The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.

Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.

Against that background, the following news from The Verge about an attempt to pin down what exactly "cyberwar" might be, is particularly interesting:

A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted. Written by 20 experts in conjunction with the International Committee of the Red Cross and the US Cyber Command, the Tallinn Manual on the International Law Applicable to Cyber Warfare analyzes the rules of conventional war and applies them to state-sponsored cyberattacks.

That's because conventional war makes a distinction between combatants -- those fighting in regular armies -- and those who are "unprivileged belligerents". The difference is crucial: the former enjoy important rights, for example to be treated as prisoners of war if captured, whereas "unprivileged belligerents" do not. The distinction between the two groups is relatively obvious in traditional warfare, where combatants are organized and subject to clear command structures. Hacktivists, by contrast, may decide to defend their country by taking part in group attacks from their home or from a local café, say; the issue then becomes whether or not they are to be considered combatants with rights, or "unprivileged belligerents" without them.

The following section from the Tallinn Manual shows the experts floundering here -- and just how hard it is to come up with sensible rules for this "cyberwar" stuff:

Combatant status requires that the individual wear a 'fixed distinctive sign'. The requirement is generally met through the wearing of uniforms. There is no basis for deviating from this general requirement for those engaged in cyber operations. Some members of the International Group of Experts suggested that individuals engaged in cyber operations, regardless of circumstances such as distance from the area of operations or clear separation from the civilian population, must always comply with this requirement to enjoy combatant status.

So if you're ever tempted to engage in a little patriotic hacking into enemy computers, please don't forget to put on your uniform first...

Follow me @glynmoody on Twitter or identi.ca, and on Google+

If stealing secrets is an act of war then America is currently at war with all of its allies. Espionage is what governments do so they don’t have to go to war...directly. What appears to be upsetting the Congressman is that the Chinese are using espionage to make money in a way that the United States didn’t think of first.

The Times wasn’t content with using other peoples’ reports based on circumstantial evidence so it went out and got one of its own. The study by Mandiant has come under some fairly withering criticism.

-It doesn’t appear to say anything new. CEO Kevin Mandia: "Mandiant’s not the first company to blame China for the hacks, but it was our turn to carry the ball for a little bit." Translation = “We were working for the NYT and that’s some golden PR.”

-Did I mention it was based on circumstantial evidence? Jeffrey Carr does a superb job of explaining why Mandiant saw exactly what it expected to find and then offers several other equally valid possible perpetrators, including Russia, France and Israel.

Here is my boilerplate response on the security weakness of U.S. utilities in regards to cyber attacks: "Yes, there is a problem. It is not a crisis. To do any significant damage any such attack would most likely have to be associated with a physical attack." (The sky is not falling, Chicken Little, but I bet I could make a whole lot of money convincing you otherwise.)

That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation's first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code - even if there is no declared war.

The first shot was probably the release of Stuxnet sometime during or before 2009. Even though no one has officially claimed responsibility everyone knows who was behind it. Stuxnet hit with a bang and did a whole lot of damage to Iran's uranium-enrichment capabilities. The United States followed that up with Flame–the ebola virus of spyware.

What did the Iranians fire back with? A series of massive, on-going and ineffective DDoS attacks on American banks. This is a disproportionate response but not in the way military experts usually mean that phrase. It's the equivalent of someone stealing your car and you throwing an ever-increasing number of eggs at his house in response.

ProPublica reported yesterday that a widely cited Defense Department study claiming Iran's Intelligence Ministry constitutes "a terror and assassination force 30,000 strong" has been "pulled for revisions." It seems there's no proof whatsoever that the 30,000 number wasn't pulled out of thin air.

On balance, it seems that cyberwar capabilities have real potential to deal with some of the world's more pernicious problems, from crime and terrorism to nuclear proliferation. In stark contrast to pitched battles that would regularly claim thousands of young soldiers' lives during Robert E. Lee's time, the very nature of conflict may come to be reshaped along more humane lines of operations. War, in this sense, might be "made better" -- think disruption rather than destruction. More decisive, but at the same time less lethal.

