Are we at cyber Defcon 1?

The United States must establish clear policies, procedures and doctrine for dealing with the ever-increasing number of dangers and threats that exist in the cyber domain.

The most frequently asked question I receive is “How likely is it that we will have a cyber war?” An interesting question, but I have a few of my own questions on this topic. Are we on the verge of a digital war? When you read about all the attacks on the stock exchange or about how the White House e-mails loaded with malware became a cyber weapon used in a cyberattack against British officials about two months ago, you have to wonder. (It is unclear whether the attack came from official White House e-mail accounts that had been hacked or were artfully spoofed.)

After reading these and other accounts of cyber aggression, you might think we are already in a digital war. How would we know, since we do not have an agreed-upon definition of what constitutes an act of war in the cyber domain? The issue does not stop there. To declare an act of cyber war you would need to measure the impact of a cyberattack. What is the set of measures for cyber battle damage? Right now it appears to be “I’ll know it when I see it” and that is not sufficient. I could go on, but I will stop there for now.

Acts of cyber aggression are now a reality that we must deal with, but we are really not ready. Designing, developing and testing cyber weapons, coupled with creating cyber warfare strategies, are highly gratifying mental challenges. Policies, procedures and doctrine development are bland activities in comparison, but these are the fundamental components that, when combined with offensive and defensive cyber weapons and cyber intelligence, make us ready for hostile cyber acts that target our nation. We need to play catch-up and accelerate all of our efforts to deal with the ever-increasing dangers and threats in the cyber domain. A formal doctrine is a must.