But Lynn didn’t mention one key element in the commanders’ response: they ordered all ports on the computers on their bases to be sealed with liquid cement. Such a demand would be a tough sell in the civilian realm. (And a Pentagon adviser suggested that many military computer operators had simply ignored the order.)

A senior official in the Department of Homeland Security told me, “Every time the N.S.A. gets involved in domestic security, there’s a hue and cry from people in the privacy world.” He said, though, that coöperation between the military and civilians had increased. (The Department of Homeland Security recently signed a memorandum with the Pentagon that gives the military authority to operate inside the United States in case of cyber attack.) “We need the N.S.A., but the question we have is how to work with them and still say and demonstrate that we are in charge in the areas for which we are responsible.”

“My mom makes me wear it.” Facebook

Twitter

Email

Shopping

This official, like many I spoke to, portrayed the talk about cyber war as a bureaucratic effort “to raise the alarm” and garner support for an increased Defense Department role in the protection of private infrastructure. He said, “You hear about cyber war all over town. This”—he mentioned statements by Clarke and others—“is being done to mobilize a political effort. We always turn to war analogies to mobilize the people.”

In theory, the fight over whether the Pentagon or civilian agencies should be in charge of cyber security should be mediated by President Obama’s coördinator for cyber security, Howard Schmidt—the cyber czar. But Schmidt has done little to assert his authority. He has no independent budget control and in a crisis would be at the mercy of those with more assets, such as General Alexander. He was not the Administration’s first choice for the cyber-czar job—reportedly, several people turned it down. The Pentagon adviser on information warfare, in an e-mail that described the lack of an over-all policy and the “cyber-pillage” of intellectual property, added the sort of dismissive comment that I heard from others: “It’s ironic that all this goes on under the nose of our first cyber President. . . . Maybe he should have picked a cyber czar with more than a mail-order degree.” (Schmidt’s bachelor’s and master’s degrees are from the University of Phoenix, though from one of their “ground” campuses.)

Howard Schmidt doesn’t like the term “cyber war.” “The key point is that cyber war benefits no one,” Schmidt told me in an interview at the Old Executive Office Building. “We need to focus on that fact. When people tell me that these guys or this government is going to take down the U.S. military with information warfare I say that, if you look at the history of conflicts, there’s always been the goal of intercepting the communications of combatants—whether it’s cutting down telephone poles or intercepting Morse-code signalling. We have people now who have found that warning about ‘cyber war’ has become an unlikely career path”—an obvious reference to McConnell and Clarke. “All of a sudden, they have become experts, and they get a lot of attention. ‘War’ is a big word, and the media is responsible for pushing this, too. Economic espionage on the Internet has been mischaracterized by people as cyber war.”

Schmidt served in Vietnam, worked as a police officer for several years on a SWAT team in Arizona, and then specialized in computer-related crimes at the F.B.I. and in the Air Force’s investigative division. In 1997, he joined Microsoft, where he became chief of security, leaving after the 9/11 attacks to serve in the Bush Administration as a special adviser for cyber security. When Obama hired him, he was working as the head of security for eBay. When I asked him about the ongoing military-civilian dispute, Schmidt said, “The middle way is not to give too much authority to one group or another and to make sure that we share information with each other.”

Schmidt continued, “We have to protect our infrastructure and our way of life, for sure. We do have vulnerabilities, and we do talk about worst-case scenarios” with the Pentagon and the Department of Homeland Security. “You don’t see a looming war and just wait for it to come.” But, at the same time, “we have to keep our shipping lanes open, to continue to do commerce, and to freely use the Internet.”

How should the power grid be protected? It does remain far too easy for a sophisticated hacker to break into American networks. In 2008, the computers of both the Obama and the McCain campaigns were hacked. Suspicion fell on Chinese hackers. People routinely open e-mails with infected attachments, allowing hackers to “enslave” their computers. Such machines, known as zombies, can be linked to create a “botnet,” which can flood and effectively shut down a major system. Hackers are also capable of penetrating a major server, like Gmail. Guesses about the cost of cyber crime vary widely, but one survey, cited by President Obama in a speech in May, 2009, put the price at more than eight billion dollars in 2007 and 2008 combined. Obama added, referring to corporate cyber espionage, “It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to one trillion dollars.”

