Last November the U.S. Air Force set up a new cyberwarfare group, called the Cyberspace Command, as part of the Eighth Air Force. "The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command," says Secretary of the Air Force Michael Wynne.
Though much of the U.S. Department of Defense's cyberplanning is classified, some aspects of its strategy are public knowledge.
According to the Washington Post, President George W. Bush signed a secret directive in July 2002 that set down guidelines for determining when and how the United States would attack foreign computer systems.
Fifteen months later, then-Secretary of Defense Donald Rumsfeld approved a 74-page "Information Operations Roadmap" outlining his department's plan to develop cyberwarfare capabilities. The cyberwarfare sections of the plan remain classified, but a March 20, 2007, report prepared by the Congressional Research Service states that the Pentagon has proceeded cautiously with these capabilities, "since a cyber attack could have serious cascading effects, perhaps causing a major disruption to networked civilian systems."
The U.S. military decided not to launch a cyberattack in Iraq as part of its 2003 invasion, the report states. Concern that any such attack might have rolled over into civilian networks outside Iraq may have played a part in its decision.
Civilian spillover a danger
Estonia's situation aptly illustrates this key problem with cyberwarfare, according to Mulvenon, who has tracked cyberskirmishes between attackers in China, Taiwan, and the United States. "None of the cyberwars that I've seen in the last 10 or 15 years has been clean," he says.
This characteristic complicates matters for states that engage in cyberwarfare because an attack may reach beyond its original objectives into civilian territories or neighboring countries.
Nations must also contend with rogue agents, such as the ones in Russia and China who may have acted without their government's approval. One official who helped coordinate Estonia's response says the attack on Estonia's computer infrastructure amounted to a cyberriot.
"In war you have definite targets," says Hillar Aarelaid, manager of Estonia's Computer Emergency Response Team (CERT). "In a riot you don't care, you're just breaking windows."
Aarelaid was struck by the sheer variety of the attacks Estonia endured. Some assailants had simply downloaded software on their home computers that repeatedly sent information requests to Estonian servers, while others had marshaled sophisticated botnet armies.
Are civilian attackers part of any nation's cyberwar strategy? Perhaps. "I tend to think that the government views them as useful idiots," Mulvenon says.
For now, Mulvenon predicts, fears of unintended consequences--whether in the form of civilians joining in the fight or of a cascading network failure--will keep cyberwarfare planners cautious, especially in conflicts with powerful nation-states. But that won't prevent attacks like the ones in Estonia, where civilian irregulars pile on in hopes of serving their nation's interests.