Cyber Warfare versus Information Warfare: Two Very Different Concepts

Like most people, I have been watching, listening to, and reading the news on the 2016 election (despite my best efforts, you really can’t escape it). Many of the reports I have seen seem to equate Information Warfare and Cyber Warfare, often using the terms interchangeably. I am fairly certain that most of our journalists and politicians don’t understand that these concepts (while often related) are in fact very different. My concern is to help non-technical business people understand the differences, and how to mitigate the risks at a high level. After all, if the US and American businesses are to succeed in defending our systems and data from these types of attacks, we need to clearly understand their nature.


I will try to briefly explain Information Warfare and Cyber Warfare and give practical, well-known examples of attacks that illustrate the differences between the two warfare disciplines. I will also describe some of the skills that are used in Information and Cyber Warfare, and some ideas on how to defend against the emerging threats. My intent in writing this article is to generate discussion on this topic, to put information and security into our collective consciousness. The threats described here are very real, and can wreak havoc on businesses, sometimes with catastrophic consequences.


What are Cyber Warfare and Information Warfare?

Wikipedia defines Cyber Warfare as shown below:

“the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.”

The way I like to think about Cyber Warfare is that it is an attack on systems. These attacks can range from annoyances to complete system shutdowns, with differing financial implications based on the extremity. It is also important to point out that systems attacked are not always computers. Cyber attacks could include attacks on power grids, or aircraft avionic systems. Typically, Cyber Attacks are intended to cause chaos.

Contrast the above ideas with the Wikipedia definition of Information Warfare:

“Information warfare (IW) is a concept involving the battlespace use and management of information and communication technology in pursuit of a competitive advantage over an opponent.”

At the heart of Information Warfare is the use of information or data as a weapon. While Cyber Warfare techniques are often employed to obtain the data, the analysis of the information and its use make it very different from Cyber Warfare. Espionage or spying is an example of Information Warfare (with or without the use of information systems). I like to think of Information Warfare as being more of a “cloak and dagger” type of battlespace. It is designed to give an unfair advantage against an opponent to weaken or destroy them.

An example of an Information Warfare attack that could really be a case study on Information Warfare is the incident which occurred with AshleyMadison.com. Without going into too much detail, Ashley Madison was hacked – and data on the identity of its users was stolen. This data ended up being published on the Web. Based on the nature of Ashley Madison’s business, this proved to be embarrassing and extremely costly for the firm, to say nothing of the PR nightmare and embarrassment to the user community.

Given the frameworks, we can create some examples of each to illustrate the terms. The table shown below is helpful in doing that:

Both Information warfare and Cyber warfare are disruptive and cost money. Both can cripple or even destroy a company or brand (don’t believe me? Go talk to Target or Sony).

Information and Cyber Warfare Skills:

The technology field has many specialized skill sets that go into sustaining the digital health of a given organization. Companies hire subject matter experts like Database Administrators, Network Operations Technicians, Statisticians, Data Scientists, Mobile Developers, Quality Assurance Engineers, Programmers (name the language), Server Engineers, Storage Administrators, Usability Engineers… and oh yeah – Security specialists, which can be an entire ecosystem unto itself. Where technologists sometimes miss the mark is explaining to non-techies why these roles are necessary to the organization, and critical to IT objectives in support of the business.

The worlds of Information and Cyber Warfare also have specialization as far as skill sets needed. While not an exhaustive nor all inclusive list, some of the skills necessary include the following:

The key takeaway here is that the skill sets needed are based on the needs of the specific warfare area. Outside of financiers, the skills needed are very different depending on whether you are doing Cyber or Information Warfare. Additionally, there is not a whole lot of crossover between the skill sets; a linguist, for instance, will rarely also be a Network or System Administrator. To IT professionals, this should not come as a surprise; I often say that I have yet to meet the IT professional who knows everything about everything.

An additional takeaway is that these efforts are not cheap. Each of them takes substantial financial resources, over the course of years in some cases. When the money runs out, the warfare activities quickly cease. Defense against these threats is also not cheap.


Simple Steps to Defend Against Cyber and Information Warfare:

The next question is what can be done to mitigate and eliminate the threats. There are a few things that come to my mind on this subject which can help to deter many of the threats. A short list of them is here (I am also interested in hearing what others think about this):

1. First and foremost – understand the threats. One cannot effectively combat something one doesn’t understand. It’s just as true in cyberspace as it has always been on the battlefield.

2. Educate the workforce (employees and contractors) – security is something most of us take for granted, until something bad happens to us or to one of our friends. This must change. Corporate data and systems are far too valuable today to think of security only after something bad happens. Ask any Security professional how many security incidents it takes to kill a company, and almost universally you will hear the same thing – “Just one if it is bad enough.” Corporations implement workplace safety programs so as to avoid workplace injuries and corresponding workers’ comp lawsuits. It’s surprising how few have an ongoing technology security program to educate workers about these threats, which can literally destroy a company in a few days. The human element is oftentimes the weak link in a corporation’s security posture; it’s important that companies educate the workforce to mitigate this.

3. Have an incident response plan which includes a communication plan. Most businesses instituted Business Continuity and Disaster Recovery plans after 9/11. I am less certain that corporate security incident response plans are nearly as robust.

4. Have information security policies in place – and audit them (a lot).

5. Encourage and enforce disciplined communications for employees. One of the shocking things from the DNC hacks last summer was the type of information being exchanged via unclassified email systems. In Information Warfare – information can be easily weaponized and used against you once it has been stolen by your adversary. Remember that before you send the angry text or inappropriate disparaging email.

6. Hire professionals in this field to help you. This is one of those areas where you really want to staff your team with experts, and not make Information Security a collateral duty.

7. Finally – remember the Chief Information Security Officer (CISO) has a really hard job. I know that budgets are always tight, and oftentimes we in technology are asked to do more with less. Remember the specialization in IT, and more so in Security. If you ask for a 10% head count reduction from the CISO, a logical response will be “What risks do you want to be not mitigated?”

Conclusion:

I am a big fan of the comedian Bill Maher. In one of his comic routines, he delivered the line “The Riddler is not the Joker,” referring to the superhero Batman’s enemies. I look at Information Warfare and Cyber Warfare through this lens – they are very different disciplines. While media sources don’t seem to care about confusing these terms – we can’t afford to. Cyber Warfare and Information Warfare can and will cause very real damage and cost a fortune if not dealt with effectively. This is no longer just an “IT Guy” problem; it’s a National Security issue and poses a substantial risk to corporations.

Good luck!



Nayan Pillai

Data Scientist|Machine Learning| AI |Data Engineer|Data Modeller|Statistician

4 years ago

Nicely described. Cleared my doubt.

Gary Lawler

US Naval Officer. Retired OpsTech LDO. Happily retired, living on a beach in the Philippines. Ultimate goal is to collect drift wood and sell it to tourists.

5 years ago

Nicely done. Two terms easily confused. I would like your permission to quote your article in a paper I am writing? Thanks in advance.

Kelly Fisher

Cybersecurity SME

7 years ago

Great article! To go with your information security auditing recommendation, I'd say you need to ensure you have a robust auditing solution with the right permissions to the audit records in place. You also need to inventory what you have so you know what you need to protect, and to detect rogue devices (this was one of OPM's issues). Information Security needs to be tested, too. Bring in penetration testing teams. Send phishing attempts to employees and see if they respond to them or report them. Train personnel more often than once per year. I'll agree that Information and Cyber warfare are closely linked, and I'm glad you mentioned disinformation! That's been a primary theme lately. Nuff said.
