IN ITS SHORT HISTORY, individuals and companies have harnessed cyberspace to create new industries, a vibrant social space, and a new economic sphere that are intertwined with our everyday lives. At the same time, individuals, subnational groups, and governments are using cyberspace to advance interests through malicious activity. Terrorist groups recruit, train, and target through the Internet, organized criminal enterprises exploit financial data with profits that exceed drug trafficking, and intelligence services steal secrets.

Today individuals tend to pose the greatest danger in cyberspace, but nonstate actors, intelligence services, and militaries increasingly penetrate information technology networks for espionage and influence. This is likely to continue in the future as governments seek new ways and means to defend their interests in cyberspace and to develop their own offensive capabilities to compete in cyberspace. As an early example, the Obama administration released International Strategy for Cyberspace in May 2011, which defines four key characteristics of cyberspace: open to innovation, secure enough to earn people’s trust, globally interoperable, and reliable.¹ Ensuring reliability against threats seems to dominate national security discussions today and raises concerns when thinking about future warfare.

Since the early 1990s analysts have forecast that cyberwar in the twenty-first century would be a salient feature of warfare. Yet, nearly twenty years later, individual hackers, intelligence services, and criminal groups pose the greatest danger in cyberspace, not militaries. But the concept of using cyber capabilities in war is slowly emerging. An example of this was the cyber attack that accompanied Russia’s invasion of Georgia in 2008. As Russian tanks and aircraft were entering Georgian territory, cyberwarriors attacked the Georgian Ministry of Defense. Though it had a minimal effect, the attack was a harbinger; future conflicts will have both a physical dimension and a virtual dimension. While not destructive, the attacks were disruptive. In the future, malicious code infiltrated through worms will disrupt communication systems, denial of service attacks will undermine governments’ strategic messages, and logic bombs could turn out the lights in national capitals. This approach was discussed during the 2011 NATO campaign in Libya, but was left largely in the conceptual phases.²

As a preview of what is to come, the 2010 Stuxnet worm was the first worm specifically designed to attack industrial control systems.³ Had the worm not been detected, hackers could have obtained control of power plants, communication systems, and factories by hijacking the infected systems. Theoretically, this outside actor could manipulate a control system in a power plant to produce a catastrophic failure. The source of the worm is purely speculative, but some experts saw this as the first true cyber attack against Iran’s nuclear infrastructure and credit it for slowing down Iran’s program.⁴

The 2010 Quadrennial Defense Review foreshadowed the dangers of Stuxnet and highlighted that, although it is a man-made domain, cyberspace is now as relevant a domain for Defense Department activities as the naturally occurring domains of land, sea, air, and space. The United States and many other countries, including China, Russia, Israel, and France, are preparing for conflict in the virtual dimension. In the United States, a joint cyber command was launched in 2010. With a modest two thousand personnel at its headquarters, the command derives support from fifty-four thousand sailors, eighteen thousand airmen, twenty-one thousand soldiers, and eight hundred marines who have been designated by their services to support the emerging cyber mission. The head of US Cyber Forces, Gen. Keith Alexander, sees future militaries using “cyberspace (by operating within or through it) to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability, while protecting our own.”⁵ The 2011 National Military Strategy directed joint forces to “secure the ‘.mil’ domain, requiring a resilient DoD cyberspace architecture that employs a combination of detection, deterrence, denial, and multi-layered defense.”⁶ The Defense Department strategic initiatives for operating in cyberspace include the following:

Like the physical environment, the cyber environment is all-encompassing. It includes physical hardware, such as networks and machines; information, such as data and media; the cognitive, such as the mental processes people use to comprehend their experiences; and the virtual, where people connect socially. When aggregated, what we think of as cyberspace serves as a fifth dimension where people can exist through alternate persona on blogs, social networking sites, and virtual reality games. Larry Johnson, chief executive officer of the New Media Consortium, predicts that over the next fifteen years we will experience the virtual world as an extension of the real one. Johnson believes that “virtual worlds are already bridging borders across the globe to bring people of many cultures and languages together in ways very nearly as rich as face-to-face interactions; they are already allowing the visualization of ideas and concepts in three dimensions that is leading to new insights and deeper learning; and they are already allowing people to work, learn, conduct business, shop, and interact in ways that promise to redefine how we think about these activities—and even what we regard as possible.”¹¹

