Opening Statement of Rand Waltzman
Senate Armed Services Committee Cyber Subcommittee
Cyber Enabled Information Operations
To start with, I would like to tell you a story. In March 2006 in Iraq, a battalion of US Special Forces fought with a Jaish al-Mahdi death squad. Our soldiers killed 16 of theirs, captured 16, destroyed a large weapons cache, freed a badly beaten hostage and headed back to base. Sounds like a successful operation except for one small detail. After our guys left the scene, the Jaish al-Mahdi fighters cleaned up the scene, arranged their fallen comrades on prayer mats and made it look like they were murdered unarmed and in the middle of prayer. They posted pictures of the scene together with press releases in Arabic and English on the Internet within an hour of our guys leaving the scene. By the time our troops got back to their base, it was a done deal. They were defeated by an information operation that resulted from quick and decisive action on the part of the remnants of the Jaish al-Mahdi death squad. Even though our soldiers filmed everything they did and had proof that the posted pictures and press releases were fake, it took the Army three days to post any kind of response. And in Internet time, it may as well have been a million years. It was game over – the damage had been done. The Army launched an investigation and for 30 days the Special Forces unit was benched. This was a psychological defeat. The question you should be asking yourselves now is “how did these physically inferior forces manage to pull this off so quickly and manage to put our troops out of commission for a whole month?”
Operations in the information environment are starting to play a dominant role in everything from politics to terrorism to geopolitical warfare and even business – all things that are becoming increasingly dependent on the use of techniques of mass manipulation. These operations are complicated by the fact that in the modern information environment they occur at a speed and extent previously unimaginable. Traditional cyber security is all about defense of the information infrastructure. But that does not provide much help against use of the infrastructure to influence and manipulate entire populations. That problem requires a different approach and a different set of supporting technologies. I call these collectively Cognitive Security. To emphasize the difference, consider a classical denial of service attack. In this kind of attack, the object is to bring down a computer server by overloading it with a lot of content-free messages. And there are known defenses against this type of attack. Compare this to a Cognitive denial of service attack. As an example, demonstrators in the 2011 Russian election were going to hold a demonstration in Triumfalnaya Square in Moscow. The plan was to organize the demonstration using Twitter. Demonstrators would know how to find the Tweets containing the organizers’ instructions because they contained the code word #Triumfalnaya. The pro-government forces found out about this and, using automated techniques, began to generate 10 messages per second of junk Tweets using the same code word. There were not enough messages to overload the Twitter server, but it did produce a cognitive overload on the demonstrators, bringing the whole process to its knees.
To make Cognitive Security a reality and counter the growing threat in the information environment, I suggest a strategy consisting of two basic actions. First is the establishment of a Center of Excellence in Cognitive Security. This would be a non-profit, non-partisan, non-governmental organization devoted to research, development and education in policies, technologies and techniques of information operations. The Center would not be operational, but rather set research and development agendas and provide training and advice to those of the communities it will serve. Second is a study conducted by an organization like the Office of Net Assessment. The study would answer three fundamental questions: (1) What are the laws and policies that currently make operations in the information environment difficult to impossible, including problems of authorities? (2) How can those laws and policies be updated to support the realities of the modern information environment? (3) What kind of organizational structure is needed to manage Cognitive Security?
Further details are available in my written testimony at: