1. Attacks can by symmetrical or asymmetrical. In warfare, the attackers and defenders arent always evenly matched.

Weve all seen what modern bombers can do to a small village, but many people dont realize that cyberwarfare flips the equation, making it much more costly to defend than attack. For example, any small group with a pile of PCs (or even PlayStations) can mount a hugely damaging attack, especially if they make use of zombie botnets as a force multiplier. This means that while the attackers only have to aim at one target, the nation states have to defend every possible target from every possible attack. The cost of defense can be wildly more expensive than the cost of attack. This changes the entire budgetary calculus of war. Take tank warfare, for example. Back in the days of tank warfare, each side needed to come up with the necessary resources to build and buy tanks an expensive endeavor. The nuclear race was even more costly, costing in the billions (and, nearly in todays dollars the trillions) to develop. By contrast, a PC capable of launching a digital attack of mass destruction might cost a few hundred bucks. Defending against those attacks could cost billions. 2. Responses can be proportionate or disproportionate. Most so-called civilized nations try to practice whats called a proportionate response when attacked. You shoot down one of our passenger airplanes, well shoot down one of your military jets. The idea is that for each action, theres a relatively equal reaction. Most Western nations distinguish between valid military targets and those of unarmed civilians. Many less-than-civilized nations often take advantage of our perception of right and wrong, and use human shields to safeguard high-value military targets. The problem with a cyberattack is that the attacking force could be scattered across the countryside. One guy could be working out of Moms basement, while another attacker might be working out of a barn in a cornfield. Its quite difficult, therefore, to pinpoint on exact base of attack and simply destroy that. Its difficult, but not impossible. We are capable of surgical strikes, whether from the air or with feet on the ground. Digital attackers will do their best to hide or misrepresent who they are or where an attack is coming from. This makes a physical response to a cyberattack difficult, but

not impossible. Remember that once you move beyond the digital domain, forensics, research, and good old investigatory skills still work. Attackers need to eat, they need a network connection, they need to communicate, and all of these activities leave footprints that a defender can find and use as a basis for retaliation. 3. With every new battlespace comes new policies, strategies, and rules of engagement. This isnt the first time nations have had a new battlespace to explore. Back in ancient times, boats couldnt get very far from shore. But once they could, deep sea battles became possible, and a whole new array of policies, strategies, and rules of engagement became necessary. Once the battle went undersea and up in the sky, still new warfighting techniques needed to be developed. Cyberspace is merely another battlespace. The weapons are different, but the bottom-line is still the same: defend against attacks, and teach attackers that its a very, very bad idea to ever attack again. The United States is currently working on formulating its new rules for the new battlespace. This is a good thing (if youre on our side, of course). 4. In cyberwar, like in real war, the combatants arent only nation states. We often think of war as being fought between nations. But the reality of war is that its often fought by many different factions, with vague and changing loyalties to different flags. Terrorism is a good example of this. Were not fighting an individual country, but a series of groups, often supported and helped by various countries practicing their own personal form of plausible deniability. Cyberwarfare has the same challenge. This week, two companies were attacked: Google and Lockheed Martin. Its not clear that either attack originated from a nation state (although the attack on Google apparently originated in Jinan, a Chinese town with a big military installation and Lanxiang Vocational School, an educational institution with strong military/industrial ties). 5. Nations will always ultimately reserve the right to respond with force to a deadly threat. I was asked by BBC presenter Giles Dilnot if the Pentagon statement speaking of the use of force scenario indicated that the United States was more serious about cyberattacks. To some degree, the answer is Yes. The U.S. has always been serious about attacks of any nature, its just that were beginning to integrate this new battlespace into our more formal planning. No matter what any diplomat (from any country) will tell you, nations always, always reserve the right to respond with force to a deadly threat. One of the fundamental purposes of governance is the protection of the population and the interests of the State. Therefore, no responsible government can rule out using whatever means is necessary to protect its people.

6. Nations are always researching new weapons systems, both offensive and defensive. So heres the $60,000 question: if the U.S. has acknowledged its working on defensive digital weaponry, does that mean the U.S. is also working on offensive weaponry, digital weapons to attack the digital attackers? Quite obviously, I cant answer that in any detail. But I can tell you that nations are always researching new weapons systems. It would be foolish to only research defensive systems 7. Just because theres a policy in place, that doesnt mean its going to be put to use. A related question I was asked was whether or not the Pentagons stance implied theyre going to start attacking digital adversaries. My answer is that given the number of cyberattacks (theyre virtually constant), its certainly likely that a retaliatory attack will happen at some time in the future. But thats not the point. The point is that civilized nations plan, they work through eventualities, they establish chains of command, they determine spans of authority, they develop rules of engagement and they do all this, hopefully, before theres any immediate plans for attack or escalation. So, just because were putting professional warfighting policies in place, that doesnt mean were planning on attacking anyone tomorrow. 8. Just because powerful nations can attack any target, that doesnt mean they will. I was asked a funny question. I was asked that now that this policy is taking form, did that mean that if someone attacked the U.S., wed turn around and attack their social health care system or something similar. Separating out the obvious fact that weve been too busy destroying our own health care system to mess with that of another country, and that no attacker can do more damage to health care policy than our very own precious politicians, the answer is pretty much no. Heres the thing. We dont attack civilian targets unless theyre specifically being used as weapons of war. If a large group of soldiers is using the Internet to attack core systems in the United States, we may retaliate, but our goal would be to stop the attacks and shut down the attackers facilities. It wouldnt be to randomly target, for example, hospitals and schools. Of course, if some rogue nation were to build a network solely for the purpose of housing an attacking engine, specifically as an attempt to mislead (or play a PR war), then the scope of the response would reflect the scale of the threat. 9. Your single best course of action is to be our friends, not our enemies. The bottom line in this is simple. If you try to hurt the United States, the United States is continually refining its capabilities to respond. Its a much, much smarter (and safer) strategy to simply play nice with Uncle Sam.