Close relationships in cyberspace, as in real life, can make either partner more vulnerable. A relationship, solely by virtue of the value it brings to its partners, may be attacked by competitors of each. Third parties can exploit weaknesses in one to get at others. More insidiously but, fortunately, less commonly, one partner may exploit the relationship to wend its way into – and from that vantage point, to assault – the systems of partners.

Love and war, so famously mated in fiction, find echo in cyberspace. Here one asks: by what means, and with what effect?

Do the Walls Really Come Down?

Two organizations that would exchange information on a continual basis can most seamlessly do so by merging their respective systems, thereby creating a common cyberspace so that members of one gain full access to the resources, data, and applications of the other.

Yet, with all the risks of intimacy that arise from unprotected networking, are enterprises so likely to lower their barriers entirely? Furthermore, is it that necessary? After all, internal barriers are routine even within single organizations. Rightly or wrongly, many organizations maintain a hierarchy of privilege with respect to seeing information. Others adopt compartmentation in the belief that any sufficiently interesting piece of information known to enough people within an organization is bound to be known to the wrong person outside of it. Similarly, any corruptible systems process accessible to enough people on the inside will eventually become corrupted.

Information at rest can be destroyed if its owners have failed to back it up. Information in motion can also be halted by attacks on communications system. There is yet one more way to destroy information, and that is by doing so indirectly. The bits, as it were, are untouched. But the credibility of the information is ruined by adding false information to it to the point where the victim must choose between misinformation (believing what is not true) or disinformation (being unable to believe what is true). Here, we argue, is the essential character of information warfare, something entirely consistent with the theory of information.

Information theory, for its part, was invented nearly sixty years ago by Claude Shannon asking how much information can be extracted from a signal. In digital terms, if every bit is guaranteed to arrive error-free, then every bit can contain information. If some known percentage of bits is randomly flipped, the amount of reliable information in the bit-stream would be reduced. There are techniques (such as trellis encoding) that can, by adding bits, increase the confidence that one can recover the original signal, but they reduce the ratio of signal to bits transmitted, cannot restore 100 percent confidence, and require that the distribution of flipped bits be random and their expected error rate be more or less known. Randomly flipped bits can be seen as noise.

Two thought experiments may help flesh out the idea that an enterprise – in these cases, a nation – can exercise great influence by creating an enterprise cyberspace that persuades others to link up, join in, and follow along. One is built around a U. S. database of geospatial data. The other is a global identification system, putatively motivated by the desire to detect terrorists.

In presenting these cases, we make no claim that U. S. influence on the world in these realms could or should be exercised solely through cyberspace. The general edge that U. S. companies have in the satellite construction, software, and even biometrics would lend them influence without it. The size of the U. S. economy and the size of its national security investments alone would lend it considerable influence in setting the patterns for such systems.

Nor is either prospect necessarily likely. Concepts of information sharing – that lately discovered virtue – that underlie the discussion about geospatial data run antithetical to the everyday norms of the intelligence community, which owns the data. Similarly, despite polls taken in the wake of September 11, 2001, that showed substantial majorities of the public in favor of a national ID system, opposition to such a notion is visceral and the Bush administration has gone out of its way to deny having any such thoughts.

Cyberspace lends itself to policy questions of the sort applicable to other media. How can one best use power in this medium to do unto others? How can one best maneuver in this medium to prevent being done unto? Insofar as conquest in cyberspace has hostile and friendly vectors, these two policy questions turn out to be four:

• How can the method of hostile conquest be used wisely?

• How can countries ensure that others cannot conquer those parts of cyberspace they deem worth protecting?

• How can a country best pursue its interests by exercising friendly influence through cyberspace?

• How can a country best resist the friendly accretion of unwarranted influence in cyberspace by others?

The first question can be interpreted as one of command and control, strategies, operations, techniques, and tools. Information warfare is not without its conceptual problems, such as the ability to define legitimate targets – but so are other domains.

The second question requires first determining what it is that must be defended and why. No one doubts that it is a government responsibility to defend Pittsburgh against Iranian missiles or chemical clouds; the good burghers are not expected to take this upon themselves. But, in cyberspace there are limits on what governments should be expected to contribute the common defense.

