In February 2021, a cyber attacker tried to poison the water in Oldsmar, Florida. The hacker gained access to a program used to control a water treatment plant and attempted to increase the amount of lye, which is used to regulate pH levels, in the water to unsafe levels. An alert plant operator saw his mouse moving on its own and stopped the attack. Similar unsuccessful attacks have occurred in Israel, the San Francisco Bay Area, and Ellsworth, Kansas. In October 2021, the Cybersecurity & Infrastructure Security Agency issued an alert regarding ongoing cyber threats to U.S. water and wastewater systems.
This is an example of a cyber attack with physical effects made possible by manipulation of computers that are increasingly used as controllers of machines, physical systems, and processes. Proof-of-concept “cyber-physical” attacks have been conducted on generators, cars, cranes, and satellites. Attackers can commandeer systems or cause physical damage, as demonstrated by the STUXNET worm, which was used to damage Iran’s uranium enrichment centrifuges and slow the enrichment process. And as the attacks on water systems illustrate, they could even cause bodily harm.
That computer controllers can be attacked is not news to the U.S. Department of Defense. A 1997 exercise demonstrated the vulnerability of critical infrastructure and military control centers to cyber attacks. The President’s Commission on Critical Infrastructure Protection warned in its follow-on report: “Today, the right command sent over a network to a power generating station’s control computer could be just as devastating as a backpack full of explosives, and the perpetrator would be more difficult to identify and apprehend.”
Military thinking about computers and networks began as part of a broader discussion of information in war that included both information for humans and signals for machines. Joint doctrine continues to tie cyber power to that discussion even as information was gradually narrowed to focus on information for humans, leaving cyber attacks with physical effects, like those on the water treatment plants, out of the discussion. Filing cyber power under “information” risks shaping how commanders understand what cyber power can do, how the military organizes itself to exercise cyber power, and where and how cyber power is included in planning and exercises. To ensure that the Department of Defense is poised to exploit and defend against the full range of cyber capabilities, cyber power should be considered independently of the broader discussion of information.
Defining Information War
In the beginning, the discussion of “information” in “information war” included signals intended for humans and machines. In 1975, Thomas Rona, an electrical engineer for the Boeing Aerospace Company, wrote a paper for the Department of Defense’s Office of Net Assessment titled Weapons Systems and Information War. Rona explained that modern weapons systems were increasingly dependent on external communications links such as command and control links, navigation information, and sensors. These links were vulnerable to attack and the fight to protect or compromise them is what Rona termed “information war.”
Rona’s definition of “information” was an engineer’s, rooted in Claude Shannon’s information theory. He defined “information” as electrical, optical, acoustic, or fluid signals that “convey the state of, or the inputs available to, a given subsystem to others.” Information was an input to both human and “automated decision making,” in which a signal was processed to produce an output according to a set of rules — a definition that includes an analog electronic circuit. In “information war,” an attack could involve deceiving a human, spoofing or jamming a signal, or physically destroying a machine.
The Department of Defense formally introduced the idea of “information warfare” in a classified instruction in 1992. Its concept, like Rona’s, included information for both people and machines. A 1996 public brochure defined information warfare as involving “actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one’s own.” Information warfare, in this understanding, “targets and protects information, information transfer links, information gathering and processing nodes, and human decisional interaction with information systems.”
From Systems and Processes to Decision-Making
In 1996, the Department of Defense replaced the instruction on information warfare with an instruction on “information operations” to widen the focus on information to other agencies and perhaps to assuage concerns that the Pentagon was seeking to militarize the Internet.
In 1998, the first joint doctrine on information operations was published. The doctrine stated that information operations seek to “affect the information-based process, whether human or automated. Such information dependent processes range from National Command Authorities-level decision making to the automated control of key commercial infrastructures such as telecommunications and electric power.” “Information warfare” was redefined as a special case of information operations during crisis or conflict.
Information operations protected or exploited “the information environment,” defined as “[t]he aggregate of individuals, organizations, or systems that collect, process, or disseminate information; also included is the information itself.” Although the internet had not yet been invented when Rona wrote, the doctrine recognized “computer network attack” as an important capability for information operations, as well as operations security, military deception, psychological operations, electronic warfare, physical attack and destruction, and special information operations.
The doctrinal definitions of “information” and “data” were drawn from the Department of Defense dictionary. These were also double-barreled, applying to humans and machines. The Department of Defense dictionary defined “information” as follows: “1. Facts, data, or instructions in any medium or form. 2. The meaning that a human assigns to data by means of the known conventions used in their representation.” Data was defined as a “[r]epresentation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or automatic means. Any representations such as characters or analog quantities to which meaning is or might be assigned.”
In 2006, joint doctrine on information operations was revised. The term “information warfare” was removed from joint doctrine altogether. “Information operations” were redefined to focus on human and automated decision-making, rather than systems and processes. “Computer network operations” were listed as a “core capability” of information operations along with electronic warfare, computer network operations, psychological operations, military deception, and operations security. This revision subordinated computers and networks to information operations.
Information Operations: Now Just for Humans
But computers and networks began to take on a life of their own. In 2000, the Joint Chiefs of Staff named “information” as a “domain” of warfare, but the 2004 National Military Strategy listed “cyberspace,” rather than “information,” as a “domain” of conflict, referencing “threats in cyberspace aimed at networks and data critical to [U.S.] information-enabled systems.” In 2008, the White House produced the Comprehensive National Cybersecurity Initiative to coordinate cyber policy across the interagency process. The Department of Defense dictionary defined “cyberspace” as “[a] global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” In May 2010, the National Security Strategy listed “secure cyberspace” among the nation’s security objectives and identified “cyber” as a “domain,” along with land, air, sea, and space, pointing to the cyber vulnerabilities of critical infrastructure such as electric…