One solution is mandated encryption: the government would compel both corporations and individuals to install the most up-to-date protection tools. This option, in some form, has broad support in the technology community and among privacy advocates. In contrast, military and intelligence eavesdroppers have resisted nationwide encryption since 1976, when the Diffie-Hellman key exchange (an encryption tool co-developed by Whitfield Diffie) was invented, for the most obvious of reasons: it would hinder their ability to intercept signals. In this sense, the N.S.A.’s interests align with those of the hackers.

John Arquilla, who has taught since 1993 at the U.S. Naval Postgraduate School in Monterey, California, writes in his book “Worst Enemies,” “We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted.” Instead, many of those charged with security have adopted the view that “cyberspace can be defended with virtual fortifications—basically the ‘firewalls’ that everyone knows about. . . . A kind of Maginot Line mentality prevails.”

Arquilla added that America’s intelligence agencies and law-enforcement officials have consistently resisted encryption because of fears that a serious, widespread effort to secure data would interfere with their ability to electronically monitor and track would-be criminals or international terrorists. This hasn’t stopped sophisticated wrongdoers from, say, hiring hackers or encrypting files; it just leaves the public exposed, Arquilla writes. “Today drug lords still enjoy secure internet and web communications, as do many in terror networks, while most Americans don’t.”

Schmidt told me that he supports mandated encryption for the nation’s power and electrical infrastructure, though not beyond that. But, early last year, President Obama declined to support such a mandate, in part, Schmidt said, because of the costs it would entail for corporations. In addition to the setup expenses, sophisticated encryption systems involve a reliance on security cards and on constantly changing passwords, along with increased demands on employees and a ceding of control by executives to their security teams.

General Alexander, meanwhile, has continued to press for more authority, and even for a separate Internet domain—another Maginot Line, perhaps. One morning in September, he told a group of journalists that the Cyber Command needed what he called “a secure zone,” a separate space within the Internet to shelter the military and essential industries from cyber attacks. The secure zone would be kept under tight government control. He also assured the journalists, according to the Times, that “we can protect civil liberties, privacy, and still do our mission.” The General was more skeptical about his ability to please privacy advocates when he testified, a few hours later, before the House Armed Services Committee: “A lot of people bring up privacy and civil liberties. And then you say, ‘Well, what specifically are you concerned about?’ And they say, ‘Well, privacy and civil liberties.’ . . . Are you concerned that the anti-virus program that McAfee runs invades your privacy or civil liberties?’ And the answer is ‘No, no, no—but I’m worried that you would.’ ”

This summer, the Wall Street Journal reported that the N.S.A. had begun financing a secret surveillance program called Perfect Citizen to monitor attempted intrusions into the computer networks of private power companies. The program calls for the installation of government sensors in those networks to watch for unusual activity. The Journal noted that some companies expressed concerns about privacy, and said that what they needed instead was better guidance on what to do in case of a major cyber attack. The N.S.A. issued a rare public response, insisting that there was no “monitoring activity” involved: “We strictly adhere to both the spirit and the letter of U.S. laws and regulations.”

A former N.S.A. operative I spoke to said, of Perfect Citizen, “This would put the N.S.A. into the job of being able to watch over our national communications grid. If it was all dot-gov, I would have no problem with the sensors, but what if the private companies rely on Gmail or att.net to communicate? This could put the N.S.A. into every service provider in the country.”

The N.S.A. has its own hackers. Many of them are based at a secret annex near Thurgood Marshall International Airport, outside Baltimore. (The airport used to be called Friendship Airport, and the annex is known to insiders as the FANX, for “Friendship annex.”) There teams of attackers seek to penetrate the communications of both friendly and unfriendly governments, and teams of defenders monitor penetrations and attempted penetrations of U.S. systems. The former N.S.A. operative, who served as a senior watch officer at a major covert installation, told me that the N.S.A. obtained invaluable on-the-job training in cyber espionage during the attack on Iraq in 1991. Its techniques were perfected during the struggle in Kosovo in 1999 and, later, against Al Qaeda in Iraq. “Whatever the Chinese can do to us, we can do better,” the technician said. “Our offensive cyber capabilities are far more advanced.”