Computer hacking exists and its effects are not always trivial. Writers of viruses and worms can also annoy a great number of people. Authors of similar malware have succeeded in collectively turning millions of computers into zombies, programmed to spam Web sites or mailboxes on command. Hackers have stolen such personal information as credit-card or social security numbers from feckless owners of databases. Intelligence agencies have registered a fair amount of success trolling in files and pulling out interesting albeit generally random pieces of information. Indeed, one can state with a great deal of confidence that any information system connected to the Internet that gives access to enough trusted people, such as employees, can be tricked into giving the same access to a hacker; it only takes one sloppy user to open the door inadvertently. As long as hackers are not terribly fussy about who they annoy, whose machine they take over, or whose identity they acquire, they can always find some weak links out there.

All this, though, remains a far cry from getting a specific system to do what you want it to do, which is the sine qua non of using information warfare for strategic effect. Granted, the ability to exacerbate the usual chaos in an adversary's economy or military can be advantageous only if used sparingly and wisely. But if that were all one could expect from information warfare, it would hardly rate the attention it has received both in the press and in the Pentagon.

Does cyberspace matter? Can societies deprived of their ability to use the commons of cyberspace (such as the routing infrastructure and standard software) nevertheless thrive unbowed?

It may be silly to conjure images of the horrors that would attend seeing the United States suddenly being thrown back to the primitive conditions of 1995, or, for most of the rest of the world, 2005. Yet, any topic that deals with war must be accorded at least a moment of seriousness. To ask whether cyberspace is the new high ground is just the latest version the age-old question: which medium dominates war? For example, did Britain's control of the seas prove decisive in World War I against a continental Germany? Does air superiority win ground campaigns?

The best answer to corresponding questions about cyberspace is neither “yes” nor “no” but “more so every day.” This appendix lays out some key vectors of technology to illustrate both the changing nature of cyberspace and its increasing pervasiveness in the real world. Understandably, the tendency to extrapolate infinitely from the bright past has gotten many people into financial trouble, especially those invested in dot-coms. Yet, while stock markets rise and fall, and consumer tastes can be fickle, technology is well nigh inexorable.

Even in the highly unlikely event that microprocessors never get faster (and they have not gotten much faster since 2002), the eventual retirement of all slower microprocessors in favor of new ones will raise the average speed of the entire stock of computers.

Information systems, the basis of cyberspace, are powerful and hence valuable. But they are also complex and hence often incomprehensible. As tools they should be subject to our mastery. But do we really control them? Even our stand-alone systems may arrive corrupted or may become corrupted through something they ingest. Connect them to the world, whether by yesterday's floppy disks or today's networks, and our fears multiply – and not without justification. Will these systems be available to do our bidding when asked – or will they sicken with viruses or drown in spam? Will information we entrust to our systems stay put or follow some Pied Piper out of town? Can we even be sure that the information they present to us has not been tampered with?

This combination of growing dependence and ever-shaky confidence in our control over information systems has given rise, since the early 1990s, to a new type of threat, and conversely and consequently a new branch of the military art: information warfare. Information warfare is often epitomized by hostile operations in cyberspace although, as explained shortly, it can take place in other ways.

This, the first of four chapters on hostile operations in cyberspace, builds an archetype of information warfare and then works backward to its epitome – computer network attack. Embedding computer network attack within a broader context of information warfare provides a sense of where it stands within the whole military milieu.

In these early decades of the information age, the flow of information is becoming more and more central to our daily lives. It has therefore become important that information transmission be protected against eavesdropping (as, for example, when one sends credit card information over the Internet) and against noise (which might occur in a cell phone transmission, or when a compact disk is accidentally scratched). Though most of us depend on schemes that protect information in these ways, most of us also have a rather limited understanding of how this protection is done. Part of the aim of this book is to introduce the basic concepts underlying this endeavor.

Besides its practical significance, it happens that the subject of protecting information is intimately related to a number of central ideas in mathematics and computer science, and also, perhaps surprisingly, in physics. Thus in addition to its significance for society, the subject provides an ideal context for bringing ideas from these disciplines together. This interdisciplinarity is part of what has attracted us to the subject, and we hope it will appeal to the reader as well.

Among undergraduate texts on coding or cryptography, this book is unusual in its inclusion of quantum physics and the emerging technology of quantum information. Quantum cryptography, in which an eavesdropper is detected by his or her unavoidable disturbance of delicate quantum signals, was proposed in the 1980s and since then has been investigated and developed in a number of laboratories around the world.

