The Pentagon has concluded that cyber attacks are acts of war and may therefore merit a full military response. People tracking stories on hacking or cyberwar have had a busy few months. Headlines this week were provided courtesy of the Pentagons first formal cyber strategy document which concluded that computer sabotage coming from another country can constitute an act of war, and opens the door for the US to respond using traditional military force. The same article carried a widely repeated (but not clearly attributed) quote from a military official who glibly said: If you shut down our power grid, maybe we will put a missile down one of your smokestacks. To many who work in information security, the threat of a full military response to a cyber offensive seems disproportional - especially when many pundits were claiming that cyberwar was not even a real threat- so where did this come from and what does it mean? Most of the established military powerhouses have long realised the internets potential as a battleground and many have been dipping their toes tentatively into cyberwar waters for a while. The first computer worm ever unleashed on the internet (in 1988) was written by a graduate student from Cornell, whose father happened to be the chief scientist of the American National Security Agency. Reactions to that worm spawned the computer security industry as we know it today, which in turn spawned whats becoming known as the military digital complex. The incident in February with US defence subcontractor HBGary and Anonymous gave people a glimpse into this world and opened the eyes of many to the millions of dollars being invested in offensive computer security research. Two incidents (separated by a few months) are worth noting here. Stuxnet In July of 2010, a worm was discovered by a Belarusian company with some interesting payloads. The more the worm (dubbed Stuxnet) was examined, the more interesting it became. Today we know that Stuxnet was written to target SCADA systems relating to gas centrifuges. The worm contained multiple attack vectors that were previously unknown to the world (0days) and was in some ways, technically sublime. It ultimately targeted Iranian nuclear reactors, and some experts claim that the worm set back the Iranian Nuclear programme by as much as two years. Estimates on the cost of building the worm swing wildly but even the highball figure of several million is a far sight cheaper than the traditional weaponry that would have been needed to achieve the same result. We may never know for sure if the worm was written by Israel or the US as most experts believe, but we do know that it was effective, and that it made it clear that attacks in cyberspace have effects in the real world. Comodo Hack In March this year a Secure Sockets Layer (SSL) certification authority named Comodo was hacked. Comodo was one of those trusted intermediaries. After hacking into them, the attacker was able to generate several fake certificates. This allowed them to set up fake web sites and then have them vouched for. You would think that you were talking to internet banking (or Gmail) and your browser would happily display the padlock, but all your communication could be compromised. The attackers created fake certificates (to vouch for), and (among others) but once they had the ability to create certificates, they could have generated them for any site they chose. This could enable mass interception of traffic and few people would be any the wiser. Comodo traced the attack to Iran and claimed that it was a state-sponsored attack. The media swallowed it whole. A few days later, however, the attacker went public. In an online statement he proved that he was indeed the real attacker, explained his motives and pointed out his age: I should mention my age is 21... When USA and Israel write Stuxnet, nobody talks about it, nobody gets blamed, nothing happened at all... I say that, when I sign certificates nothing should happen (sic). We have seen this movie before; young, talented hackers being able to achieve results with enough impact that people attribute their actions to a nation state. In the end, all this power lay in the hands of a 21-year-old hacker with an ideology. The simple truth is that cyberspace is tough to police and near impossible to protect (with current technology). There are too many moving pieces and defensive technology has not yet caught up with attacks. Stuxnet is probably the most analysed piece of malware in the world, and we still cannot say categorically who created it. The difficulty faced with attribution means that the threat of putting a missile down one of your smokestacks is vacuous at best, or irresponsible at worst. Now we see an increased rush to develop cyber capabilities and, though cyber seems to be the new arms-race, there is an important difference. Exploits can be worked on in private without tell-tale mushroom clouds or double-flashes of light which betray nuclear testing. Capabilities can be built and refined for fractions of the cost and most importantly: There is no hint of mutually assured destruction. Firing off Stuxnet might have seemed like a good idea, but since everyone is vulnerable (and some are more vulnerable than others) it is possibly a road that was better avoided. When it comes to cyberspace, the connected world is living in a glass house, and we all know that people in glass houses shouldnt throw stones. Haroon Meer is the founder of Thinkst Applied Research. Al-Jazeera