Gone are the stereotypes of young male gamers that dominate cyberspace; those that inhabit virtual worlds are increasingly middle-aged, employed, and female. For example, the median age in the virtual world “Second Life” is thirty-six years old, and 45 percent are women. Among Facebook users, about half are women.¹² There are more Facebook users aged twenty-six to thirty-four than there are aged eighteen to twenty-five. The Internet has been the primary means of this interconnectivity, which is both physical and virtual. Due to the highly developed economies and its important role in the information technology sector, the highest Internet penetration rate is in North America. Yet, given its population size and rapid development, Asia has the most users (see table 1.1).

As it relates to war, the Internet is both a means and a target for militaries. Former US deputy defense secretary William J. Lynn underscored how important the information infrastructure is to national defense. “Just like our national dependence [on the Internet], there is simply no exaggerating our military dependence on our information networks: the command and control of our forces, the intelligence and logistics on which they depend, the weapons technologies we develop and field—they all depend on our computer systems and networks. Indeed, our 21st century military simply cannot function without them.”¹³ Additionally, governments use the Internet to shape their messages through media outlets hosted throughout the Web. US military commanders use public blogs and operational units post videos to YouTube. This gives both the military and citizens unprecedented insight from pilots after they bomb a target, or from marines as they conduct humanitarian assistance. The transparency is intended to reduce suspicion, counter deceptive claims made by adversaries, and improve the image of the military. Yet there are limits to these potential advantages; the Pentagon is concerned that its personnel can also share too much data through Facebook or project a poor image that runs counter to its efforts through YouTube videos. Or, in illegal cases, military personnel can steal classified data and post hundreds of thousands of classified documents to sites like Wikileaks, which can undermine national security.

In contrast to traditional warfighting domains such as land, air, or sea, governments are not the only powers in cyberspace. Rather, individuals can readily harness technology to compete on a global scale. And it is worth noting that virtualization will continue this trend of democratizing the Internet, giving individuals tremendous power that was unthinkable even ten years ago. Satellite imagery used to be highly classified and limited by the US intelligence community, but now anyone can access imagery from an iPhone using Google Earth. Likewise, the complexity and cost of building a nuclear weapon limits their production to governments, but the same cannot be said for the virtual weapon of mass destruction that can destroy data and networks, undermine international credibility, and disrupt commerce. Malicious activity through worms, viruses, and zombies regularly disrupts Internet activity (see table 1.2). And there are already many examples of virtual activities impacting the physical world such as terrorists being recruited, radicalized, and trained on the Internet; communications being severed; or power production being disrupted. Illegal groups use cyberspace to move money, conceal identities, and plan operations, which makes it extremely difficult for the governments to compete. Consequently, governments are increasingly concerned with the cyber domain as a new feature within the national security landscape.

In some sense, there has always been an implicit national security purpose for the Internet. After all, the Internet was originally conceived of and funded by one of the Defense Department’s research organizations, then known as Advanced Research Projects Agency (ARPA). Given the state of telecommunications and stand-alone computer systems that existed in the 1960s, researchers wanted to create a reliable network where a user’s system or location was unimportant to his or her ability to participate on the network. Charles Herzfeld, ARPA director from 1965 to 1967, explains the genesis of the network:

This vision of a network became a reality in 1969 when a computer link was established between the University of California–Los Angeles and Stanford University. At the time, the connection was called “internetworking,” which later was shortened to the Internet. For thirty years, the Internet was largely the domain of universities, colleges, and research institutes. But when Tim Berners-Lee and his colleagues created the World Wide Web in 1990, commercial and social applications exploded. Within a few short years, companies such as Amazon (1995), Ebay (1995), Wikipedia (2001), Facebook (2004), and Khan Academy (2009) founded a new industry and changed the way we live and work. Ongoing trends in web development tools suggest that the gap between the virtual and physical worlds is indeed narrowing.

Academic and commercial companies were pioneers in harnessing the Internet, and the government was a relative latecomer. Cyberspace first emerged as a distinct national security policy area in 1998 when President Clinton signed Presidential Decision Directive 63, w...