WARNING!

The views expressed in FMSO publications and reports are those of the authors and
do not necessarily represent the official policy or position of the Department of the Army, Department of Defense, or the U.S. Government.


Information Security Thinking: A Comparison Of U.S., Russian, And Chinese Concepts

by Mr. Timothy L. Thomas, Foreign Military Studies Office, Fort Leavenworth, KS.
July 2001

This article was previously published in
The Science and culture Series
Nuclear Strategy and Peace Technology
International Seminar on Nuclear War and Planetary Emergencies

August 2001
Pages 344-358

Introduction

The advent of the information age forced many nations to reexamine their security procedures. As a result of the new and overwhelming dependence of critical infrastructure on information systems, information security is a priority concern to governments everywhere. However, not every nation has interpreted this concern in the same fashion, nor at the same pace.

Russia, for example, is ahead of everyone. It has produced an Information Security Doctrine that includes the security of the state, society and the individual in its evaluation of information security threats. This paradigm allows Russian security managers to consider information threats to citizens (their cultural, spiritual and psychological well-being) as well as to critical technologies and resources. Perhaps for this reason Russia’s military doctrine lists external threats as information-psychological and information-technical issues. China has also been affected by the information age. It is concerned with influential technologies that might be used as a form of virtual deception or influence. The Internet is the focus of most of China’s concern, most likely because it offers information that the Chinese government cannot control completely at this time. At the same time, China has an information technology security plan known as Plan 863, and established a Ministry of Information. China has not produced an information security doctrine or related document of which the author is aware. The U.S., while considering psychological operations as a key sub-element of information operations, relegates less attention to the information threat to the minds of its citizens. Rather, U.S. legislation and rights/acts (human rights, freedom of the press, speech, etc.) provide cover for its citizens in this field. The U.S. focuses on critical infrastructure protection instead of technologies and resources as the Russians. The U.S. seldom uses the term “information security” when discussing cyber-based threats in official documents.

A brief look at how these three nations define information security supports this broad overview. The U.S. published two Presidential Decision Directives (PDDs) to counter information age threats to U.S. systems and its population, PDD-63 and PDD-68. PDD-63 focuses on critical infrastructure protection. The 22 May 1998 PDD-63 White Paper describes the growing vulnerability to U.S. cyber-based systems, and establishes a series of steps to counter this vulnerability. These steps are to be in place by 2003, and include the analysis of foreign cyber/information warfare threats. The directive mentions the term information security only twice, and then only in regard to public outreach programs.[1] PDD-68 coordinates U.S. efforts to promulgate its policies and counteract bad press abroad. This directive created the International Public Information (IPI) group to coordinate the identification of hostile foreign propaganda and deception techniques that target the U.S., according to the group's charter.[2] The focus is hostile information programs that might not be truthful. The directive does not characterize its actions as information security related. To find a U.S. definition of information security, one must turn to the military. Joint Publication 3-13, Joint Doctrine for Information Operations, defines information security as “the protection and defense of information and information systems against unauthorized access or modification of information, whether in storage, processing, or transit, and against denial of service to authorized users. Information security includes those measures necessary to detect, document, and counter such threats. Information security is composed of computer security and communications security. Also called INFOSEC.”[3]

Russia has a number of definitions for information security, perhaps because they have thought more about this subject than other nations due to their loss of ideology when the Soviet Union dissolved in 1991. Russia's September 2000 Information Security Doctrine defines information security as "the state of protection of its national interests in the information sphere defined by the totality of balanced interests of the individual, society, and the state." Just a few months earlier, in a May 2000 United Nations resolution, Russia defined information security somewhat differently as the "protection of the basic interests of the individual, society and the state in the information sphere, including the information and telecommunications infrastructure and information per se with respect to its characteristics, such as integrity, objectivity, availability, and confidentiality." The Russian Academy of Natural Sciences defined the term as “the protection of the information medium of the individual, society and the state from deliberate and accidental threats and effects.”[4]  Information security, yet another source adds, is connected with information and its material carriers: the mind of a person and other carriers of information (books, disks, and other forms of “memory”).[5] Thus, differently than the U.S., Russia views both the mind and information systems as integral parts of its concept of information security.

