This lack of clarity is troubling. "We're nowhere near where our policy makers believe we are or want us to think we are," says Anup Ghosh, a research professor and chief scientist at George Mason University's Center for Secure Information Systems in Fairfax, Va. "Internet Protocol (IP) was never designed with strong attribution properties. There's no connection between an IP address and an individual."
In cyberspace, it is easy to masquerade as someone else. "As naked as we are in security, so is China," says Ghosh, also co-founder and CEO of cybersecurity technology maker Invincea. "Their security might even be worse than ours, which is pretty sad. It wouldn't be hard to use China as a jumping-off point if you're in organized crime or another nation state looking to cause some saber rattling between China and the U.S."
Much of the U.S.'s current tension with China comes from Google's claims that recent hacker attempts to steal Gmail user passwords appeared to have originated from China. "Google is a very secure company, so when they are attacked we should stand up and take notice," says O. Sami Saydjari, a former Pentagon cyber expert who now runs a consultancy called Cyber Defense Agency. At the national level, however, "clearly you want to be able to attribute an attack with a degree of certainty before you respond with military action," he adds.
Internet agencies such as the Internet Corporation for Assigned Names and Numbers (ICANN) might be a reasonable place to start when trying to improve cybersecurity and avoid international cyberconflicts, but essentially this is a problem requiring input from the U.S. State Department and international policy makers, and perhaps even something along the lines of an Internet Geneva Convention, Saydjari says. "One option is to make countries [that are] unwilling to trace the source of cyberattacks coming from within their borders accountable for the results of those attacks," he adds. "We also need more think tanks in this space such [as] we had during the cold war, where analysts discussed the consequences of nuclear weapons and mutually assured destruction."
If the U.S. chooses to enter a new war with another country within the next decade, there will be cyberweapons deployed under the guidance of cyberdoctrine to scramble communications and otherwise disrupt the enemy, Bronk says. "I would assume that the cyberattacks that we would consider as acts of warfare would be clandestine in nature, with Stuxnet being an example of how this might happen," he adds, referring to the highly sophisticated Microsoft Windows computer worm that made headlines last year when it attacked targets in Iran, leading to speculation that it was developed by the U.S. or Israel.
The threat of cyberwar "is like any great security problem; the key is not to either overreact or underreact but [to] have a calibrated response based on the knowledge we hold," Bronk says. "The problem is our knowledge is very, very limited. This is the infancy of this issue."