Third-degree conflicts: information warfare

The concept of the Internet as a potential military battlefield is not particularly new. The Internet itself is rooted to the military notion of a bomb-proof defense network. Similarly, the feasibility of attacking information systems across this network was proven in the 1980s by the Morris Worm. This Internet worm brought an early lesson: The seemingly obvious defense of network disconnection was an extremely poor defensive maneuver (Spafford, 1989).

The information security community was already developing communications-network-based defenses and controls before the Morris Worm (e.g., Baskerville, 1988). These defenses were extended against potential Internet-based attacks, together with newly designed controls like virus protection software.

Information warfare, in the sense of limiting an adversary's information capabilities while improving friendly capabilities, is indeed ancient (cf. the types of ‘spies’ in Sun Tzu, 1995). The ability to misguide an adversarial decision-maker can result in misdirected assets and efforts that can be highly favorable for the side that controls information. Even the notion of conducting battles that take place entirely within networks of information systems has been a popular scenario for science fiction writers (e.g., Gibson, 1984). However, the reality of battles in information networks is relatively recent.

Information warfare certainly encompasses Internet-based espionage. Most Internet-based attacks, at least among those that are suspected of being sponsored by nation-states, have been directed toward espionage. Recent examples include the interception of drone videos and the compromise of defense plans through network hacking.

Information warfare also encompasses disabling or disfiguring attacks on Internet-based resources. Such attacks can compromise network-based operations, for example, by hacking into servers or shutting servers down with denial-of-service attacks. Most of the known instances of this sort of network-based battle have been conducted by unruly groups of hackers from one country who engage in grass-roots, online gang fights with hackers from another country. These ‘hacker wars’ have tended to erupt in the shadow of more explicit conflicts between nation-states, such as military confrontations (Baskerville, 2005).

Whether online attackers have the capability to seriously disrupt civil or military infrastructures beyond the network itself is debatable. Suspicions of online attacks eddy in the wake of almost every major power outage, such as the recent blackouts in Brazil (actually attributed to lightning Lyons, 2009). These recurring suspicions make it difficult to unseat the notions that information attacks could (or have) shut down control networks for utilities, interrupt financial transactions, or shut down telecommunications.

While it is not clear that such attacks are immediate threats to national infrastructures, the prospects are rather severe. The agility that comes with Internet access is luring increasing connectivity. Electricity supervisory control and data acquisition systems ‘SCADA’ , once air-gapped (physically isolated) from the Internet, are gaining Internet connection (Berkowitz, 2003). There are great control benefits that result, such as the ability to manage non-essential electrical loads for conservation. However, with the risk of attack through the Internet, susceptibility increases. The electricity utilities are acting responsibly. For example, in the U.S., compliance with a new version of security standards (North American Electric Reliability Corporation's Critical Infrastructure Protection) becomes mandatory in 2010 (Smith, 2009).

Such security standards, along with those that are already in place in financial systems and communications networks, should provide adequate protection against the known threats from the hoards of independent Internet hackers. However, can this security stand up against a determined, well-financed attack by a cyber corps of military-trained hackers? Perhaps not. However, perhaps this prospect is not the unbearable, repressive future it seems.

Military theorists have a pretty solid grasp on potential strategies for future information battles (e.g., Denning, 1999; Berkowitz, 2003; Hall, 2003; Armistead, 2004). It is also unlikely that there is anything particularly more unlawful about information battles vs other kinds of battles (Darnton, 2003). But it may be too new for us to have developed solid political theory about conducting battles in cyberspace. There is too little experience with such phenomena.

You may find this opinion (from a security old-timer) surprising, but the political availability of information warfare, in its Internet-battle form, is not entirely unattractive. At present, there are essentially three degrees of conflict between powers. The lowest degree of conflict is a political conflict (a cold war). This first degree conflict involves political pressure and politically driven military and economic tension. ‘Information operations’ (a term preferred when there is not a declared war) can play a part is such political conflicts especially through their usage for espionage, disinformation and propaganda purposes.

Powers can escalate a political conflict to an overt economic conflict. An economic conflict goes beyond background economic tensions and imposes embargos, boycotts, and trade sanctions. Unlike political conflicts, which can be quite sub-rosa, true economic conflicts are blatant. As such actions are both blatant and inflict measurable harm on an adversary, the degree of conflict can be considered higher than a political conflict.

A conflict can be escalated to the highest degree as a ‘kinetic war’. In a kinetic war, powers unleash their military units into armed conflict. Kinetic wars are also blatant. As people in kinetic battlefields suffer casualties, the degree of conflict is clearly higher than an economic conflict.