Chinese academician Shen Changxiang, of the Chinese Academy of Engineering, defined information security in the People’s Liberation Army’s (PLA) newspaper of the General Political Department (the PLA Daily): “[information security] refers to the prevention of any leakage of information when it is generated, transmitted, used, and stored so that its usefulness, secrecy, integrity, and authenticity can be preserved; and so that the reliability and controllability of the information system can be ensured.”[6]  State Council member Shen Weiguang notes that information warfare (IW) is brain warfare. According to official Chinese sources, the Internet has the capability to manipulate information, the truth, and the moral-psychological state of Chinese citizens. China realizes that the Internet cannot be controlled, and is thus a concern to the government. Thus China appears more like Russia than the U.S. in its understanding of information security, with its emphasis on the mental aspect of information security and its extended use of the term itself.

This paper briefly examines the information security policies of the three countries noted. There are both narrow and broad approaches to the subject, and situational context, culture, and history are the real forces that differentiate national approaches. An understanding of each country’s concerns and their paradigm for interpreting information security can potentially alleviate misunderstanding in future international discussions among nations over this concept.

U.S. Views on Information Security

With regard to information technology and critical infrastructure protection, PDD-63 demonstrated that the U.S. is very interested in establishing an “infrastructure to protect the infrastructure.” The document builds on the recommendations from the October 1997 President’s Commission on Critical Infrastructure Protection. PDD-63 opens by describing the growing potential vulnerability to America’s cyber infrastructure, and then states the President’s intent, the national goal, and the public-private partnership to reduce these vulnerabilities. Next general guidelines are issued, and then a structure and organization to meet the challenge are introduced (which included lead agencies for sector liaison, lead agencies for special functions, interagency coordination, and the appointment of a National Infrastructure Assurance Council). Tasks included:

A National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism is responsible for coordinating the implementation of the directive. This person will also chair the Critical Infrastructure Coordination Group (CICG). Further, the President authorized the FBI to create a National Infrastructure Protection Center (NIPC). This organization shall serve as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. Finally, the national coordinator will encourage the creation of a private sector information sharing and analysis center (ISAC). The center would be the mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC, and could transmit NIPC information the other way.[8] However, throughout the PDD-63 White Paper, only twice (and not in the main section) is the term “information security” used.

U.S. civilian agencies seldom use the term “information security.” For example, in a computer search of Congressional committees and bills produced by the 107th Congress, there are four hits for the term “information security”: the Computer Security Enhancement Act of 2001; the FBI Reform Commission Act of 2001; the E-Government Act of 2001; and the bill “To revise, codify, and enact without substantive change certain general and permanent laws, related to public buildings, property, and works, as title 40, United States Code, ‘Public…”.  None of these address psychological security or manipulating the emotions or logic of individuals via information. Searches for the terms information-psychological security, and psychological security in the 50 bills of the 107th Congress resulted in zero hits.

Again, one has to turn to the military to find the use of the term “information security.” The U.S. General Accounting Office report of March 2001 (GAO-01-341) is titled “Information Security: Challenges to Improving DOD’s Incident Response Capabilities.” The contents of this document demonstrate that, to the authors of this report anyway, information security is a computer and information system related problem. No reference is made to the individual, just to technical systems. The definition from the Joint Publication noted above emphasized the computer security and communications security aspects of information security.

PDD-68, mentioned above, discusses the requirement to identify hostile propaganda and deception targeted against the U.S.. However, PDD-68 apparently does not address information security. The actual document has still not been released. Even though the U.S. does not mention information security in terms of mental activity, other western nations do. Sweden, for example, has a psychological defense department that aims to uphold for every Swedish citizen a constitutional right to correct, clear and complete information on what is happening in society and in the world at large, especially in times of stress or crisis, or in times of particular importance.[9]

Most Americans realize that the issue of the influence of information on the minds of Americans is covered by different terminology than “information security.” Advertising agencies are forbidden to persuade citizens using certain technology such as the infamous “25th frame effect” demonstrated in the 1950s at one theater. The mind reportedly can process 24 frames of film a second, and a 25th frame becomes a subliminal message. The movie theater in question sold popcorn and drinks by inserting this extra frame. This was ruled unconstitutional and other restrictions on media advertising are written into U.S. law to protect human rights and privacy. Thus American citizens are protected from “mind attacks” by different segments of legal code using different terminology.