The earliest public reference appears to be in a June 26, 1996 Daily News article in which CIA Director John Deutch warned that hackers "could launch 'electronic Pearl Harbor' cyber attacks on vital U.S. information systems."

The next month, then-Deputy Attorney General Jamie Gorelick told the Senate Governmental Affairs permanent subcommittee on investigations that "we will have a cyber-equivalent of Pearl Harbor at some point, and we do not want to wait for that wake-up call," according to the Armed Forces Newswire Service.

Thereafter the term appears to have gone into a hiatus, apart from some offhand or derivative references to the original sources cited above. But, not to worry, Sen. Sam Nunn (D-Ga.) used it again in the spring of 1998, being quoted in a March 19 South Bend Tribune article warning that "We have an opportunity to act now before there is a cyber-Pearl Harbor...We must not wait for either the crisis or for the perfect solution to get started."

The likelihood of attacks having extraordinary consequences is low. This talk of “cyberwar” and “cyberterror” is the ugly poetry of budget-building in Washington, D.C. But watch out for U.S. cyberbellicosity coming home to roost. The threat environment is developing in response to U.S. aggression.

This parallels the United States’ use of nuclear weapons, which made “the bomb” (Dmitri) an essential tool of world power. Rightly or wrongly, the United States’ use of the bomb spurred the nuclear arms race and triggered nuclear proliferation challenges that continue today. (To repeat: Cyberattacks can have nothing like the consequence of nuclear weapons.)

Senator Reid has gone hook, line, and sinker for the “cyber-9/11″ idea, of course. Like all politicians, his primary job is not to set appropriate cybersecurity policies but to re-elect himself and members of his party. The tiniest risk of a cyberattack making headlines to use against his party justifies expending taxpayer dollars, privacy, and digital liberties. This it not to prevent “cyber” attack. It is to prevent political attack.

1. Protecting government computer systems against hackers and criminals (74 percent)
2. Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent)
3. Homeland security issues such as terrorism (68 percent)

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.

‘‘(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.

‘‘(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—

‘‘(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107-40) against a target located outside of the United States; or

‘‘(2) to defend against a cyber attack against an asset of the Department of Defense.

‘‘(c) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.’"

The dangers of this digital special-ops saber-rattling are breathtaking. Secretary of State Hillary Clinton has been valiantly advocating for Internet freedom, strategic multilateralism, engagement and “smart power” around the world. The White House has said its objective is to work with other nations to “encourage responsible behavior and oppose those who would seek to disrupt networks and systems.”

Purveyors of cyberfear are going in the opposite direction. They are not interested in engaging with other countries to come up with codes of online conduct or to translate the Geneva Conventions for cyberspace -- so as to avoid collateral damage and protect hospitals, electrical grids, and so on. They want to be able to change ones to zeros on servers around the globe, whatever that means for speech and commerce at home and worldwide.

Given the undeniable benefits that the open global Internet has brought to the U.S., building moats around our networks and subjecting them to constant, unaccountable audits and other restraints -- all in the service of an immense online warfighting machine staffed by military contractors -- would be burning the village in order to save it

We must deliver and we must act quickly. It’s time to be bold. The troubling side of spending a week with some of the experts in the cybersecurity world is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out. We need to continue to sharpen our response tactics and move even faster when an intruder gets inside to limit the damage and protect our information. That requires a fast, unified response between federal agencies and our private partners – which is where Congress can help.

To suggest that this bill should move directly to the Senate Floor because it has ‘been around’ since 2009 is outrageous," McCain said. "First, the bill was introduced two days ago. Secondly, where do Senate Rules state that a bill’s progress in a previous congress can supplant the necessary work on that bill in the present one?"

Sen. Jay Rockefeller (D-W. Va.), Sen. Dianne Feinstein (D-Calif.) and Homeland Security Secretary Janet Napolitano warned the committee there could be grave consequences if Congress does not act to protect cybersecurity.

"Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another," Rockefeller said. "Or if rail switching networks were hacked—causing trains carrying people—or hazardous materials—to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington."

