The Difference Between Cyber and Information Warfare

“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
― Sun Tzu, The Art of War

On Friday, February 16, 2018, Deputy Attorney General Rod Rosenstein announced the indictment of 13 Russian officials related to Russian meddling in the 2016 Presidential election. The first charge, conspiracy to defraud the United States, is against all thirteen defendants. Specifically, “[t]he defendants allegedly conspired to defraud the United States by impairing the lawful functions of the Federal Election Commission, the U.S. Department of Justice, and the U.S. Department of State . . .” Other charges include conspiracy to commit wire fraud and bank fraud and aggravated identity theft. The full press release and the indictment are attached at the bottom of this post.

In his statement, Rosenstein explained that the Russians defined their operation as “information warfare.” The use of that phrase reminded me of an important distinction that was first brought to my attention this past fall – the distinction between cyber warfare and information warfare.

General Michael Hayden, former director of both the CIA and NSA, spoke at Syracuse University on Russia-U.S. relations in October.[i] In particular, Hayden focused on Russia’s interference in the 2016 Presidential elections and how those acts fit within Russia’s broader scheme of information warfare.

To provide context for Russia’s policies, Hayden explained the policy-making process in the U.S., of which he was a part, when the U.S. was trying to define its own role in cyberspace. At that time, the decision makers weighed two options. Option One was to focus on just cyber and try to “dominate” that sphere. Option Two was to enter the world of information warfare – a much more expansive and daunting task. Information warfare includes psychological warfare, disinformation, deception, and public diplomacy. The U.S. chose Option One while Russia chose Option Two.

In light of recent events, one must question whether that position is still the correct one today. Should the U.S. expand its capabilities in the cyber domain to include those related to information warfare? If the answer is yes, then who should be responsible for conducting those operations?

The Difference Between Cyber and Information Warfare

Information Warfare

Information warfare is not new. And it is not a uniquely Russian phenomenon. In fact, some say it is as “American as Apple Pie.”[ii] General Hayden’s comment that the U.S. does not participate in information warfare is misleading if removed from the contained discussion of cyber. Information warfare in the United States dates back to the Revolutionary War.[iii] From a broader standpoint, it has existed as long as war itself has.

It is not easy to find a widely accepted definition of information warfare or, as it is frequently called, information operations. The Joint Chiefs of Staff defines “Information Operations” as “the integrated employment of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own.”[iv] Despite inconsistencies in definitions or even names, the key to understanding information warfare is that, at its core, the information or data itself is used as the weapon.[v]

The Joint Chiefs identify three main components of the information environment – the physical, the cognitive, and the informational.[vi] The figure below shows how these dimensions are influenced to achieve objectives.[vii]

The Joint Publication goes on to identify the extensive list of military capabilities that comprise Information Operations, including, but not limited to: strategic communications; public affairs; civil-military operations; cyberspace operations; information assurance; space operations; military information support operations; intelligence; military deception; operations security; special technical operations; and joint electromagnetic spectrum operations.[viii] A separate report defines Information Operations as being comprised of five major entities: (1) Psychological Operations; (2) Military Deception; (3) Operational Security; (4) Computer Network Operations; and (5) Electronic Warfare.[ix]

For example, psychological operations could include dropping propaganda leaflets or broadcasting demands to surrender to enemy troops to weaken their morale.[x] Deception might include moving dummy aircraft out to a tarmac of an Air Force base to signal potential movement.[xi] Typical cyber operations in information warfare could include what Russia did to the U.S. last year. Russia utilized a complex system involving several steps of filtering information through different mediums until it eventually made its way to U.S.-based social media accounts, where it was shared again and again.[xii] Regardless of exactly how Russia executed those operations, they demonstrate how cyberspace is a new and easily exploitable medium for information warfare.

Information warfare is a very broad and highly complex sphere. It is inherently multidisciplinary and multidimensional. Cyber is just one tool in the information warfare toolbox. However, given the rapid development of technology, it is an increasingly important tool. While the distinction between cyber and information warfare may be becoming finer, it has not been eradicated completely.

Cyberwarfare

Like information warfare, concepts of cyber warfare are vague and undefined. That is mainly a result of the fact that, unlike information operations, the notion of cyber warfare is very new. Commercialization of the internet and reliance on computers and other devices has exploded only in the last twenty to thirty years.

The simplest way of thinking about cyber warfare is that it consists of attacks on systems.[xiii] This is a broad definition and includes actions such as a standard distributed denial of service (DDoS) attack, ransomware, malware, and the like. Perhaps the goal is to temporarily shut down a system, or maybe it is advanced enough to wipe out an electrical grid, or, in the case of Stuxnet, to overload nuclear reactors.[xiv]

Information warfare involves using the information itself as the weapon. Cyber capabilities are just one of many tools used to carry out that task. Cyber warfare, on the other hand, focuses on disrupting and disabling the computer or cyber systems themselves. The chart below demonstrates some of the simple differences in types of activities between the two.[xv]

Should the U.S. develop Cyber Capabilities for Information Warfare?