The possibility of information battles gives potential for a new degree of conflict. It is one that is blatant (like economic or kinetic wars). It is one that inflicts measurable harm on an adversary. However, as its casualties are more often information, computers and networks (and the infrastructures these control), it is not quite the high degree of conflict that a kinetic war involves. Yet an information war may include attacks, defenses, and battles. It can temporarily disable national infrastructures, reduce military capability, and impair the ability for governments to govern. It is not quite the same as setting off a bomb, but the effects, at least temporarily, are similar (except there may be no direct casualties). It is a higher degree of conflict than an economic war. See Table 1.

Table 1 Four degrees of conflict between powers

Degree of conflict	Type of conflict
First	Political
Second	Economic
Third	Information
Fourth	Kinetic

These degrees are necessarily cumulative, in the sense that economic conflicts are also necessarily political, and information conflicts are necessarily political and economic. The distinction is in the overt escalation from a degree to a higher degree. Trade sanctions are overt. Information attacks, where these are acknowledged by the attacker, are overt. There is currently no history of ‘declared’ third-degree conflicts simply because powers have not publically admitted making attacks. Accusations abound, but actual admissions are rare, if there are any at all.

Why should the availability of information warfare be attractive? Quite simply, it provides an alternative to kinetic warfare when a struggle between powers becomes too compelling for first or second degree conflict. It could provide a vehicle for conflict escalation that is severe and dramatic, but does not directly involve killing and maiming.

The obvious drawback to the availability of a third degree of conflict is the possibility of the deeper psychological commitment to the conflict that may follow repeated escalation. In other words, taking a third escalation step might so deeply entrench the powers that de-escalation becomes impossible. The antipathy that follows an information war could make escalation to fourth-degree conflict inevitable.

Military strategists tend to operate in terms of an abstract ‘battlespace’ rather than a physical battlefield. It is not difficult to conceive of extending a battlespace into the Internet such that one power executes an overt information attack on another power. While it is certainly appropriate to be concerned about such possibilities, an Internet-based information battle could offer a political alternative to a shooting war. If the world cannot be a place without conflict, then the availability of new alternatives to kinetic warfare might offer some positive value to civilization. Perhaps the information attacks we dread will prove to embody the greatest information systems contribution yet.

In this issue

Six EJIS Associate Editors join me in presenting this issue of EJIS. Editors responsible for leading the peer review panels for this work include Pär Ågerfalk (Uppsala University), Bernd Carsten Stahl (De Montfort University), Gerald Grant (Carleton University), Iris Junglas (University of Houston), Nancy Pouloudi (Athens University of Economics and Business), and Marinos Themistocleous (University of Piraeus).

Three papers in this issue are about information systems planning, while five take on a user or customer perspective. We will offer the three planning-oriented contributions first.

We begin with ‘The Effects of Infrastructure and Policy on E-Business in Latin America and Sub-Saharan Africa’, which regards national IT planning. In this paper, Chitu Okoli of Concordia University, Victor Mbarika of Southern University and A&M College, and Scott McCoy of The College of William and Mary, empirically examine the impacts of national policies and commercial infrastructure on e-business. These impacts, particularly in areas where communications technology is limited and economies are emerging, are often proposed but rarely (if at all) studied empirically. Can efforts at the nation-state level really affect national competition across the Internet? The answer is, of course, ‘yes’, but at the detailed level there are some surprises. For example, it appears broad technology policies are not enough. Policies and infrastructure must focus specifically on e-business to have serious impact.

We will follow with two papers that provide insights from a social-technical perspective on information systems planning. The first of these, by Nicholas Berente of the University of Michigan, Uri Gal of Copenhagen Business School and Youngjin Yoo of Temple University is an interpretive, ethnographic case study. ‘Dressage, Control, and Enterprise Systems: The Case of NASA's Full Cost Initiative’ leads us to recognize that organizational behavior that represents ‘controlling’ and ‘being controlled’ can easily be anticipated with Foucault's concept of dressage. Given that the two fundamental management activities supported by information systems are planning and control. This fascinating study shows how highly sophisticated organizations operate and respond socially to control strategies. This social behavior becomes more evident upon the introduction of an IT artifact meant to improve organizational control (viz, an enterprise system).

