Rid seems especially dubious about the potential for this form of strategic cyberwar. And rightly so. But there is ample evidence that this mode of virtual attack is being employed, and with genuinely damaging effects. The 2007 cyberwar against Estonia, apparently arising out of ethnic Russian anger over removal of a World War II monument, offered a clear example. The attack was initially highly disruptive, forcing the government to take swift, widespread measures to install security patches, improve firewalls, and make strong encryption tools available to the people. Estonia is small, but one of the world's most wired countries; 97 percent of its people do all their banking online. Costs inflicted by the attacks -- from business interruption and disruption to the need to erect new defenses -- are estimated in the many millions of euros. A scaled-up version of this kind of cyberwar, to America-sized attacks, would cause damage in the hundreds of billions of dollars.
The Stuxnet worm, which struck directly at Iranian nuclear-enrichment capabilities, is another example of strategic cyberattack -- what I prefer to call "cybotage." But will it achieve the larger goal of stopping Iranian proliferation efforts? Not on its own, no more than the Israeli air raid on the Osirak nuclear reactor 30 years ago ended the Iraqi nuclear program. Iraq's pursuit of nuclear technology simply became more covert after the Osirak attack, and the same will surely hold true for Iran today.
A key aspect of both Stuxnet and the Estonian cyberattacks is that the identity of the perpetrators, though suspected, cannot be known with certainty. This anonymity is also the case with the extensive cybersnooping campaigns undertaken against sensitive U.S. military systems since the late 1990s -- and against leading companies, too, some of which are seeing their intellectual property hemorrhaging out to hackers. A few of these campaigns have suspected links to China and Russia, but nothing is known for sure. So these actions, which to my mind qualify as a low-intensity form of cyberwar, have gone unpunished. Rid himself acknowledges that these sorts of attacks are ongoing, so it seems we are in agreement, at least about the rise of covert cyberwar.
My deeper concern is that these smaller-scale cyberwar exploits might eventually scale up, given the clear vulnerability of advanced militaries and the various communications systems that cover more of the world every day. This is why I think cyberwar is destined to play an increasingly prominent role in future wars. Yes, some cyberweapons do require substantial investment of resources and manpower, as Rid suggests. But once created, they can be used in ways that easily overcome existing defenses. Even for those exploits that don't require significant resources, like the campaign against Estonia, the lesson remains clear: The advantage lies with those who take the offensive.