Nonetheless, Marc Rotenberg, the president of the Electronic Privacy Information Center and a leading privacy advocate, argues that the N.S.A. is simply not competent enough to take a leadership role in cyber security. “Let’s put the issue of privacy of communications aside,” Rotenberg, a former Senate aide who has testified often before Congress on encryption policy and consumer protection, said. “The question is: Do you want an agency that spies with mixed success to be responsible for securing the nation’s security? If you do, that’s crazy.”

Nearly two decades ago, the Clinton Administration, under pressure from the N.S.A., said that it would permit encryption-equipped computers to be exported only if their American manufacturers agreed to install a government-approved chip, known as the Clipper Chip, in each one. It was subsequently revealed that the Clipper Chip would enable law-enforcement officials to have access to data in the computers. The ensuing privacy row embarrassed Clinton, and the encryption-equipped computers were permitted to be exported without the chip, in what amounted to a rebuke to the N.S.A.

That history may be repeating itself. The Obama Administration is now planning to seek broad new legislation that would enable national-security and law-enforcement officials to police online communications. The legislation, similar to that sought two decades ago in the Clipper Chip debate, would require manufacturers of equipment such as the BlackBerry, and all domestic and foreign purveyors of communications, such as Skype, to develop technology that would allow the federal government to intercept and decode traffic.

“The lesson of Clipper is that the N.S.A. is really not good at what it does, and its desire to eavesdrop overwhelms its ability to protect, and puts at risk U.S. security,” Rotenberg said. “The N.S.A. wants security, sure, but it also wants to get to capture as much as it can. Its view is you can get great security as long as you listen in.” Rotenberg added, “General Alexander is not interested in communication privacy. He’s not pushing for encryption. He wants to learn more about people who are on the Internet”—to get access to the original internal protocol, or I.P., addresses identifying the computers sending e-mail messages. “Alexander wants user I.D. He wants to know who you are talking to.”

Rotenberg concedes that the government has a role to play in the cyber world. “We privacy guys want strong encryption for the security of America’s infrastructure,” he said. He also supports Howard Schmidt in his willingness to mandate encryption for the few industries whose disruption could lead to chaos. “Howard is trying to provide a reasoned debate on an important issue.”

Whitfield Diffie, the encryption pioneer, offered a different note of skepticism in an e-mail to me: “It would be easy to write a rule mandating encryption but hard to do it in such a way as to get good results. To make encryption effective, someone has to manage and maintain the systems (the way N.S.A. does for D.O.D. and, to a lesser extent, other parts of government). I think that what is needed is more by way of standards, guidance, etc., that would make it easier for industry to implement encryption without making more trouble for itself than it saves.”

More broadly, Diffie wrote, “I am not convinced that lack of encryption is the primary problem. The problem with the Internet is that it is meant for communications among non-friends.”

What about China? Does it pose such a threat that, on its own, it justifies putting cyber security on a war footing? The U.S. has long viewed China as a strategic military threat, and as a potential adversary in the sixty-year dispute over Taiwan. Contingency plans dating back to the Cold War include calls for an American military response, led by a Navy carrier group, if a Chinese fleet sails into the Taiwan Strait. “They’ll want to stop our carriers from coming, and they will throw whatever they have in cyber war—everything but the kitchen sink—to blind us, or slow our fleet down,” Admiral McVadon, the retired defense attaché, said. “Our fear is that the Chinese may think that cyber war will work, but it may not. And that’s a danger because it”—a test of cyber warfare—“could lead to a bigger war.”

However, the prospect of a naval battle for Taiwan and its escalation into a cyber attack on America’s domestic infrastructure is remote. Jonathan Pollack, an expert on the Chinese military who teaches at the Naval War College in Newport, Rhode Island, said, “The fact is that the Chinese are remarkably risk-averse.” He went on, “Yes, there have been dustups, and the United States collects intelligence around China’s border, but there is an accommodation process under way today between China and Taiwan.” In June, Taiwan approved a trade agreement with China that had, as its ultimate goal, a political rapprochement. “The movement there is palpable, and, given that, somebody’s got to tell me how we are going to find ourselves in a war with China,” Pollack said.