The second of these social-technical papers is, ‘When is an information infrastructure? Investigating the emergence of public sector information infrastructures’, by Federico Iannacci of Canterbury Christ Church University and the London School of Economics. Iannacci conducted a case study that involves a recent episode of institutional change within the criminal justice system of England and Wales. Iannacci argues that institutional facts play an important role in the development of information infrastructure. Socio-technical factors such as data standards have long been considered to account for the emergence of information infrastructures, however Iannacci argues that institution facts, such as the shared cognitive frames and imageries have influence on information infrastructure and create iterative sets of constitutive rules jointly with socio-technical factors. This research shows that organizations need to consider institutional context as well as socio-technical factors in development of information infrastructure, which in return produces technology-enabled policymaking that is more clearly and fully aligned with technology lifecycles.

The five papers that regard users operate from various perspectives, including user involvement in design, user adoption, and information consumers.

One paper investigates user involvement in system design. In ‘Eliciting Tacit Knowledge about Requirement Analysis with a Grammar-targeted Interview Method (GIM)’, Michele Zappavigna and Jon Patrick of the University of Sydney, report on an in-depth field study of the aftermath of content management restructuring in an Australian media organization. One important insight from their work is the misplaced value attached to the information systems conceptualization of ‘system requirements’. Their study simply finds the concept is fundamentally flawed, and is more appropriately replaced by ‘users’ requirements’.

Two papers are more oriented toward user adoption. In the first, ‘User Experience, Satisfaction and Continual Use Intention of IT’, Liqiong Deng, Douglas Turner, and Brad Prince of University of West Georgia and Bob Gehling of Auburn University at Montgomery provide a survey study that investigates how user experience with the use of IT affects user satisfaction and continued usage intention of IT. User satisfaction is an important factor that affects the continued usage decision and user retention of IT; nonetheless, there are multiple dimensions, the paper argues, which drive user satisfaction, such as perceived utilitarian performance, expectation disconfirmation, and perceived hedonic performance. Continued usage decision is affected by not only instrumental qualities (e.g., functionalities) but also non-instrumental qualities (intrinsic pleasure). Cognitive absorption, a positive and highly enjoyable experience immersed in the interaction with IT, represents an overall post-adoption experience and use of IT. Cognitive absorption is an important antecedent of the determinants of user satisfaction and also has a direct influence on user satisfaction which eventually positively affects continued usage decision.

The second paper with an adoption orientation is ‘Continued Use of Process Modeling Grammars: The Impact of Individual Difference Factors’. Jan Recker of Queensland University of Technology investigates the factors that influence the continued usage of process-modeling grammars. A theoretical model that incorporates determinants of continued usage behavior as well as key antecedent individual difference factors is tested through a global survey of 529 process-modeling grammar users. Post-adoptive usage behavior of process-modeling grammars is explained by the determinants drawn from the Technology Acceptance Model and the Expectation Confirmation Theory. Furthermore, this study manifests the individual differences as key antecedents that affect the determinants of post-adoptive usage behavior arguing that individual differences, such as modeling experience, modeling background, and perceived grammar familiarity have a significant influence on the users’ willingness to continue to use a process modeling grammar after its initial adoption.

Our final two papers regard users who are also consumers of online services. The first of these is ‘Expectations and Outcomes in Electronic Identity Management: The Role of Trust and Public Value’, by Philip Seltsikas and Bob O’Keefe of the University of Surrey. They explore the identity management problem confronting governments today. In their study, they collected data from 270 respondents from 17 European governments plus the U.S., Canada, and New Zealand. They found that trust is a central goal and risk mitigation is a central activity. However, it was clear in this study that sustaining the trust of the citizenry is made more critical because there are no alternative service providers (there is only one government).

The last paper in this issue is ‘My Social Networking Profile: Copy, Resemblance, or Simulacrum?’ In this paper, David Kreps of the University of Salford creates a stimulating essay in which the newest socially technological revolution, that of social networking, is presented as a philosophical revolution as well. Kreps argues that an individual user is not a being represented in an online social network. Rather, multiple beings are present: each shaping and being shaped by its possible forms; each shaping and being shaped by the others; each emerging as a social stream of change. A society is composed of beings that are different in many ways. This difference itself may be socially shaped. This raises the rather satisfying notion that the being that inhabits social networking sites like facebook socializes with other beings in facebook, shaping and being shaped by its society. Moreover, this socialization of social network beings extends to the beings beyond the network context; beings we might think of as the ‘real person’. Indeed, the concept of a real person has only a debatably marginal claim to the status of being ‘more real’ than the beings inhabiting the social networks.

This is an exciting collection of papers, and I trust you will enjoy reading them.

Acknowledgements

I would like to thank Jong Seok Lee of Georgia State University who helped me with writing the summaries of the papers in this issue.