Cyber warfare techniques might be leaping forward and nations ramping up spending on digital defences and new electronic weapons, but the policy frameworks and philosophy for their use lag well behind.
The Stuxnet computer worm – widely believed to be an attack on Iran’s nuclear program through reprogramming industrial control systems to create damage – is seen as the latest sign of the increasing militarization of cyberspace.
The United States and Britain have openly increased focus in the area. Emerging nations such as China and Russia are believed to see it as an arena in which they can challenge conventional U.S. military dominance.
Non-state actors such as militant groups are also seen keen to take advantage.
But the rules and conventions that govern how cyber weapons might be used, who they should be used by and how that might be authorized are still far from clear.
“In most areas, the relevant policies, roles and responsibilities have not kept pace with the technology – although this is changing,” said Prescott Winter, former chief information officer and chief technical officer at the U.S. National Security Agency (NSA) and now a senior official at computer security firm Arcsight Inc.
The United States has launched its own military cyber command in part to bring offensive capabilities under the preserve of the military rather than secretive intelligence agencies such as the NSA, which handles electronic surveillance. Senior officials in Britain, the US and elsewhere increasingly make speeches on the topic.
But the field still raises a host of moral, legal, ethical and practical questions so far largely unaddressed.
How could nations retaliate if it is not possible to trace the national origin of an attacker who is using only a laptop?
Who should pay to protect critical national systems such as power grids owned by the private sector?
Should nations acknowledge publicly they have an offensive cyber attack capability to deter aggressors, or keep it secret – particularly as they can never know for certain if it will work until they unleash it on a target?
BEYOND MATURE POLITICAL DISCOURSE?
“The pace of change can be so abrupt as to render the action/reaction cycle of traditional strategy out of date before it has begun,” wrote authors from British think tank Chatham House in a report this month, describing cyberspace as “currently beyond the reach of mature political discourse”.
Some compare the situation to that in the early years of nuclear weapons, when countries were still working out how they might use them and before the realization of mutually assured destruction between the Soviet Union and the United States bought some level of policy consensus.
“There was no real scope for ambiguity when it comes to nuclear weapons,” said Nigel Inkster, a former senior British Secret Intelligence Service (MI6) official now head of transnational threats and will political at London’s International Institute for Strategic Studies, “With cyber, of course, there is. I don’t think anybody quite knows what the consequences of an extended exchange in the cyber domain would actually be. It’s an area where we probably don’t want to find out how bad it would be.”
Experts say major powers have long been developing systems to attack or hijack the software increasingly used to run essential industrial infrastructure, from traffic and supermarket supply control systems to nuclear power plants and telecommunications hubs.
Richard Clarke, former cyber security adviser to the White House under Bill Clinton and George W. Bush, compares the situation to that before World War One where nations mechanized for war with railways, ironclads, gas, aircraft and airships.
