Unleashing the U.S. Military’s Thinking about Cyber Power

In February 2021, a cyber attacker tried to poison the water in Oldsmar, Florida. The hacker gained access to a program used to control a water treatment plant and attempted to increase the amount of lye, which is used to regulate pH levels, in the water to unsafe levels. An alert plant operator saw his mouse moving on its own and stopped the attack. Similar unsuccessful attacks have occurred in Israel, the San Francisco Bay Area, and Ellsworth, Kansas. In October 2021, the Cybersecurity & Infrastructure Security Agency issued an alert regarding ongoing cyber threats to U.S. water and wastewater systems.

This is an example of a cyber attack with physical effects made possible by manipulation of computers that are increasingly used as controllers of machines, physical systems, and processes. Proof-of-concept “cyber-physical” attacks have been conducted on generators, cars, cranes, and satellites. Attackers can commandeer systems or cause physical damage, as demonstrated by the STUXNET worm, which was used to damage Iran’s uranium enrichment centrifuges and slow the enrichment process. And as the attacks on water systems illustrate, they could even cause bodily harm.

That computer controllers can be attacked is not news to the U.S. Department of Defense. A 1997 exercise demonstrated the vulnerability of critical infrastructure and military control centers to cyber attacks. The President’s Commission on Critical Infrastructure Protection warned in its follow-on report: “Today, the right command sent over a network to a power generating station’s control computer could be just as devastating as a backpack full of explosives, and the perpetrator would be more difficult to identify and apprehend.”

Military thinking about computers and networks began as part of a broader discussion of information in war that included both information for humans and signals for machines. Joint doctrine continues to tie cyber power to that discussion even as information was gradually narrowed to focus on information for humans, leaving cyber attacks with physical effects, like those on the water treatment plants, out of the discussion. Filing cyber power under “information” risks shaping how commanders understand what cyber power can do, how the military organizes itself to exercise cyber power, and where and how cyber power is included in planning and exercises. To ensure that the Department of Defense is poised to exploit and defend against the full range of cyber capabilities, cyber power should be considered independently of the broader discussion of information.

 Defining Information War

In the beginning, the discussion of “information” in “information war” included signals intended for humans and machines. In 1975, Thomas Rona, an electrical engineer for the Boeing Aerospace Company, wrote a paper for the Department of Defense’s Office of Net Assessment titled Weapons Systems and Information War. Rona explained that modern weapons systems were increasingly dependent on external communications links such as command and control links, navigation information, and sensors. These links were vulnerable to attack and the fight to protect or compromise them is what Rona termed “information war.”

Rona’s definition of “information” was an engineer’s, rooted in Claude Shannon’s information theory. He defined “information” as electrical, optical, acoustic, or fluid signals that “convey the state of, or the inputs available to, a given subsystem to others.” Information was an input to both human and “automated decision making,” in which a signal was processed to produce an output according to a set of rules — a definition that includes an analog electronic circuit. In “information war,” an attack could involve deceiving a human, spoofing or jamming a signal, or physically destroying a machine.

The Department of Defense formally introduced the idea of “information warfare” in a classified instruction in 1992. Its concept, like Rona’s, included information for both people and machines. A 1996 public brochure defined information warfare as involving “actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one’s own.” Information warfare, in this understanding, “targets and protects information, information transfer links, information gathering and processing nodes, and human decisional interaction with information systems.”

From Systems and Processes to Decision-Making

In 1996, the Department of Defense replaced the instruction on information warfare with an instruction on “information operations” to widen the focus on information to other agencies and perhaps to assuage concerns that the Pentagon was seeking to militarize the Internet.

In 1998, the first joint doctrine on information operations was published. The doctrine stated that information operations seek to “affect the information-based process, whether human or automated. Such information dependent processes range from National Command Authorities-level decision making to the automated control of key commercial infrastructures such as telecommunications and electric power.” “Information warfare” was redefined as a special case of information operations during crisis or conflict.

Information operations protected or exploited “the information environment,” defined as “[t]he aggregate of individuals, organizations, or systems that collect, process, or disseminate information; also included is the information itself.” Although the internet had not yet been invented when Rona wrote, the doctrine recognized “computer network attack” as an important capability for information operations, as well as operations security, military deception, psychological operations, electronic warfare, physical attack and destruction, and special information operations.

