Piggybacking off your comment: I am surprised, am I missing something? Given the US' and the West's rather serious vulnerability in this arena, escalating the use of cyber-"weapons" doesn't obviously seem the best idea.
(Stockpiling hacks and crypto nastiness is obviously a good idea, doing something about China's cyber-espionage makes sense, and increasingly sophisticated and well-funded hacking is probably unavoidable; but TTBOMK, the US has been the first to directly attack targets of major military significance, both in Iraq and in Iran.)
What is the logic here? That if the US simply doesn't invest in offensive security research, nobody else will? That the US is somehow escalating the information security crisis?
That would be a ridiculous point, unworthy of debate.
Nation states around the world owe their first allegiance to their own interests, and then to the interests of their long-term economic and geopolitical prospects, and then maybe to their people. Any allegiance owed to principled conduct in "cyberspace" is way, way down the list. Any rival of the United States has an advantage that can be prosecuted using offensive security research is assuredly already doing so.
I also take issue with your last sentence, with the idea that the US was the first state to directly engage foreign targets. Obviously, the words "of major military significance" gives your argument a lot of room to maneuver, but the overall effect of the argument as it stands is that the US is the only state pursuing any kind of meaningful offensive security effort. That's almost definitely not the case.
I'm also unclear as to why I should be particularly disturbed by the weaponization of IT. Let's stipulate for a moment that Stuxnet was a weapon intended to sabotage a covert Iranian nuclear weapons program. OK. And? What moral authority does Stuxnet lack that a laser-guided bomb dropped from a jet owns? Did Stuxnet kill anyone? To the extent the US military can accomplish objectives using technological countermeasures rather than explosive munitions, I call that progress.
> I also take issue with your last sentence, with the idea that the US was the first state to directly engage foreign targets. Obviously, the words "of major military significance" gives your argument a lot of room to maneuver, but the overall effect of the argument as it stands is that the US is the only state pursuing any kind of meaningful offensive security effort. That's almost definitely not the case.
Absolutely. The US was simply the first to cause actual physical damage to a high-profile target. Other nation states have focused their efforts on accessing sensitive information, a la Aurora. Occasionally these attacks make it into the news but, more often than not, they go undisclosed by the target and/or unreported by the media.
Is "Stuxnet represents yet another step towards greater weaponization of IT" really ridiculous? I'm not arguing that the US is the only driver of that trend, nor am I arguing that the US should not (offensively) defend its miriad interests; rather, our (everyone's) extreme vulnerability scares me (especially SCADA and such.) And Stuxnet does make it harder to gather wide opposition to any other nations found hacking.
I otherwise agree with everything you say, especially that cyberwarfare is (so far) pretty nice.