The manner in which General Hayden framed that decision suggests that the U.S. decided not to engage in information warfare. I believe this is misleading. One can safely assume that, at some level, the U.S. does engage in information warfare. The question being considered here is how the U.S. defines its own role and function in cyberspace. Is the U.S. best served by focusing on being able to defend its own and attack other nations’ cyber systems? Or is it worth expanding its cyber capability to include functions that fall into the information operations sphere?

The next decision is who should have responsibility for this capability if the U.S. were to develop it. The ability to disseminate information in a way that will influence world events is very powerful. What government agency do we trust enough with this power? Is there any?

There are several benefits to being able to engage in information warfare in cyberspace. The first and most obvious benefit is that the U.S. could provide foreign citizens of authoritarian regimes with information that their governments do not allow them to have. Imagine the impact that it would have if the U.S. could explain to North Koreans what the world is really like. Regimes like China, Russia, and North Korea all depend on controlling the narrative in their homelands. Adequate cyber information warfare capabilities could undermine this ability.

Second, the U.S. could develop means by which to defend information operations from other nations. For example, maybe the new capabilities would involve ways to mitigate attempted Russian influences during an election cycle. Finally, fully developed capability would act as a deterrent to other nations.

The downside of trying to expand cyber capability is that the government’s already limited resources are spread too thin. In the years since Gen. Hayden, et al.’s decision to pursue cyber “dominance,” the U.S. government has barely been competent and consistently struggles with cyber security issues. It may be wise to focus on completing one task before taking on new, larger challenges.

Another drawback that decision makers must consider is the potential effect that U.S. information operations could have on its own citizens. Given the interconnected nature of the world and how quickly information travels on the internet, it is not farfetched that U.S.-controlled narratives set forth overseas would ultimately make their way back to the U.S. The U.S. should not, and cannot,[xvi] be in the business of information warfare and propaganda against its own citizens – whether intentional or unintentional.

The Scope of Cyber Capabilities[1] [2]

The first option that policymakers could take is to do nothing. The decision could be made that opening “Door 2,” as General Hayden labeled it, is simply too big of a task. The benefit of this decision would be that the United States could dedicate all of its resources to securing its cyber systems defensively while fine tuning its offensive ability to disrupt enemy systems. It could pursue the true “dominance” that Gen. Hayden claimed decision makers were seeking then.[xvii] If the U.S. chooses not to pursue this route, it loses out on a major opportunity to fundamentally alter how our enemies operate. But if the U.S. is going to develop its cyber arsenal for some purposes, why not develop it for all purposes? Information warfare could be crippling to a number of our adversaries who control the world their citizens live in. This is a huge price to pay for simply not wanting to engage in a more daunting challenge.

The second option is to develop the cyber capability to carry out information operations but limit its use to military conflicts. As explained previously, this is the traditional sense in which information operations are carried out. Fully developing the capability to do so in cyber space just strengthens the military. The drawback, again, is that the U.S. would forego an opportunity to develop an incredibly versatile tool in its toolbox. The use of such capability is not limited just to actually disseminating information, but it can also be a deterrent to nations, such as Russia, who realize that they have more to lose than gain by engaging in information warfare with the U.S.

The third option is to develop the cyber capability but expand use beyond military objectives to achieve broader policy goals. This essentially would open the door to using that cyber capability for purely political agendas. The benefits of this are boundless. The U.S. would have the ability to influence the flow of information and way of thinking in our adversaries’ homelands at any time. The dynamic would be considerably different than if our enemies knew our use of information operations was limited to the military sphere. Again, it is worth reiterating that the U.S. does carry out information operations and always has. The key here is to develop the ability to do so via cyber means.

The final option is to engage in full scale information warfare. This involves utilizing all facets of the information operations sphere, not just cyber. This option is beyond the scope of this post but needs to be mentioned for the sake of completeness.

Who should wield this power?

The first option for who should wield this cyber information operations power is an agency in the intelligence community, such as the CIA. This may seem like an obvious choice as that agency’s core business is foreign intelligence. The authority to set information operations in motion would likely reside with the President. This power is too vast to be unchecked, and the CIA’s oversight mechanisms are insufficient. Moreover, the CIA is prohibited from domestic operations and the potential flow of information back to the U.S. would be problematic.[xviii]

The second option is to give the authority to the military. This makes perfect sense if you are limiting the scope to military operations. It appears somewhat problematic, however, if the plan is to utilize the tool for broader policy objectives as well. There is a notion that the military should only be operating in times of war, which means the military would not be a great choice if you want the ability to use the cyber information operations mechanism at any time. There is, however, an alternative view that the binary view of peace or war with nothing in between must be reconsidered. If one finds this argument persuasive, then doubts about peacetime military operations are eliminated. The military is built around transparent decision making through the chain of command with the President at the top. Further, to increase accountability, a reporting mechanism could be established where the President is required to notify (note: not seek approval from) certain Congressional committees, such as the “Gang of 8,” when he is deploying these capabilities. The NSA is a natural fit for these capabilities given its expertise in the area.[xix]

The final option is anyone else. This might mean creating a new agency, but that would be duplicative and very costly. It could also mean a domestic, law enforcement type agency, which would have transparency and accountability but would not have operational authority or the institutional knowledge to operate overseas.

