For a variety of reasons, over the last several months the issue of cyber security has been prominently covered in the U.S. news media. But for more than a decade, the vulnerability of networked computer systems has been considered by policymakers, with worst-case scenarios running from "Electronic Pearl Harbor" to the more recent rhetorical refresh of "Cyber Katrina."
The Obama Administration and a number of congressional leaders have made preliminary moves to craft a strategy for defending the country's computer networks, but policymaking interest may outpace technical reality. As a nation, we want to be prepared for cyberwar, but we are a long way from having a cohesive game plan -- what the Pentagon calls doctrine -- for it.
There are four useful subcategories of cyber attacks: (1) attacks that knock systems offline; (2) attacks in which information is stolen; (3) attacks in which information is manipulated; and (4) attacks in which infrastructure is subverted to produce physical results. A massive denial-of-service attack, as happened in Estonia in 2007, falls into the first category. Digital theft, such as the reportedly purloined plans for the F-35 Joint Strike Fighter, falls into the second. These types of attacks happen all of the time and are launched by everybody from cyber gangs to the security services of nation states. Attacks of types 3 and 4 are rarer phenomena, and when they do occur they are generally heavily veiled in secrecy. Electronic subversion of an air defense network or the disruption of supervisory control and data acquisition (SCADA) systems are theoretical exemplars, but fully documented open cases of this sort are exceptionally rare.