The U.S. has not had to consider the human aspect of cyber-based operations nor the loss of an ideology as some nations have faced. In the affected countries consideration was given to the “information-psychological security” factor as a result to a much greater degree than in the U.S., which did not lose its democratic ideology. Russia lost an ideology and is working hard to ensure that Russian culture, identity, and spirit do not also disappear along with it. 

Russian Views on Information Security

The approved Russian Federation’s information security document represents the purposes, objectives, principles, and basic directions of Russia’s information security thought. The document is divided into eleven sections. They are:

The security doctrine's sections are further subdivided into three or four recognizable areas. First, there are some general principles associated with the section. Then the external and internal threats to that section's principles are listed, and this is followed by a list of measures to be taken to offset these threats. A look at the section on "subjects of the information security of the Russian Federation in the sphere of defense" follows to examine this methodology.

There are four general subject areas listed under this section. These are the information infrastructure of the central elements (the branches of the armed forces and scientific research institutions of the Ministry of Defense) of military command and control; the information resources of defense complex enterprises and research institutions; software and hardware of automated command and control systems; and information resources, communication systems, and the information infrastructure of other forces and military components and elements.

External threats to the Defense Ministry make up the next section. They include the intelligence activities of foreign states; information and technical pressure (electronic warfare, computer network penetration, etc.) by probable enemies; sabotage and subversive activities by the security services of foreign states using information and psychological pressure; and the activity of foreign political, economic, and military entities directed against the defense interests of the Russian Federation. Internal threats include the violation of established procedures for collecting, processing, storing, and transmitting information within MoD; premeditated actions and personal mistakes with special information and telecommunications systems, or with the latter's unreliable operation; information and propaganda activities that undermine armed forces prestige; unresolved questions about protecting intellectual property of enterprises; and unresolved questions regarding social protection of servicemen and their families.

The final section of the defense discussion outlines the main ways to improve the system of information security for the armed forces including the systematic detection of threats and their sources; structuring the goals and objectives of information security; certifying general and special software and information-protection facilities in automated military control and communications systems; the improvement of facilities and software designed to protect information; improvement in the “structure of functional arms” in the system of information security; training of specialists in the field of information security; and, most important in light of the Russian military doctrine's views on information security, the refinement of the modes and methods of strategic and operational concealment, reconnaissance, and electronic warfare, and the methods and means of active countermeasures against the information and propaganda and psychological operations of a probably enemy.

Interestingly, this discussion of the information security dimension of the defense sphere varies from the military doctrine of the Russian Federation. The latter states quite specifically that information-psychological and information-technical matters are the two external threats to Russia, and disruptive plans or technologies are the greatest internal threats. That these two important terms are not used in the information security doctrine is probably due to the fact that military people advised but did not write it. However, the two sections on the spiritual and cultural sphere, and the section on the scientific research sphere cover the military's information-psychological and information-technical concerns from the military doctrine. While not citing information-psychological activities directly, several sections imply this is a concern. For example, under constitutional rights, it notes that a threat is the unlawful use of special techniques influencing the individual, group, and social consciousness, as well as the disorganization of the system of cultural values. Under foreign policy concerns, an internal threat is the propaganda activities of political forces, public associations, the news media, and individuals who distort the strategy and tactics of the foreign policy of the Russian Federation. An important spiritual concern is the prevention of unlawful information and psychological influences on the mass consciousness of society and the uncontrolled commercialization of culture and sciences. Thus, information security in Russian is focused on both the mind and on technical systems. The impression is that internal threats are more real and consequential than external threats.

