In April 2009, the US National Academies of Science suggested that it was time for the US to get serious about cyberwarfare, setting official policy for its offensive use and spearheading the development of international norms governing its deployment. Less than three months later, the US and Korea were each hit by a series of network-based attacks that are thought to have originated in North Korea.

An analysis of these attacks has now concluded that their relative lack of sophistication reinforces the conclusion that only major nations have advanced cyberwarfare capabilities, but warns that this situation will only last for a few more years.

Sabotage or espionage?

The report was prepared for the Center for International and Strategic Studies, a non-partisan think tank, by James A. Lewis, who has written books on cyberwarfare. It spends very little time on the actual Korean attacks—they were recognized as unsophisticated at the time, and further analysis hasn't changed that diagnosis—dismissing them as a "noisy demonstration." Instead, Lewis uses them as a launching point for discussing the general state of cyberwarfare.

The report attempts to draw a parallel between different levels of cyberwarfare and the sort of non-virtual equivalents with which we're more familiar. So, for example, low-level annoyances such as the Korean attacks and others that targeted Estonia and Georgia are considered the equivalent of espionage—something that may inflame international relations but not rise to the level of warfare.

In contrast, it's thought that a number of nations have the ability to inflict long-term damage on physical and virtual property that is comparable to an act of sabotage.

At the moment, there is no indication that this sort of virtual sabotage has ever happened. This may be a product of the fact that so few nations—Lewis lists Russia, China, Israel, France, the United States, and the United Kingdom as the only ones—have access to the needed tools and knowledge. And, for the most part, these nations have treated their cyberweapons as just another part of their offensive arsenal.

"Absent such larger conflict, however, a nation-state is no more likely to launch a serious cyber attack than they are to shoot a random missile at an opponent," the report concludes.

(Even this category of cyberaggression won't necessarily create a state of open hostility between nations, Lewis argues, pointing to the USS Pueblo incident as evidence that larger political concerns can still trump gunfire when it comes to war.)

The fact that this list of nations is limited to those that have responsibly possessed nuclear weapons, however, shouldn't be a cause for complacency. In contrast to nuclear technology, cybertechnology moves down the food chain quite rapidly. "A very rough estimate," Lewis writes, "would say that there is a lag of three and eight years between the capabilities developed by advanced intelligence agencies and the capabilities available for purchase or rental in the cybercrime black market."

And that's a problem, because there are a lot of indications that governments, both those with and without sophisticated cyberwarfare resources, are increasingly reliant on the black-market elements for this capability. When not engaged in warfare on behalf of a state sponsor, these criminals can simply make money the old-fashioned way: by theft.

"The cybercriminal can live well, the local economy benefits, and the government gains a powerful weapon with a strong case for 'plausible deniability' when it is used for political purposes, as appears to be the case in Estonia or Georgia," the report notes.

Limiting aggression

The means that the US has traditionally relied on for limiting aggression, primarily the threat of an overwhelming counter-response, can't be considered a viable option. If it's difficult to identify the source of an attack and connect it to a government or organization, then there's nothing to either threaten or target with a counter-response.

The report concludes by noting that the US, with its heavy reliance on a digital infrastructure and information-based economy, has the most to lose if sophisticated cyber weaponry makes its way into the hands of less advanced nations or non-governmental organizations. Given a potentially short time window of three years, Lewis calls for a crash program to get our defenses up to speed.

At the same time, however, we need to begin trying to build international support for some norms that govern the use and distribution of cyber weaponry. These, Lewis argues, should include the notion of responsibility for non-state actors.

"The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept," he writes. "A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service was cut off, his door was smashed down, and his computer confiscated."