of who did it. You can't trace it back! And that's really a problem."

So how do you fight back? How, for that matter, do you know when the attack is over, or whether there is more to come?

"You don't know. You don't know," Dr Frank replied. "This could be all they got." They? "Oh yes, there is a 'they' - but you don't know who it is, including it may be a third party who, under the cover of these world events, is trying to push the United States into a different direction. So we move in because we think the Iraqis are doing it, or the Soviets are doing it, and it's really not them at all. It's someone trying to take advantage somewhere else. But it's big stuff, it really is big stuff."

The point of the exercise, Dr Frank said, was to anticipate through scenarios "that are plausible and cannot be ignored" what the response should be when the real thing happens, when a successful computer penetration of America's vital infrastructure systems has been achieved. The outcome, however, had been disheartening. "What was quite clear was that we didn't have enough time, we didn't have enough knowledge and we didn't really have any traceability. What should we be doing now in order to avoid that lack of knowledge situation in the year 2000? That's the game."

But what if disaster struck before the year 2000, right now - today, tomorrow - while America's defences remained virginally unprepared and unaware? It was a possibility Dr Frank was not prepared to rule out. At one point in the interview he let slip a remark so melodramatic, so out of tune with his otherwise mild professorial demeanour, that it might have come straight out of the script of Independence Day. He was talking about a string of power cuts on the West Coast following heavy rain storms.

"When I read in the newspapers and listened on TV that eight states were blacked out, each time I said to myself, 'Okay, it's started!' Each time it doesn't turn out that way but, last year, there were two of those in the West, and though there were storms they were related to a few things they never really quite figured out. But I say to myself, 'It's started!' and when I find out it really didn't I just think we've bought some additional time, but it will start."

It? What was this "it", exactly? "What I mean is that there are a bunch of people out there who are bad guys, like people who create viruses - and probably every computer on Earth has been hit by a virus at one time or another. The point is that if you can do that for fun someone's going to figure out that it would be fun to take down the power system. And this means that here you have a way to attack us right in the homeland."

It's an alternative threat that will not go away for a while to come. As Dr Frank - soberingly, gravely - put it, "We've created a technology over a period of 20 or 30 years: it's going to take 10, 20 years to create an alternative technology that allows us a more sophisticated set of defences."

Dr Frank was one of 6,000 scientists, academics and experts of all descriptions who provided input to a body called the President's Commission on Critical Infrastructure Protection, created by executive White House order in July 1996. Jamie Gorelick described the commission as "the equivalent of the Manhattan Project", the top-secret scheme devised during the Second World War to build the atom bomb. The commission, which sought to liaise between the government and the private-sector companies which run 90 per cent of the vulnerable infrastructure points, was chaired by a retired air- force general, Robert Marsh, and included senior officials from all the national security agencies as well as the departments of commerce, energy, transportation and the treasury. The commission's task, completed at the end of last year, was to combine data gleaned from inter-agency research and a series of public hearings around the country, and come up with a report for the president evaluating the scope of the "cyber threat" and recommending strategies to counter it.

Introducing the report to the Senate Subcommittee on Tech-nology, Terrorism and Government on 5 November, General Marsh had to acknowledge that the President's commission had come up with more problems than solutions.

The general told his senatorial audience that the first thing they had to do to have any chance of understanding the nature of the I-War threat was to remove from their minds conventional notions of the art of war. The "geography" in which the commission had focused its efforts, he explained, was "a new geography ... a borderless cyber geography whose major topographical features are technology and change." The fast pace of technology, he gravely added, "means we are always running to catch up".

Besides, the fast flow of information through the Internet means that knowledge of the infrastructure's vulnerabilities is widely accessible, most of it being unclassified. But even when that knowledge is classified, it can never be entirely secure. The truly valuable spies, double agents, or paid informers in the I-War world will be those who can obtain secret information about how to access top-secret, heavily protected computer files. Top prize for today's Smileys and Karlas, the Mission: Impossible crews, will be to recruit agents who know the password that will unlock the keys to the electronic systems on which sophisticated societies run. "Common to all threats is the insider. We could spend millions on technology to protect our infrastructures, but a well-placed insider or disgruntled employee could render nearly all protection useless."