Ever since Vietnam, the U.S. government has shown an odd propensity for dragging us into unpopular (and unwinnable) wars. Between the protracted Iraq "War" (nearly a decade at this point), our involvement in Afghanistan and our intervention in Libya , Americans are finding that the old concept of "war" doesn't really fit what's going on here.

Back on the home front, various unwinnable wars continue to suck down tax dollars and erode civil rights. The War on Drugs. The War on Terror. The political system is no longer interested in mere skirmishes or "police actions." Everything is a capital-W "War."

A multitude of problems arise from couching these situations in catastrophic and adversarial terms. Declaring "war" on drugs has brought the battle to the home front and turned our law enforcement into an ad hoc military force. The slightest of violations is met with excessive force. There are dozens of stories of people whose houses have been invaded by SWAT teams armed with automatic weapons. Uninvolved children have been thrust into violent situations by the perceived wrongdoing of their parents. When a person possessing a couple of ounces of marijuana is treated like a Colombian drug lord, the system is being abused.

Using the word "war" automatically defines your opponent as violent, no matter how untrue that designation is. Declaring the nation to be in the midst of a "cyberwar" allows law enforcement and government security agencies to escalate their response to perceived threats. Every reaction becomes an overreaction. No matter what your opinion of Anonymous and like-minded hackers might be, it's pretty safe to say that most of us do not consider them to be a violent threat.

All previous indications point to this being handled just as badly as any previous "war." The point will come when people are overrun in their own homes by armed tactical units in response to actions like DDoS attacks which, as Reason points out, are usually "undirected protests" with "no tactical objective." Truly innocent citizens will be swept up in this as well, considering the number of computers out there that have been "zombified" and pressed into service as part of a botnet. Immigration and Customs Enforcement (ICE) has already demonstrated that it needs nothing more than an IP address to mobilize.

In times of war, corners are cut and rights are treated as privileges. When the enemy is invisible and the list of possible suspects grows exponentially with each broadening of the definition of "hacking," the "war" becomes a convenient excuse for law enforcement fishing expeditions and violent tactical reactions. California has already decided police can search your phone without a warrant and the list of municipalities willing to expand police power with warrantless searches and abuse of "probable cause" continues to grow.

The ugliest part of this whole "war" concept is that underneath all the tough talk and tougher action is a good old fashioned money grab. Reason cites Sen. Barbara Mikulski's quote, "We are at war, we are being attacked, and we are being hacked," while pointing out that Maryland is home to the U.S. Cyber Command Headquarters. A Baltimore Sun piece digs deeper into this money grab:

Mikulski, the state's senior senator, sits on the intelligence and appropriations committees. She said that she and Rep C.A. Dutch Ruppersberger, who sits on the appropriations and intelligence committees in the House, are Maryland's "one-two punch" on Capitol Hill. Mikulski also was named recently to a cyber security task force, which will focus on governance, technology development and work force development nationwide.

O'Malley called for the establishment of a "National Center for Excellence for Cyber Security" in Maryland, more education and work force training, and an economic development strategy for cyber security in the state.

The computer design and services sector, which includes cyber security, employs about 60,000 mostly high-paid workers in Maryland, and grew despite the national recession, at a 7.2 percent annual clip through November 2009, state officials said.

Beginning in early 2008, towns across the country sought to lure Cyber Command's permanent headquarters. Authorities in Louisiana estimated that the facility would bring at least 10,000 direct and ancillary jobs, billions of dollars in contracts, and millions in local spending. Politicians naturally saw the command as an opportunity to boost local economies. Governors pitched their respective states to the secretary of the Air Force, a dozen congressional delegations lobbied for the command, and Louisiana Gov. Bobby Jindal even lobbied President George W. Bush during a meeting on Hurricane Katrina recovery. Many of the 18 states vying for the command offered gifts of land, infrastructure, and tax breaks.