The information security doctrine uses the term "information-protection" quite often, and this term is the one item that the state could put on a par with the military's information-psychological and information-technical issues. Another area of obvious emphasis is the formation of a legal base for information security. The laws on "State Secrecy," "Information, Computerization, and Information Protection," "Participation in International Information exchange," and "Essentials of Legislation of the Russian Federation on the Archive Collection of the Russian Federation and Archives" are specifically mentioned. Legal issues are one of three methods of information security mentioned in the doctrine, with organizational-technical and economic the other two. The threat of information weapons to Russia's information infrastructure and the threat of foreign governments using information warfare techniques against Russia were also mentioned. Special concern focused on the inadequate development of telecommunication systems, the integrity of information resources, space-based reconnaissance, and electronic-warfare facilities.

On an international level, the doctrine is designed to do several things. These include:

Near its end the doctrine notes that the "implementation of the guarantees of the constitutional rights and liberties of man and citizen concerning activity in the information sphere is the most important objective of the state in the field of information security." While this sounds pleasant enough, Russian citizens are concerned over the interpretation of this notion. Some citizens fear the fact the government was concerned about two issues: conveying RELIABLE information to the Russian and international community, and NOT ALLOWING propaganda that promoted the incitement of social, racial, national, or religious hatred and animosity. Measured against the government's handling of the Kursk incident and the war in Chechnya, the idea of reliable government information is questionable at best. The government considers the "information war" conducted by the press for public opinion as a very important aspect of keeping the emotions and loyalties of its people in check during crises. All governments do this to a certain degree, but the Russian government appears to have swung the pendulum far past reason in these two cases. The doctrine states near its conclusion that a basic function of the system of information security of the Russian Federation is "the determination and maintenance of a balance between the needs of citizens, society, and the state for the free exchange of information, and the necessary restrictions on the dissemination of information."

The last paragraph of the document states that

The implementation of the priority measures in support of the information security of the Russian Federation enumerated in this doctrine presupposes the drafting of the corresponding federal program. Certain provisions of this doctrine may be made more specific with reference to particular spheres of the activity of society and the state in the appropriate documents approved by the President of the Russian Federation.

Over the next few years more attention should be directed to these more recent documents. The first meeting to start the process was the 23 October conference on information security. Anatoliy Streltsov, deputy head of the Information Security Department (which has six members) of the staff of the Russian Security Council, said that the doctrine might promote a dialogue between the authorities and the press. The conference hoped to create a data bank for shaping state policy in the sphere of the mass media and the formation of the most effective basis for cooperation between the press services of ministries and agencies, on the one hand, and the mass media on the other.[10]

Chinese Views on Information Security

The issue of information security appeared to become an important subject in China in early 2000. A series of articles on the subject appeared in the press throughout the year.  Even though not directly addressed in the definition above of information security, the content of the articles showed that Chinese analysts consider the information security aspect of the mind more so than does the U.S. but less so than the Russians. For example, some Chinese analysts feel that the U.S. wants to use the Internet to shape the world’s values in accord with those of the U.S. in order to maintain political, economic, military, and information benefits.[11]

It was also of interest that many Chinese information security articles are published by military journals. The military cites problems due to a neglect of safeguards, backward technology, and a lack of comprehensive rules and regulations.[12] The first Chinese all-army forum held in late October 2000 set forth management rules and accelerated building an effective protection system for information security technology. There are now more than 1,000 computer networks of various kinds for the PLA to manage.[13]

The military identified the “three shifts” required to ensure the security of network information. These shifts are from maintaining secrets to maintaining secrets and building firewalls, from merely emphasizing conventional security work to emphasizing the security of information, and from stressing administrative management to stressing both administrative management and prevention technology. Educators are trying to help officers renew their concept of security and establish building a “firewall” in everyone’s head. The armed forces are trying to train a group of “network guards” with high-tech expertise. This process has been accelerated through the establishment of an all-army center for information security examination, appraisal, and recognition.[14]

Chinese information theorists believe that the modern fight is centered on the “right of controlling information,” making information security one of the “commanding heights” for winning a war. “The right of controlling information” is synonymous with having an advantage in warfare. This makes the information confrontation an important operational component of modern war with information security and confidentiality the main battleground. Obtaining and counter-obtaining, control and anti-control, and destroying and counter-destroying will become an important operational mode in future warfare, as will developing the strategies and tactics of information security work.

