NYT editorial...something else to worry about.

A New Kind of Warfare

Published: September 9, 2012 

Cybersecurity efforts in the United States have largely centered on defending computer networks against attacks by hackers, criminals and foreign governments, mainly China. Increasingly, however, the focus is on developing offensive capabilities, on figuring out how and when the United States might unleash its own malware to disrupt an adversary’s networks. That is potentially dangerous territory.

Such malware is believed to have little deterrent value against criminals who use computers to steal money from banks or spies who pilfer industrial secrets. But faced with rising intrusions against computers that run America’s military systems and its essential infrastructure — its power grid, for instance, and its telecommunications networks — the military here (and elsewhere) sees disruptive software as an essential new tool of war. According to a study by the Center for Strategic and International Studies, the 15 countries with the biggest military budgets are all investing in offensive cyber capabilities.

The latest step occurred last month when the United States sent out bids for technologies “to destroy, deny, degrade, disrupt, corrupt or usurp” an adversary’s attempt to use cyberspace for advantage. The Air Force asked for proposals to plan for and manage cyberwarfare, including the ability to launch superfast computer attacks and withstand retaliation.

The United States, China, Russia, Britain and Israel began developing basic cyberattack capabilities at least a decade ago and are still figuring out how to integrate them into their military operations. Experts say cyberweapons will be used before or during conflicts involving conventional weapons to infect an adversary’s network and disrupt a target, including shutting down military communications. The most prominent example is the Stuxnet virus deployed in 2010 by the United States and Israel to set back Iran’s nuclear program. Other cyberattacks occurred in 2007 against Syria and 1998 against Serbia.

Crucial questions remain unanswered, including what laws of war would apply to decisions to launch an attack. The United States still hasn’t figured out what impact cyberweapons could have on actual battlefield operations or when an aggressive cyber response is required. Nor has Washington settled on who would authorize an attack; experts see roles for both the president and military commanders. There is also the unresolved issue of how to minimize collateral damage — like making sure malware does not cripple a civilian hospital.

Another big concern is China, which is blamed for stealing American military secrets. Washington has not had much success persuading Beijing to rein in its hackers. There is a serious risk of miscalculation if, for example, there is a confrontation in the South China Sea. China could misinterpret a move, unleash a cyberattack and trigger a real cyberwar. What’s clearly needed are new international understandings about what constitutes cyber aggression and how governments should respond. Meanwhile, the United States must do what it can to protect its own networks.