The city of Bossier, Louisiana, proposed a $100 million "Cyber Innovation Center" office complex next to Barksdale Air Force Base and got things rolling by building an $11 million bomb-resistant "cyber fortress," complete with a moat. Yuba City, California, touted its proximity to Silicon Valley. Colorado Springs pointed to the hardened location of Cheyenne Mountain, headquarters for NORAD. In Nebraska the Omaha Development Foundation purchased 136 acres of land just south of Offutt Air Force Base and offered it as a site.

Proposed cybersecurity legislation presents more opportunities for pork spending. The Cybersecurity Act of 2010, proposed by Sens. Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) called for the creation of regional cybersecurity centers across the country, a cyber scholarship-for-service program, and myriad cybersecurity research and development grants.

A rough Beltway consensus has emerged that the United States is facing a grave and immediate threat that can only be addressed by more public spending and tighter controls on private network security practices.

We have been treated, over the past few years, to an increasing chorus of hysteria and hype about "cyberwar". Some of that has come from governments eager to justify their increasing invasion of citizen privacy. Some of that has come from government contractors, eager to score more $100M do-nothing contracts. And since Stuxnet has come to light, it's been held up repeatedly as an example of the extreme cleverness of attackers.

But while Stuxnet is pretty darn clever, that's not the real problem. The real problem is that the incompetent morons at Siemens allowed this piece of crap to get out the door and into production environments. Thus the storyline isn't so much about the devious and subtle craft of Stuxnet's creators, as it is about the jaw-dropping negligence of Siemens: how could their QA miss this? How could they allow such a rudimentary, obvious mistake to pass?

We don't need to spend billions (or trillions) on elaborate cyberwar initiatives. We need to stop making fundamental mistakes. We need to stop doing the stupid things that we KNOW are stupid.

“Certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners,” says the document. “When warranted, the United States will respond to hostile acts in cyberspace as we would any other threat to our country.”

Attempts to quantify the potential damage that hi-tech attacks could cause and develop appropriate responses are not helped by the hyperbolic language used to describe these incidents, said the OECD report.

"We don't help ourselves using 'cyberwar' to describe espionage or hacktivist blockading or defacing of websites, as recently seen in reaction to WikiLeaks," said Professor Peter Sommer, visiting professor at LSE who co-wrote the report with Dr Ian Brown of the Oxford Internet Institute.

"Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure," added Prof Sommer.

If @wikileaks is a "cyberwar," then what were the Pentagon Papers, a wood pulp war?

Blumsack, Hines and Cotilla-Sanchez decided to contrast the performance of a topological model with one based on actual physics - specifically on Ohm's and Kirchoff's Laws governing the flow of electricity in the real world. They tried out both kinds of model on an accurate representation of the North American Eastern Interconnect, the largest and one of the most trouble-prone portions of the US grid, using real-world data from a test case generated in 2005.

The three engineers say that the physics-driven model was much closer to reality, and that this verifies what physics models show. The results showed that in fact it is major grid components through which a lot of power flows - big generating stations and massive transformers - which are the main points of vulnerability, not the minor installations scattered across the country.

It isn't so much that a minor event on a minor line or installation can't crash the network: such things do happen. But in general there have to be huge numbers of such minor events before one of them happens to hit the miracle weak point and bring everything down. It would be an impossible task for terrorists or other malefactors to know in advance just where and when a minor pinprick could cause massive effects.

"Our system is quite robust to small things failing," says Hines.

If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such--the unique characteristics of new attacks--might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.

A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinzed by private-sector experts, academics, security vendors, and watchdog groups.

Benign intentions do not control future results, and governmental surveillance of the Internet for "cybersecurity" purposes may warp over time to surveillance for ideological and political purposes.

We surely need to improve our cybersecurity. But words have meaning, and metaphors matter. There's a power struggle going on for control of our nation's cybersecurity strategy, and the NSA and DoD are winning. If we frame the debate in terms of war, if we accept the military's expansive cyberspace definition of "war," we feed our fears.

We reinforce the notion that we're helpless -- what person or organization can defend itself in a war? -- and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime.

If, on the other hand, we use the more measured language of cybercrime, we change the debate. Crime fighting requires both resolve and resources, but it's done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens.