Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)

This chapter has considered the application of civilian information operations (CIO’s) to the conventional warfare environment. Although the array of CIO tools and techniques has been presented as discrete elements in a schematic diagram, the CIO environment is complex, multidimensional, interactive, and still developing. Accordingly, the introduction of a CIO capability into an existing military force requires careful consideration and adherence to a series of principles espoused within this chapter. These principles are defined within a framework of concepts including Information Assurance, Information Superiority and Information Dominance. This framework can be applied to both the introduction of a CIO capability and the application of CIO’s in information warfare.

CIO’s will change the nature of future wars and will eventually evolve into a separate paradigm of warfare—IW. However, CIOs can be applied to today’s conventional environment and it is within this context that more urgent attention from military planners is required. CIO’s offer both a support capability to existing arms of the military and also an additional dimension to conventional warfare. They may be used to strike enemy systems, control the overall information environment, deter enemy aggression, or support either themselves or other military strategies. Regardless of which tasks they are employed for, CIO’s offer a significant addition to the conventional inventory and should be developed as a matter of priority as an essential Joint Force operational capability in dealing with the civilian casualties of information warfare, as follows.

Conclusions Drawn from Civilian Casualties of Information Warfare

• Information warfare (IW) is the latest development in a long list of revolutions in military affairs based on new technology (other examples include the introduction of airplanes, the atom bomb, and long-range missiles).

• IW is defined as an attack on information systems for military advantage using tactics of destruction, denial, exploitation, and/or deception.

• Information systems are so critical to military operations that it is often more effective to attack an opponent’s information systems than to concentrate on destroying its military forces directly.

• In the civilian context, the U.S. economic, social, and political structures are increasingly dependent on complex and extensive systems for financial transactions, telecommunications, electric power, energy distribution, and transportation. Because these systems rely on each other, a serious disruption in any one system will cascade quickly through the other systems potentially causing a national security crisis. Under these circumstances, the ability of the government to respond will be interrupted and severely constrained.

• In addition to outages caused by natural disasters and accidents, these systems present a tempting target for IW attack to those contemplating an action against U.S. interests.

• IW provides a new context for the application of ethical theories.

• The ethical questions about IW are not meant to be a complete set of ethical questions, but rather a subjective assessment of what are the ethical questions derived from the most important issues exposed by IW.

• New unforeseen ethical questions will inevitably arise from IW in the near future.

• It is hoped that this research will begin a dialog on the issues and lay a framework for more substantive work by ethicists.

• IW and its complement (protection from IW) require important new research efforts from both the technology and ethics research communities.

• The threat of IW raises the following ethical challenges: (1) What constitutes an act of war in the information age? (2) What are the ethical implications of the blurring distinction between acts of war from acts of espionage from acts of terrorism? (3) Can IW be considered nonlethal? (4) Is it ethical to set expectations for a “bloodless war” based on IW? (5) Is it ethically correct to respond to IW tactics with IW tactics? (6) Can protection from IW take place in United States, given our democratic freedoms?

An Agenda for Action in Preparing for Civilian Casualties of Information Warfare

Three policy questions dominate the issue of critical infrastructure protection for civilian casualties of information warfare—how limited should the government’s role be; what is adequate infrastructure security and how will appropriate standards be determined; and what data does the government need from business and why. None seems fundamentally settled if only because policy continues to develop. There are more questions than answers. Nonetheless, a few basic principles are emerging that should guide infrastructure protection efforts.

The United States government needs to set an agenda for action that goes beyond the work already done in preparation for civilian casualties of information warfare. Action steps should include, but not be limited to the following 6 areas:

1. General or centralized monitoring of communications need not and should not be a chief or central component of the government ‘s response to computer security. There are other activities (notably the identification and closing of existing vulnerabilities) that should be given higher priority.

2. Authority for increased monitoring of information systems is not required and should be rejected. Rather, the underlying laws for monitoring communications systems and accessing stored data should be strengthened.

3. The role of the FBI and the NSA in computer security should be carefully limited: it has been demonstrated that their surveillance agendas trump their protective missions, and their activities are often so cloaked in secrecy as to generate understandable suspicion.

4. Oversight of infrastructure protection should be institutionalized within the Executive Branch and should be accessible to the public. There should be established within the Executive Branch appropriate mechanisms for oversight of computer security issues, involving both industry representatives and privacy advocates.

5. Congress must follow this issue carefully, and should insist on periodic reports on the status, scope, and effectiveness of critical infrastructure activities, with special focus on monitoring and intrusion detection initiatives and the protection of privacy.

6. Although the cyber masses acknowledge the need for government participation, especially in educating society about what is at stake, the government’s role in private sector infrastructure protection should be limited and largely advisory. The private sector should set information security standards, and the government should clearly define and limit what information it seeks from businesses and how that information will be used.