The Author’s View

The U.S. should develop its cyber arsenal so that it can fully execute any information operations for both military and political objectives. In fact, one can argue that if the U.S. wants to continue any functional capability for information operations, it must develop its cyber capability as that is the main medium in which information flows today. The numerous benefits far outweigh potential drawbacks. There is simply no compelling reason not to develop such a powerful, influential tool. This is especially true when one considers the fact that resources are already being committed towards developing cyber capabilities for other purposes.

The U.S. military, specifically the NSA, is best suited to develop and deploy the cyber information warfare mechanisms. While it may seem counterintuitive to give such a powerful tool to the military, no other entity has the institutional knowledge to deploy the tool while being held accountable. Fear and distrust of the military exists, but this can be better mitigated with the military than the CIA.

[1]  The author recognizes that the options provided in this section are a very simplified list. In fact, the number of options given all combinations of various relevant considerations is extensive. The development of every possible choice is beyond the scope of this post. An appropriate consideration of every option would likely include the development of a matrix to properly account for all elements of the policy – its goals; whether it is offensive, defensive, or both; which agency should run it; the true breadth and depth; etc.

[2]   In all of these options, the decision is to develop the capability. Individual decisions as to when, or if, to utilize that capability are fact-specific analyses that must be conducted within the confines of those individual situations.

Grand Jury Indicts Thirteen Russian Individuals and Three Russian Companies for Scheme to Interfere in the United States Political System _ OPA _ Department of Justice
indictment_russia_0

[i] Gen. Michael Hayden lecture titled “Cold War Revival?” at Syracuse University, Maxwell School of Citizenship and Public Affairs, (Oct. 20, 2017). All references to General Hayden and his comments are from this lecture, hereinafter referred to as “Hayden Lecture.”

[ii] David V. Gioe and Erick Waage, “Information Warfare isn’t Russian – It’s American as Apple Pie” The Bridge, (Mar. 8, 2017), https://thestrategybridge.org/the-bridge/2017/3/8/information-warfare-isnt-russian-its-american-as-apple-pie.

[iii] Id.

[iv] Kevin Coleman, “When Do Information Operations Become Cyber Warfare?” Defense Tech, (Aug. 31, 2010), https://www.defensetech.org/2010/08/31/when-does-information-operations-become-cyber-warfare/ (quoting Joint Chiefs of Staff Joint Publication 3-13, http://dtic.mil/doctrine/new_pubs/jp3_13.pdf).

[v] Rex Mbuthia, “Cyber Warfare versus Information Warfare: Two Very Different Concepts,” (July 16, 2017), https://www.linkedin.com/pulse/cyber-warfare-versus-information-two-very-different-concepts-mbuthia/.

[vi] Joint Publication 3-13 at I-2, supra note 4.

[vii] Id. at I-7.

[viii] Id. at II-10.

[ix] “Information Operations, Cyberwarfare, and Cybersecurity: Capabilities and Related Policy Issues,” CRS, (Mar. 17, 2009), https://www.everycrsreport.com/files/20090317_RL31787_291375f13deb5a3f48da06b5c443d1ed18686524.pdf.

[x] Brian Nichiporuk, “U.S. Military Opportunities: Information Warfare Concepts of Operations,” Rand Corporation, https://www.rand.org/content/dam/rand/pubs/monograph_reports/MR1314/MR1314.ch6.pdf.

[xi] Id.

[xii] Hayden Lecture. The exact details of every step taken that General Hayden provided are missing from this author’s notes.

[xiii] Mbuthia, supra note 6. Rand also utilizes a similar definition which can be found at https://www.rand.org/topics/cyber-warfare.html.

[xiv] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

[xv] Mbuthia, supra note 6.

[xvi] 22 U.S.C. § 1431 et seq., available at https://www.law.cornell.edu/uscode/text/22/1431, commonly known as the Smith-Mundt Act.

[xvii] Hayden Lecture.

[xviii] Historical abuses by CIA power domestically are evident by the findings of the Church Committee issued in its 14 reports. Those can be found at http://www.aarclibrary.org/publib/church/reports/contents.htm.

[xix] https://www.nsa.gov/what-we-do/