As to the identity of those who could pose an I-War threat General Marsh preferred, in his public testimony, to be vague. "The opportunity to do harm is expansive and growing," he said. "The threat is a function of capability and intent ... These tools recognise neither borders nor jurisdictions. They can be used anywhere, anytime, by anyone with the capability, technology, and intent to do harm. And they offer the advantage of anonymity."

That is true. One of the attractions of information warfare for the aggressor who wishes to sow chaos without being found out is that he can be based anywhere in the world - be it the Serengeti plains, the Sinai desert or a basement in Clapham - and cover his tracks in such a way that both his identity and location will remain a mystery to his victims.

Yet, had General Marsh been more candid, less attentive to diplomatic niceties, he might have drawn the attention of the senators to the potential threat from within the Chinese military establishment. For a crisp, succinct, summary of I-War - not to mention a taste of the threat's cold reality - one place to turn to is the Chinese army newspaper, Jiefangjun Bao. Here is a summary, as carried by the newspaper, of speeches delivered at the founding ceremony for Beijing's new Military Strategies Research Centre in May 1996:

"After the Gulf War, when everyone was looking forward to eternal peace, a new military revolution emerged. This revolution is essentially a transformation from the mechanised warfare of the industrial age to the information warfare of the information age. Information warfare is a war of decisions and control, a war of knowledge, and a war of intellect. The aim of information warfare will be gradually changed from 'preserving oneself and wiping out the enemy' to 'preserving oneself and controlling the opponent'. Information warfare includes electronic warfare, tactical deception, strategic deterrence, propaganda warfare, psychological warfare, network warfare, and structural sabotage.

"Under today's technological conditions," the summary continues, "the 'all-conquering stratagems' of Sun Tzu more than two millennia ago - 'vanquishing the enemy without fighting' and subduing the enemy by 'soft strike' or 'soft destruction' - could finally be truly realised."

No talk here, it will be noted, about defending the homeland. As a largely agrarian, predominantly poor nation, China does not have to worry nearly so much as the US about the prospect of its infrastructure coming under attack. The Chinese take on I-War, by contrast to that of General Marsh's commission, is not timorous. The object is to vanquish, conquer, destroy - as deviously and pervasively as possible.

Against such an enemy the traditional military response is redundant. Destroying Saddam's weapons stockpile presents problems enough, smart bombs or no smart bombs. But who do you bomb when you are under I-War attack? Where do you send your aircraft carriers, your nuclear submarines? What do you do with your super-trained special forces units, your SAS's and your US Navy Seals, if their target is not only elusive but utterly unidentifiable? The exasperating thing about I-War is that it does not take a nice, fat sitting duck of a factory to manufacture software bombs; any laptop, anywhere, will do.

Which suggests that General Marsh's recommendation in his report for a doubling of the budget dedicated to infrastructure protection research and preparedness, from $250m to $500m, is an absurdly modest request in the light of the $50 billion currently spent on conventional warfare by the Pentagon. John Arquilla, a professor at the Naval Postgraduate School in Monterey, California, and a leading Pentagon I-War thinker, made the point bluntly: "We have spent billions in the last few decades on large, expensive aircraft carriers, strategic bombers, and tanks. The information revolution suggests nothing less than that these assets have become much more vulnerable and much less necessary."

Part of the $500 million, General Marsh suggested, might be spent on alerting the population at large to the danger of I-War, on what he called "a nationwide public awareness campaign". He might have described such a campaign, but he did not, as an exercise in pre-emptive mass therapy. For while war as it has always hitherto been fought - employing swords, spears, bullets or bombs - has a physical objective, is an assault, quite literally, on the body, I-War's target is pre-eminently the mind. As General Marsh noted, those who would attack the infrastructures would do so to weaken America's sense of its own power, to ask severe questions of the economy and generally "to erode public confidence".

The best response to such attack, in the event that the technology fails to provide adequate protection, is strength of mind, resolve, doughtiness of character - commodities in wider supply in nations like Iraq and China, where people are accustomed to living with hardship, than in America and the generally pampered West, where the prospect of doing without running water and electricity, even for a day, would assume calamitous proportions.

All of which sounds much like what the Chinese military strategists have in mind when they describe the charms of "soft destruction". For I-War is, in essence, a form of psychological war, a war of perceptions. It leaves the body intact but it attacks the soul, the weakest link in the superpower's armour. !

An earlier article written by John Carlin about information war, which appeared in Wired magazine in May 1997, is now being developed into a major motion picture and is expected to be released by 20th Century Fox during the summer of 1999.