The early twentieth century was a revolutionary time in the history of physics. People often think of Einstein's special theory of relativity of 1905, which changed our conceptions of time and space. But among physicists, quantum mechanics is usually regarded as an even more radical change in our thinking about the physical world. Quantum mechanics, which was developed between 1900 and 1926, began as a theory of atoms and light but has now become the framework in terms of which all basic physical theories are expected to be cast. We need quantum ideas not only to understand atoms, molecules, and elementary particles, but also to understand the electronic properties of solids and even certain astronomical phenomena such as the stability of white dwarf stars. The theory was radical in part because it introduced probabilistic behavior as a fundamental aspect of the world, but even more because it seems to allow mutually exclusive situations to exist simultaneously in a “quantum superposition.” We will see later that the possibility of quantum superposition is largely responsible for a quantum computer's distinctive advantage over an ordinary computer. The present chapter is devoted to introducing the basic principles of quantum mechanics.

There are essentially four components of the mathematical structure of quantum mechanics. We need to know how to represent (i) states, (ii) measurements, (iii) reversible transformations, and (iv) composite systems. We will develop the first three in stages, starting with a very simple case – linear polarization of photons – and working toward the most general case.

Recall that in the Bennett–Brassard key distribution scheme, after Alice and Bob have obtained bit strings that ideally are supposed to be identical, they have to do some further processing to make sure they end up with strings that really are identical. Our first goal in this chapter is to show how they can do this.

As you might expect, we will use error-correcting codes of the sort we have been discussing in the preceding chapter. However, the way we use error-correcting codes in quantum key distribution is not quite the same as in classical communication. Normally, one corrects errors by encoding one's message into special codewords that are sufficiently different from each other that they will still be distinguishable after passing through a noisy channel. But in quantum key distribution the “noise” of the channel might actually be the effect of an eavesdropper who is free to manipulate the signals sent by Alice. Ordinary error correction is not designed for such a setting. So instead of using codewords to encode the original transmission, we wait until all the bits have been sent and then use an error-correcting code after the fact. In this respect error correction in quantum key distribution is similar to the use of an error-correcting code in the “hat problem” discussed at the end of Chapter 4. There also, the error-correcting code is applied only after all the data – in that case the vector of hat colors – has been generated and conveyed to the participants.

In the preceding chapter we mentioned the inevitable errors that occur when one tries to send quantum signals over, say, an optical fiber, even when there is no eavesdropper. But errors in transmission are not a problem just for quantum cryptography. For this entire chapter we forget about sending quantum information and instead focus on simply transmitting ordinary data faithfully over some kind of channel. Moreover, we assume that the data either is not sensitive or has already been encrypted. Unfortunately, many methods for transmitting data are susceptible to outside influences that can cause errors. How do we protect information from these errors? Error-correcting codes provide a mathematical method of not only detecting these errors, but also correcting them. Nowadays error-correcting codes are ubiquitous; they are used, for example, in cell-phone transmissions and satellite links, in the representation of music on a compact disk, and even in the bar codes in grocery stores.

The story of modern error-correcting codes began with Claude Shannon's famous paper “A Mathematical Theory of Communication,” which was published in 1948. Shannon worked for Bell Labs where he specialized in finding solutions to problems that arose in telephone communication. Quite naturally, he started considering ways to correct errors that occurred when information was transmitted over phone lines. Richard Hamming, who also worked at Bell Labs on this problem, published a groundbreaking paper in 1950 on the subject.

As we have said, quantum mechanics has become the standard framework for most of what is done in physics and indeed has played this role for three-quarters of a century. For just as long, physicists and philosophers have, as we have already suggested, raised and discussed questions about the interpretation of quantum mechanics: Why do we single out measurement as a special kind of interaction that evokes a probabilistic, irreversible response from nature, when other kinds of interaction cause deterministic, reversible changes? How should we talk about quantum superpositions? What does entanglement tell us about the nature of reality? These are interesting questions and researchers still argue about the answers. However, in the last couple of decades researchers have also been thinking along the following line: Let us accept that quantum objects act in weird ways, and see if we can use this weirdness technologically. The two best examples of potential uses of quantum weirdness are quantum computation and quantum cryptography.

One of the first quantum cryptographic schemes to appear in the literature, and the only one we consider in detail in this book, was introduced by Charles Bennett and Gilles Brassard in 1984. Their idea is not to use quantum signals directly to convey secret information. Rather, they suggest using quantum signals to generate a secret cryptographic key shared between two parties. Thus the Bennett–Brassard scheme is an example of “quantum key distribution.”