The doctrine’s definitions of “information” and “data” were drawn from the Department of Defense dictionary. These were also double-barreled, applying to humans and machines. The Department of Defense dictionary defined “information” as follows: “1. Facts, data, or instructions in any medium or form. 2. The meaning that a human assigns to data by means of the known conventions used in their representation.” Data was defined as a “[r]epresentation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or automatic means. Any representations such as characters or analog quantities to which meaning is or might be assigned.”

In 2006, joint doctrine on information operations was revised. The term “information warfare” was removed from joint doctrine altogether. “Information operations” were redefined to focus on human and automated decision-making, rather than systems and processes. “Computer network operations” were listed as a “core capability” of information operations along with electronic warfare, computer network operations, psychological operations, military deception, and operations security. This revision subordinated computers and networks to information operations.

Information Operations: Now Just for Humans

But computers and networks began to take on a life of their own. In 2000, the Joint Chiefs of Staff named “information” as a “domain” of warfare, but the 2004 National Military Strategy listed “cyberspace,” rather than “information,” as a “domain” of conflict, referencing “threats in cyberspace aimed at networks and data critical to [U.S.] information-enabled systems.” In 2008, the White House produced the Comprehensive National Cybersecurity Initiative to coordinate cyber policy across the interagency process. The Department of Defense dictionary defined “cyberspace” as “[a] global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” In May 2010, the National Security Strategy listed “secure cyberspace” among the nation’s security objectives and identified “cyber” as a “domain,” along with land, air, sea, and space, pointing to the cyber vulnerabilities of critical infrastructure such as electric grids. U.S. Cyber Command became operational the same month. In 2011, the Department of Defense released a strategy for operating in cyberspace. It explicitly referenced the dependence of the “security and effective operation of U.S. critical infrastructure” on “cyberspace, industrial control systems, and information technology that may be vulnerable to disruption or exploitation.”

Between 2012 and 2014, joint doctrine on information operations was revised and information operations and cyberspace operations were differentiated. In 2012, joint doctrine on information operations, which the Pentagon felt had proved to be too broad, was revised and the concept narrowed. References to “automated decision making” were dropped. The doctrine now focused on operations to influence human “target audiences,” such as “allies, multinational partners, adversaries, or potential adversaries.” (Although this is often the ultimate objective of warfare, which would suggest that everything done in war and much of what is done in competition is an “information operation,” the doctrine appears to focus on more proximate effects.)

The doctrine also revised the relationship between computers and networks and information operations. “Computer network operations” were no longer listed as a core capability. Instead, they are one of many “information-related capabilities” that are integrated to influence target audience decision-making by shaping the information provided to them or from them. Other capabilities include strategic communication, interagency coordination, public affairs, civil-military operations, information assurance, space operations, military information support operations, intelligence, military deception, operations security, special technical operations, electromagnetic spectrum operations, and key leader engagement. In a tacit recognition of non-informational cyber effects, the doctrine stated that cyberspace operations “when in support of [information operations], deny or manipulate adversary or potential adversary decision making.”

The glossary offered no definition of “information,” and the definition of “information” was also removed from the Department of Defense dictionary. The definition of “data” would be gone by 2013. But in the doctrine on information operations, “information” was redefined as “data in context to inform or provide meaning for action,” while “data” was defined as “interpreted signals that reduce uncertainty or equivocality.” Consistent with influence operations, these definitions suggest that information and data are for human audiences who are informed, find meaning, interpret, or are uncertain or equivocal. The redefinition of “information operations” as operations designed to influence human decisions, maintained in revisions in 2014, and the deletion of the double-barreled definition of “information,” left a doctrinal vacuum with respect to cyber-physical effects.

Cyber-Physical Effects as Afterthought

In 2013, the first joint doctrine for cyberspace operations was issued. It was declassified and published in 2014 and revised in 2018.

