Ralph Langner is a computer security expert in Hamburg, Germany, who was among the first to decode the Stuxnet computer virus that was used against Iranian nuclear facilities.

In December 2010, after we had reverse engineered the Stuxnet virus, I argued that the attackers must have known they would open Pandora's box. Others suggested it would be opened anyway, so it better be us.

It can be argued that the time was ripe for history's first cyber weapon, and having it come from China or Russia would have created another unpleasant Sputnik experience. On the other hand, it is evident that the United States is not prepared to defend against such sophisticated cyber-physical attacks that they chose to experiment with in the open, with the actual weapon eventually being downloadable from the Internet.

While it has been said that Stuxnet was a wakeup call, the only people who woke up were military forces and intelligence services around the globe, along with some terrorists and criminals. Everybody else just fell back into a coma, which is puzzling and depressing because protection against cyber weapons is possible.

The cyber-physical battlefield is ultimately defined by defense — or the lack thereof — rather than by offensive capabilities. Nevertheless, whole industry sectors, like power generation, traditionally chose to ignore cyber security. All that occurred with the blessing of the Department of Homeland Security, which made it clear that Stuxnet wouldn't prompt any serious reaction. To date, there is not one single Department of Homeland Security publication on Stuxnet and potential copycats with any meaningful content.

The elephant in the room is not even cyberwar. War can be waged only by nation states. In cyberspace, the real threat comes from nonstate actors against which military deterrence is powerless. It does not require the resources of a nation state to develop cyber weapons. I could achieve that by myself with just a handful of freelance experts. Any U.S. power plant, including nuclear, is much easier to cyberattack than the heavily guarded facilities in Iran. An attacker who is not interested in engaging in a long-term campaign with sophisticated disguise (which rogue player would be?) needs to invest only a tiny fraction of effort compared to Stuxnet.

Almost two years ago, I wrote that Iran seemed to be begging for a cyberattack. I did not imagine that the same could become true for the United States or other industrialized countries, but it appears like we're getting there.