We're likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they've left the military unable to fight or even plan for a war in cyberspace. But the only thing they're likely to accomplish is to make Americans less safe.
No one seriously denies that cyberwar is coming. Russia pioneered cyberattacks in its conflicts with Georgia and Estonia, and cyberweapons went mainstream when the developers of Stuxnet sabotaged Iran's Natanz uranium-enrichment plant, setting back the Islamic Republic's nuclear weapons program more effectively than a 500-pound bomb ever could. In war, weapons that work get used again.
Unfortunately, it turns out that cyberweapons may work best against civilians. The necessities of modern life -- pipelines, power grids, refineries, sewer and water lines -- all run on the same industrial control systems that Stuxnet subverted so successfully. These systems may be even easier to sabotage than the notoriously porous computer networks that support our financial and telecommunications infrastructure.
And the consequences of successful sabotage would be devastating. The body charged with ensuring the resilience of power supplies in North America admitted last year that a coordinated cyberattack on the continent's power system "could result in long-term (irreparable) damage to key system components" and could "cause large population centers to lose power for extended periods." Translated from that gray prose, this means that foreign militaries could reduce many of U.S. cities to the state of post-Katrina New Orleans -- and leave them that way for months.
Can the United States keep foreign militaries out of its networks? Not today. Even America's premier national security agencies have struggled to respond to this new threat. Very sophisticated network defenders with vital secrets to protect have failed to keep attackers out. RSA is a security company that makes online credentials used widely by the Defense Department and defense contractors. Hackers from China so badly compromised RSA's system that the company was forced to offer all its customers a new set of credentials. Imagine the impact on Ford's reputation if it had to recall and replace every Ford that was still on the road; that's what RSA is experiencing now.
HBGary, another well-respected security firm, suffered an attack on its system that put thousands of corporate emails in the public domain, some so embarrassing that the CEO lost his job. And Russian intelligence was able to extract large amounts of information from classified U.S. networks -- which are not supposed to touch the Internet -- simply by infecting the thumb drives that soldiers were using to move data from one system to the next. Joel Brenner, former head of counterintelligence for the Office of the Director of National Intelligence, estimates in his new book, America the Vulnerable, that billions of dollars in research and design work have been stolen electronically from the Defense Department and its contractors.
In short, even the best security experts in and out of government cannot protect their own most precious secrets from network attacks. But the attackers need not stop at stealing secrets. Once they're in, they can just as easily sabotage the network to cause the "irreparable" damage that electric-grid guardians fear.