PLA deputies to the National People’s Congress called for legislation on information security, and pointed out a few hidden dangers--technological traps and weak preventative measures. Deputies called for a national defense information security law, and concentration of effort to speed up the development of information security technology in China.[15] On 23 October 2000, the Chinese State council recommended that the 18th meeting of the 9th National People’s Congress consider a final daft of related regulations on maintaining network and information security. It appears that the issue is receiving top-level consideration, and that a policy may be forthcoming in the coming year.[16]

Shen Changxiang wrote the most authoritative article available to this author on the subject of information security. He noted that the main threats to China’s cyber-information system included (1) its being tampered with, altered, stolen or sabotaged by viruses, or by hackers taking advantage of the Internet to intrude into the system to collect and transmit sensitive information  (2) using computers’ CPUs, or pre-installed information collection and sabotage programs in the computer’s operating system, data managing system, and application system (3) and monitoring and intercepting information, using the Computer’s electromagnetic leaks and its peripheral equipment. Whoever excels in preserving information security; controls information and wins the information war in future conflicts. In IW, the difference between a developed country and an undeveloped country will be far smaller than if it were a conventional war. This requires that China draw up an information security strategy and information defense system.[17]

In the civilian sector, information security is as important a topic as it is in the military sector. In June of 2001 the weekly general affairs journal of China’s official news agency Xinhua, Liaowang, stated that information security issues are now of the utmost importance. For example, the Internet is linked to vital national infrastructures as well as to the education, health, and minds of citizens. This makes the control of the Internet’s information security aspect twice as important as it was in the past. In addition, it is estimated that over 33% of the U.S. economic growth is from the information industry. The U.S. has control over the Internet and online resources. Liaowang estimated that America has 70% of the world’s web sites, 94 of the top 100 most visited web sites, accounts for nearly one half of the world’s total number of cybercitizens, and conducts nearly 90% of the world’s Internet business. It also controls 80% of the world’s computer systems and software markets. The Internet has also produced new information security issues such as simply controlling the amount of information available.[18]

The most visible expression of a Chinese information security “plan” was offered in the June 2000 issue of the Internet website Guojia Gao Jishu Yanjiu Fazhan Jihua (HTRDP) 863. This website is sponsored by the China Office for the High Technology Research and Development Plan, an institution under the State commission for Science and Technology. The web site offered a guide to help China focus on making technical breakthroughs regarding typical information security issues and tasks in politics, the economy, and culture. The guide is based on decisions from the “Emergency Information Security Technology Plan” formulated by a specialist group researching information security strategy for National Plan 863.  The goals of the plan are: effectively alleviate information security issues for party and government network systems and financial network systems; effectively control the wanton propagation of illegal and deleterious information in mutually connected networks; and raise China’s information security technology to a new level.[19]

There are several information security issues affecting China. First, China must correct flaws in its information security management system. There is no clear division of labor on information security management among various functional departments, and it is difficult to adapt the present management model to a networked era. Second, there is an inadequate legal system in place to handle information security issues. Critical laws designed to protect the information infrastructure have not been formulated, and the construction of a legal system lags far behind what is required. Third, more research is required in the area of core information security technologies and products. China is limited by its microelectronics industry, which is of a lower quality and standard. Many cryptographic, digital signature, identity authentication, firewall and monitoring system requirements are not fulfilled as a result. Finally, there are many hidden information security dangers associated with China’s financial system. The use of lower-grade PCs and the lack of information security methods in supervisory management still make people nervous.[20]

Qiushi magazine warned that China must develop an information security system that is strong and adaptable, independent of foreign control, and must combat superstition, rumors, slander, pornography and hackers that corrupt people’s minds and threaten national security. Of particular concern is the Internet as a subversive tool. The U.S.’s over reliance on technology causes it to forget that the last line of defense in information security remains people. China must also enhance the use of positive propaganda on the Net, and strive to run a number of web sites that attract people. China must also build up its information security infrastructure including network control centers, appraisal and certification centers, and virus prevention centers. This will help accelerate the promotion of China’s information security sector.[21]

