Cyberwar, Stuxnet and people in glass houses

People tracking stories on hacking or cyberwar have had a busy few months. Headlines this week were provided courtesy of the Pentagon's first formal cyber strategy document which concluded "that computer sabotage coming from another country can constitute an act of war", and "opens the door for the US to respond using traditional military force".

The same article carried a widely repeated (but not clearly attributed) quote from a military official who glibly said: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks." To many who work in information security, the threat of a full military response to a cyber offensive seems disproportional - especially when many pundits were claiming that cyberwar was not even a real threat- so where did this come from and what does it mean?

Most of the established military powerhouses have long realised the internet's potential as a battleground and many have been dipping their toes tentatively into cyberwar waters for a while. The first computer worm ever unleashed on the internet (in 1988) was written by a graduate student from Cornell, whose father happened to be the chief scientist of the American National Security Agency. Reactions to that worm spawned the computer security industry as we know it today, which in turn spawned what's becoming known as the military digital complex.

The incident in February with US defense subcontractor HBGary and Anonymous gave people a glimpse into this world and opened the eyes of many to the millions of dollars being invested in offensive computer security research. What many suspected (and a few knew) was laid open for everyone to see. Huge investments were being made in Exploits & Rootkits, essential components of any self-respecting cyberwar. Two incidents (separated by a few months) are worth noting here.