Information Warfare and Cybersecurity Are Different, Related and Important

Herb Lin, Paul Rosenzweig
Wednesday, January 17, 2018, 7:00 AM

Susan Landau pointed last week to a disagreement between the two of us, saying that current definitions of cybersecurity (such as the HSPD-54 that Herb quoted) are outmoded and a new definition is necessary. We agree with Susan, and as we discussed the matter, we find that we are in fact much more in agreement than disagreement. At least part of Susan’s perception that we disagree is understandably rooted in the titles of our respective pieces.

Published by The Lawfare Institute
in Cooperation With
Brookings

Susan Landau pointed last week to a disagreement between the two of us, saying that current definitions of cybersecurity (such as the HSPD-54 that Herb quoted) are outmoded and a new definition is necessary. We agree with Susan, and as we discussed the matter, we find that we are in fact much more in agreement than disagreement. At least part of Susan’s perception that we disagree is understandably rooted in the titles of our respective pieces.

Herb was trying to argue that the disruption to the election of 2016 was not primarily the result of poor cybersecurity practices or technologies—as most of the nation currently understands cybersecurity vulnerability. As a variety of hearings and investigations are starting to make clear, the disruption resulted mostly from cyber-enabled Russian information warfare practices and activities that have been entirely legal under U.S. law and that have used information technology products and services in exactly the way they were designed to be used—to spread uncensored information rapidly to selected groups of people.

Paul was trying to argue that the election infrastructure—electronic vote counting systems, voter registration systems, and so on—was vulnerable in the 2016 election (even if not much seems to have happened to it). Those vulnerabilities remain for the 2018 and future elections to such an extent that warrants serious national attention to fix them. Left unfixed, major hacking efforts may be able to take advantage of these problems and cause a kind of disruption to the 2018 election that we have not yet seen.

We agree with each others points. We also both contend that treating the information warfare dimensions of the problem, like other cybersecurity problems, will do little to remediate the vulnerabilities of U.S. society to information warfare. Last, we agree that the danger of putting them in the same box is that neither the information operation vulnerabilities nor the cybersecurity vulnerabilities will be adequately addressed.

Susan’s contention that a new and broader definition of cybersecurity should include information warfare as a threat is thus conceptually correct. Ironically enough, 30 years ago, the term “information warfare” did include, and arguably focused on, what we understand today as cybersecurity. But both of us have been around government long enough to believe that redefining a term that defines important budget categories is fraught with danger and likely to further confuse the debate.

We have different enough perspectives that they will disagree on many things (with the utmost respect, of course). But both believe that both information warfare problems and cybersecurity problems afflict U.S. elections and the infrastructure that supports it. And we look forward to working together on appropriate solutions.


Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare