I don't think it rises quite to the level of SABRE-rattling, but some of Chinese president Hu Jintao's recent pronouncements on China's defense policy as it relates to information technology got me thinking. In his report to the 17th Party Congress, Hu says:

To attain the strategic objective of building computerized armed forces and winning IT-based warfare, we will accelerate composite development of mechanization and computerization, carry out military training under IT-based conditions, modernize every aspect of logistics, intensify our efforts to train a new type of high-caliber military personnel in large numbers and change the mode of generating combat capabilities.

I get the feeling that something may have been lost in translation, or maybe it's just the universal sort of double-speak that politicians the world over are famous for; there aren't really many specifics in that. But it's no secret that China has been aggressively developing information warfare capabilities, as Western intelligence agencies have been reporting.

I have noticed a tendency among many IT staff and CIOs to mentally segregate day-to-day security and the panopoly of attacks and vulnerabilities which typify modern network operations from the loftier matter of "Information Warfare." IW is something that nations might levy against one another and at any rate it's all a bit theoretical, right? Certainly nothing to eclipse concerns about the next potential breach of personal credit card information.

But this attitude is just as mistaken as the dismissal of any other sort of warfare as being primarily a matter between state actors. For many people, terrorism has driven home the fallacy of this notion. The most effective means of striking at a nation, it seems, is to strike directly at its people, bypassing the military and other mechanisms designed for defense. This isn't a new strategic thought, but it may have come to its logical conclusion in our era.

The same is true with Information Warfare. Should China, or any other capable entity (whether a state or non-governmental organization), desire to strike out at an opponent, there is little profit in doing so toward those sectors best prepared for such an event. Instead, the best targets to incite fear in the populace and ruin an economy and communications conduits are the group of corporations which comprise it. And that, to a greater or lesser extent, means your company. Information Warfare, should it ever really come of age, will do so on your servers, not on those buried in some hardened bunker at the Pentagon.

Hu seems to acknowledge this tacitly in his report, stating the necessity of developing military and civilian capabilities and systems hand in hand. There is no significant difference between them if one intends to fight an IW battle, after all.

The good news is that most of the things that you are already doing to secure your network are just as applicable in the face of IW as they are against a teenage phreaker or a syndicate of card number thieves. The bad news is that few of us take those things seriously enough as it is. And while a minor disaster at a particular company is no big deal at the moment, a concerted effort to wreak havoc at dozens, or hundreds of major corporations simultaneously could have significant effect on the nation.

If you're interested in learning more about the broader scope of IW, I recommending checking out theInformation Warfare Site for additional information.

Thanks to ITWorld for the original pointer to Hu's report.