Many long-standing allies of the United States have been deeply engaged in cyber espionage for decades. A retired four-star Navy admiral, who spent much of his career in signals intelligence, said that Russia, France, Israel, and Taiwan conduct the most cyber espionage against the U.S. “I’ve looked at the extraordinary amount of Russian and Chinese cyber activity,” he told me, “and I am hard put to it to sort out how much is planning for warfare and how much is for economic purposes.”

The admiral said that the U.S. Navy, worried about budget cuts, “needs an enemy, and it’s settled on China,” and that “using what your enemy is building to justify your budget is not a new game.”

There is surprising unanimity among cyber-security experts on one issue: that the immediate cyber threat does not come from traditional terrorist groups like Al Qaeda, at least, not for the moment. “Terrorist groups are not particularly good now in attacking our computer system,” John Arquilla told me. “They’re not that interested in it—yet. The question is: Do vulnerabilities exist inside America? And, if they do, the terrorists eventually will exploit them.” Arquilla added a disturbing thought: “The terrorists of today rely on cyberspace, and they have to be good at cyber security to protect their operations.” As terrorist groups get better at defense, they may eventually turn to offense.

Jeffrey Carr, a Seattle-based consultant on cyber issues, looked into state and non-state cyber espionage throughout the recent conflicts in Estonia and Georgia. Carr, too, said he was skeptical that China or Russia would mount a cyber-war attack against the United States. “It’s not in their interest to hurt the country that is feeding them money,” he said. “On the other hand, it does make sense for lawless groups.” He envisaged “five- or six-year-old kids in the Middle East who are working on the Internet,” and who would “become radicalized fifteen- or sixteen-year-old hackers.” Carr is an advocate of making all Internet service providers require their customers to use verifiable registration information, as a means of helping authorities reduce cyber espionage.

Earlier this year, Carr published “Inside Cyber Warfare,” an account, in part, of his research into cyber activity around the world. But he added, “I hate the term ‘cyber war.’ ” Asked why he used “cyber warfare” in the title of his book, he responded, “I don’t like hype, but hype sells.”

Why not ignore the privacy community and put cyber security on a war footing? Granting the military more access to private Internet communications, and to the Internet itself, may seem prudent to many in these days of international terrorism and growing American tensions with the Muslim world. But there are always unintended consequences of military activity—some that may take years to unravel. Ironically, the story of the EP-3E aircraft that was downed off the coast of China provides an example. The account, as relayed to me by a fully informed retired American diplomat, begins with the contested Presidential election between Vice-President Al Gore and George W. Bush the previous November. That fall, a routine military review concluded that certain reconnaissance flights off the eastern coast of the former Soviet Union—daily Air Force and Navy sorties flying out of bases in the Aleutian Islands—were redundant, and recommended that they be cut back.

“Finally, on the eve of the 2000 election, the flights were released,” the former diplomat related. “But there was nobody around with any authority to make changes, and everyone was looking for a job.” The reality is that no military commander would unilaterally give up any mission. “So the system defaulted to the next target, which was China, and the surveillance flights there went from one every two weeks or so to something like one a day,” the former diplomat continued. By early December, “the Chinese were acting aggressively toward our now increased reconnaissance flights, and we complained to our military about their complaints. But there was no one with political authority in Washington to respond, or explain.” The Chinese would not have been told that the increase in American reconnaissance had little to do with anything other than the fact that inertia was driving day-to-day policy. There was no leadership in the Defense Department, as both Democrats and Republicans waited for the Supreme Court to decide the fate of the Presidency.

The predictable result was an increase in provocative behavior by Chinese fighter pilots who were assigned to monitor and shadow the reconnaissance flights. This evolved into a pattern of harassment in which a Chinese jet would maneuver a few dozen yards in front of the slow, plodding EP-3E, and suddenly blast on its afterburners, soaring away and leaving behind a shock wave that severely rocked the American aircraft. On April 1, 2001, the Chinese pilot miscalculated the distance between his plane and the American aircraft. It was a mistake with consequences for the American debate on cyber security that have yet to be fully reckoned. ♦