State Council member Shen Weiguang, reportedly China’s first information warfare analyst, wrote that China needed a national information security commission to strengthen centralized leadership over information warfare research. Such a commission should assume total responsibility for China’s information security and provide an information security and information warfare studies institute at the highest level. Soldiers no longer have a patent on war. There now are information invasion, information firepower surveillance, information deterrence, and information pollution problems to contend with in information space. China must establish information security standards and rules of conduct, and issue information security assessments and inspection standards according to Shen.[22]

Conclusions

The purpose of this article was to examine the U.S., Russian, and Chinese understanding of information security. The examination shows that in both definitions and in discussion, Russia and China differ markedly in their idea of information security than does the U.S.. Russia and China are worried about ways to influence the mind and emotions of its citizens. The U.S., on the other hand, treats the mind as a separate issue governed by different terms: human rights, perception management, and so on.

The U.S. does not use the same lexicon in its documents (seldom if ever using “information security” in conjunction with the logic of its citizens), and has been affected by a different situational context.

Governed by such different paradigms, it is easy to fathom how discussion and understanding of the term “information security” in the U.N. could prove to be very difficult. However, with just minor compromises, common ground can be found. It is important to do so now. A decade ago, cloning and stem-cell research were futuristic problems for scientists but today they are problems scientists must learn to control. The speed of development of information technology implies that a futuristic concept such as the electronic manipulation of the mind may be closer than we want to believe. If that happens, the idea of information security will take on a whole new dimension. It is wise to prepare now for the future and develop some universal procedures for scientists to consider.


[1]  White Paper, The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive 63, 22 May 1998, downloaded from the Internet.

[2] "International Public Information Presidential Decision Directive PDD 68, 30 April 1999, downloaded from the web site of the Federation of American Scientists on 3 July 2001.

[3] Joint Publication 3-13, Joint Doctrine for Information Operations, 9 October 1998, p. GL-7.

[4] Mubin Abdurakhmanov and Dmitry Barishpolets, “From the Dictionary ‘Geopolitics and National Security,’” Military News Bulletin, Vol. Vii, No 10, October 1998, p. 13.

[5] V.I. Parfenov, “Protecting Information: Terms and Definitions,” Questions of Protecting Information, No. 3-4, 1997,  p. 1 of an insert.

[6] Shen Changxiang, “Information Security—an Important Contemporary Issue,” Jiefangjun Bao, 4 April 2001, p 11 as translated and downloaded from the FBIS web site on 4 April 2001.

[7]  White Paper, 22 May 1998.

[8]  Ibid.

[9]  See http://www.psycdef.se/english

[10]  ITAR-TASS, "Conference on Information Security, Mass Media held in Russia," 23 October 2000.

[11] PLA Daily News, 9 November, 2000.

[12] “Security Means Ensuring ‘Winning the War,’” Jiefangjun Bao, 27 October 2000 p. 1 as translated and downloaded from the FBIS web site on 27 October 2000.

[13] Li Xuanqing and Liu Mingxue, “PLA’s Security Work Emphasis Shifted to Building of Information Security,” Jiefangjun Bao, 27 October 2000 as translated and downloaded from the FBIS web site on 27 October 2000.

[14]  Ibid.

[15]  No author, title, Jiefnagjun Bao, 12 March 2000, p. 4 as translated and downloaded from the FBIS home page on 14 March 2000.

[16]  PLA Daily News, 9 November 2000.

[17]   Ibid., Shen.

[18]  Yang Guangliang, “Paying Attention to Information Security,” Liaowang, No 23, pp. 37, 38, 4 June 2001 as translated and downloaded from the FBIS web site on 12 June 2001.

[19] “PRC High Technollogy Research Development Plan, http://www.863.org.cn, 6 June 2000 as translated and downloaded from the FBIS web page on 25 October 2000.

[20]  Ibid.

[21] He Dejin, “Raise Network Security Awareness and Build Information Protection Systems,” Quishi, 1 November.

[22] Shen Weiguang, The Third World War—Total Information War, 2000 as translated and downloaded from the FBIS web page.