Joint doctrine continues to subordinate thinking about cyberspace to the concept of information although it offers no definition of “information.” It defines cyberspace as “a global domain within the information environment.” Cyberspace is “wholly contained within the information environment” because “all [cyberspace operations] require the creation, processing, storage, and/or transmission of information.” It is a “medium through which other information activities and capabilities may operate,” including supporting automated decision-making. It refers to cyberspace operations as an “information activity and capability.” However, it also notes that cyberspace operations are not limited to information-specific objectives, but they can produce physical effects, including affecting weapon systems and command and control processes, and may rise to the level of use of force. This is hard to square with current definitions. It may harken back to a pre-2012 understanding of “information” and “information operations.”

In short, cyber power in joint doctrine is tethered to information operations and filed under the conceptual header of “information,” but “information” is no longer defined to include signals intended for machines. Cyber-physical effects are acknowledged in joint doctrine on cyberspace operations but receive comparatively little attention.

The Department of Defense is still using “information” as a unifying concept, although there is no consensus on what the word means. In 2017, the Joint Chiefs of Staff named information as a “joint function” to encourage the grouping of functionally related capabilities. The services have their own organizations under “information” headings, although the emphasis appears to be less a top-down exercise in conceptual purity than a bottom-up effort to eliminate stovepiping and capture the benefits of tighter integration of various capabilities — including cyber power. The Air Force defines “information warfare” as “the employment of military capabilities in and through the information environment to deliberately affect adversary human and system behavior and to preserve friendly freedom of action during cooperation, competition, and armed conflict” in order “to influence or change perceptions, actions, and behaviors in a manner that is consistent with [U.S.] interests.” The Sixteenth Air Force seeks “convergence” of weather, public affairs, cyberspace operations, electronic warfare, information operations, and intelligence, reconnaissance, and surveillance. The Navy stood up the Information Warfare Enterprise to “advance, align, deliver, support and sustain [information warfare] capabilities.” It defines “information warfare” as “[t]he integrated employment of the Navy’s information-based capabilities (communications, networks, intelligence, meteorology, oceanography, cryptology, electronic warfare, cyberspace operations, and space) to degrade, deny, deceive or destroy the enemy’s warfighting capabilities, or to enhance the effectiveness of friendly operations across all domains.” The Marine Corps created Marine Expeditionary Force Information Groups, integrating cyber, signals intelligence, electronic warfare, and information operations. The Army moved away from “information warfare” and is developing the concept of “information advantage,” currently considered to include five major tasks: “enabling decision-making; protecting friendly information; informing and educating domestic audiences; informing and influencing international audiences; and conducting information warfare.”

No More Cyber Football

Doctrine is a jump-off point for military thinking, not a limiter. It can lag rather than lead. But it is a mistake to underestimate its importance as both a record and driver of concepts and organization. In this case, it chronicles more than 20 years of Department of Defense efforts to make the intellectually useful concept of “information” into one that is organizationally useful. Overbroad concepts and the organizations built on them are unwieldy. But narrowing the scope risks excluding capabilities. Thinking about cyber power has historically been hostage to this discussion.

Rather than insisting that cyber is an information-related capability in the information environment, it might be better to untether cyber power from the broader conversation about information. This is especially true because the everyday use of the term “information” is narrower than Rona’s and may lead commanders to overlook cyber-physical capabilities.

Then it should be possible to take a fresh look at the full range of cyber capabilities and effects to develop concepts for them and consider how they are best organized and manned, and how and where they should be integrated in planning and exercises. Cyber-physical operations may differ from cyber influence operations, including the circumstances under which they are likely to be used, the risk they pose to civilians, their legal implications, the way in which they would be integrated into planning and exercises, and their staffing (e.g., perhaps electrical engineers and scientists rather than psychologists or public affairs specialists). It may be that they require different specializations and enabling organizational structures.

Joint doctrine is ever evolving and new doctrine on information may soon emerge. It should not inadvertently create blind spots by marginalizing thinking about cyber-physical effects.

M.A. Thomas is a research professor of cyber warfare and strategy at the Air Force Cyber College. She holds a B.A. in computer and information science from the University of California, Santa Cruz, a J.D. from the University of California, Berkeley, and a Ph.D. in political economy and government from Harvard University.

Opinions, conclusions, and recommendations expressed or implied within are solely those of the author and do not necessarily represent the views of the Air University, the United States Air Force, the Department of Defense, or any other U.S. government agency.

Photo by J.M. Eddins Jr.