therefore, countries that are not as dependent on high tech- nology within their military establishment consider such dependence a potential “Achilles heel” for their enemies.
Advanced, post-industrial societies and economies are critically dependent on linked computer information and communication systems. Sophistication has itself become a form of vulnerability for enemies to exploit. Disruption of civilian infrastructures is an attractive option for coun- tries and non-state actors that want to engage in asymmet- ric warfare and lack the capacity to compete on the tradi- tional battlefield. Indeed, so important are information infrastructures that more and more nations consider an attack against them the equivalent of a strategic strike.
Traditional lines between war and peace are becoming blurred. This development was presaged by the Cold War, but is even more obvious in the war against terrorism in the wake of the 11 September attacks on the World Trade Center and the Pentagon. It suggests that the computerised information systems of NATO member states are likely to be the continuing target of attacks by a non-traditional enemy, whose main goal is physical destruction and dis- ruption and who is likely to exploit vulnerabilities wherev- er they are to be found.
In this connection, it is worth emphasising that cyber war is not the defacement of web sites owned by a rival nation, organisation or political movement. Even when they accompany other tensions or hostilities — as they did during NATO’s Kosovo air campaign in 1999 — such attacks on web sites are best understood as a form of harassment or graffiti and not as cyber war per se. There are, nevertheless, several levels of cyber war, of which three stand out: cyber war as an adjunct to military opera- tions; limited cyber war; and unrestricted cyber war.
When modern military establishments are involved in military hostilities, a key objective is to achieve informa- tion superiority or information dominance in the battle space. This requires suppressing enemy air defences, blocking and/or destroying radar, and the like. The aim, in Clausewitzian terms, is to increase the “fog of war” for the enemy and to reduce it for one’s own forces. This can be achieved through direct military strikes designed to degrade the enemy’s information-processing and commu- nications systems or by attacking the systems internally to achieve, not denial of service, but a denial of capability. In effect, this form of cyber warfare focuses almost exclusive- ly on military cyber targets.
In a limited cyber war, the information infrastructure is the medium, target and weapon of attack, with little or no real-world action accompanying the attack. As the medium of attack, the information infrastructure forms the vector by which the attack is delivered to the target — often through interconnections between the enemy and its allies, using links for sharing resources or data, or through wide-area
COMBATING NEW SECURITY THREATS
network connections. Alternatively, an inside agent might place malicious software directly on the enemy’s networks.
As the target of attack, the infrastructure forms a means by which the effectiveness of the enemy is reduced. Networks facilitate organisational missions. Degrading network capacity inhibits or prevents operations that depend on the network. Degrading the level of service on the network could force the enemy to resort to backup means for some operations, which might expose additional vulnerabilities. Degrading the quality of the data on a net- work might even force the enemy to question the quality of the information available to make decisions. As the weapon of attack, the infrastructure could be perverted to attack itself — either via the implantation of multiple pieces of malicious software, or via deliberate actions that exploit weaknesses. Limited cyber war of this kind could be designed to slow an adversary’s preparations for military intervention, as part of an economic warfare campaign, or as part of the manoeuvring that typically accompanies a crisis or confrontation between states.
More serious, and perhaps more likely, than limited cyber war is what can be termed unrestricted cyber war, a form of warfare that has three major characteristics. First, it is comprehensive in scope and target coverage with no dis- tinctions between military and civilian targets or between the home front and the fighting front. Second, unrestricted cyber war has physical consequences and casualties, some of which would result from attacks deliberately intended to create mayhem and destruction, and some of which would result from the erosion of what might be termed civilian command and control capabilities in areas such as air-traf- fic control, emergency-service management, water- resource management and power generation. Third, the economic and social impact — in addition to the loss of life
could be profound.
An unrestricted cyber campaign would almost certainly be directed primarily against the target country’s critical national infrastructure: energy, transportation, finance, water, communications, emergency services and the infor- mation infrastructure itself. It would likely cross bound- aries between government and private sectors, and, if sophisticated and coordinated, would have both immediate impact and delayed consequences. Ultimately, an unre- stricted cyber attack would likely result in significant loss of life, as well as economic and social degradation.
Denial-of-service attacks would take on new meaning where the services do not simply provide access to the internet but are systems supporting critical, national infra- structures; systems that are not designed for prolonged out- ages. A chronic loss of power generation and transmission capabilities, for example, would have a major impact on medical and other emergency services, communications capabilities and the capacity to manage. A failure of emer- gency services in major cities would not only result in the
NATO review 17