Cyberterrorism and cyberwarfare thus become a plausible alternative

Summary of Recommendations

Explain the threat

The most important step U.S. officials can take is to articulate and explain to the leaderships of critical infrastructure providers and major, dependent users the nature of the strategic information warfare (SIW) threat, the threat's significance, and the need to prepare for it. The public develops its perceptions of threats from many sources, but the public is more likely to take these threats seriously if leaders demonstrate their seriousness by implementing effective organizational reforms and resource allocation priorities.

Develop national security policies for the Information Revolution

A policy to protect the United States against an information warfare (IW) attack should be part of a broader strategy that addresses the total impact of the Information Revolution on U.S. national security. To date, no U.S. policy review has considered how the Information Revolution has affected the country's beliefs about security or proper preparations for dealing with such threats.

The president should issue an executive order (EO) establishing U.S. policy and explaining U.S. national security objectives vis-a-vis the SIW threat.

The EO should go beyond recent directives and should address the threat of a concerted IW attack by a sophisticated, determined opponent.

The EO should require a top-down review of existing organizations assigned responsibilities related to IW, information security, security policy, and cybercrime. The review should result in recommendations ensuring that organizations' roles are consistent, do not overlap, and do not leave gaps and specifying how and under what conditions they will interface with each other.

The EO should establish U.S. policy and guidance for the use of offensive IW; this policy should address U.S. strategic doctrine and several objectives in the use of offensive IW:

Identify the officials who will have the authority to approve the use of offensive IW under various specified conditions; Draft guidelines for acceptable and prohibited targets under specified conditions;
Define roles and responsibilities of the White House, the national security agencies, and the intelligence community under various specified forms of offensive IW;
Determine procedures for approval and oversight of the use of offensive IW (including congressional oversight);
and Identify high-priority functions for maintaining national defense, rule of law, emergency preparedness, and continuity of government, and ensure that these functions can be sustained in the face of SIW.

Make strategic information dominance a national security objective

Currently the United States is a leader in the development and application of information technology, and it is important that the United States maintain this strategic information dominance (SID).

To retain leadership in the development and application of information technology and the dominance of U.S. firms in the computer, communications, and media industries, the United States must maintain a friendly environment for businesses in the information industries. The United States should undertake a review of policies and statutes that affect the ability of the United States to maintain its SID; areas to be reviewed should include antitrust policies, trade policies, technology export controls, and other regulations that affect the business environment and U.S. competitiveness.

Adopt policies that ensure critical government services

Federal, state, and local governments have unique roles in ensuring vital government services — national defense, rule of law, and emergency services readiness — even under the stressful conditions of IW attack. Maintaining continuity in these areas can prove challenging and expensive. Government officials need to identify those functions that only government can perform and ensure that government has secure information systems and processes to maintain these functions. This requires updating and expanding government plans for the Information Age and securing the essential infrastructures upon which all levels of government depend.

Understand and work with the private sector

Most experts agree that commercial telecommunications and information systems supporting critical infrastructures will likely be the primary targets in preparation for an IW strike against the United States. Cooperation by industry will be critical to the ability of the United States to defend against, detect, and contain such attacks. Reports by industry leaders suggest that the federal government mind-set still is "government leads, industry follows."

Indeed, government and business have different objectives and operating modes and often have good reasons to limit their cooperation. The cultures of government and the U.S. telecommunications and information industries are very different. The private sector will need to assume much of the responsibility for protecting itself. Government can help in specific, but limited, areas:

Provide information on the nature and extent of the IW threat. The government still has some sources of intelligence about the threat that private companies cannot obtain on their own, but analysts and law enforcement officials may not be able to recognize the evidence of IW aimed at the telecommunications and information systems of the critical infrastructures. Recent policy directives, including the establishment of the National Infrastructure Protection Center under the Federal Bureau of Investigation, aim to improve information sharing, but some legal barriers still need to be overcome and officials in the law enforcement and intelligence communities need to cooperate for these measures to be effective.

Raise the visibility of the threat to the leadership of critical infrastructure providers and major, dependent users.

Support private sector efforts (for example, the Information Systems Security Board [ISSB] proposed by the National Security Telecommunications Advisory Committee) to improve information security.

Review the adequacy and effectiveness of privacy laws, property laws, antitrust laws, and liability issues that are the legal foundation of the private sector's ability to maintain its integrity and protect itself from intrusion.

Provide incentives to the private sector so that it takes measures that not only improve its own security against SIW threats but also benefit the country as a whole. Prepare U.S. military for Information Age conflict

U.S. officials should review the role of IW in U.S. military policy to ensure that U.S. military forces are prepared:

Assess the overall role of IW in U.S. defense policy. The major-regional-conflict standard on which the U.S. military currently bases its planning is increasingly irrelevant as information systems become the more likely target of attack. Traditional weapons systems and force structure that dominate debates on defense spending may become less relevant as IW capabilities develop.

Clarify U.S. policy on deterrence with respect to IW. Policy should articulate the linkage between IW and other forms of power projection.

Ensure effective oversight with respect to offensive IW. Because much offensive IW could be covert, U.S. leaders need to ensure that effective oversight procedures exist.

Overcome legal obstacles with respect to red-team exercises. Prepare U.S. intelligence for Information Age threats

Information warfare threats, which can be generated quickly and from many sources, will require the United States to rethink many of its most entrenched concepts about how intelligence is supposed to work. U.S. officials should develop new intelligence methods necessary to monitor SIW threats:

Revamp the U.S. intelligence organization and process to adapt to a less hierarchical, less rigidly knowledge-based approach. More effective methods for working cooperatively with the law enforcement community and the industry supporting and building the critical infrastructures platforms and technologies also are needed.

Provide indications and warning of possible attack by working more closely with the private sector as a source of expertise and information.

Mandate high-priority intelligence collection requirements concerning IW. The intelligence community must re-examine and coordinate its collection methods and requirements.

Develop plans for recruiting and outsourcing for the special talent needed to analyze the SIW threat.

Designate a national intelligence officer (NIO) whose portfolio is dedicated to offensive and defensive IW.

Source: www.csis.org