Why cyberwarfare isn't used all that often

[Cain]

http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php  via http://politics.theatlantic.com/2009/11/why_the_us_wont_pull_a_brazil--yet.php

Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first.
To understand why, forget about the cyber dimension for a moment. Imagine that some foreign military had flown over a power substation and Brazil and dropped a bomb on it, depriving electricity to millions of people, as well as the places they work, the hospitals they visit, and the transportation they use. If there were no official armed conflict between Brazil and its attacker, the bombing would be illegal under international law. That's a pretty basic test. But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict. For starters, it could be considered disproportionate, particularly if Brazil hadn't launched any similar sized offensive on its adversary. Shutting off electricity to whole cities can effectively paralyze them. And the bombing would clearly target non-combatants. The government uses electricity, yes, but so does the entire civilian population.

Now add the cyber dimension. If the effect of a hacker taking down the power grid is the same as a bomber--that is, knocking out electrical power--then the same rules apply. That essentially was the conclusion of a National Academies of Sciences report in April. The authors write, "During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyber attack is governed by all the standard law of armed conflict. ...If the effects of a kinetic attack are such that the attack would be ruled out on such grounds, a cyber attack that would cause similar effects would also be ruled out."

[...]

According to a report in The Guardian, military planners refrained from launching a broad cyber attack against Serbia during the Kosovo conflict for fear of committing war crimes. The Pentagon theoretically had the power to "bring Serbia's financial systems to a halt" and to go after the personal accounts of Slobodan Milosevic, the newspaper reported. But when the NATO-led bombing campaign was in full force, the Defense Department's general counsel issued guidance on cyber war that said the law of (traditional) war applied.

The military ran into this same dilemma four years later, during preparations to invade Iraq in 2003. Planners considered whether to launch a massive attack on the Iraqi financial system in advance of the conventional strike. But they stopped short when they realized that the same networks used by Iraqi banks were also used by banks in France. Releasing a vicious computer virus into the system could potentially harm America's allies. Some planners also worried that the contagion could spread to the United States. It could have been the cyber equivalent of nuclear fallout.

Very interesting.  One of the things that made me suspicious of cyberwarfare was if it was so effective, why hadn't the USA used it in one of it's every three years or so wars?  Interconnectivity was another thing I had considered, but it was, as always, hard to say if the potential capabilities of cyberwarfare were being hyped as part of a disinformation program, in the hope that China, Russia and other adversaries would pump money and resources into a not very useful area.

Of course, the other thing to take away from this is that if cyberwarfare can be that effective, then hackers in the pay of organized crime and terrorist/insurgent/guerrilla groups might well decide to deploy it in such circumstances where states might fear to (excluding states like North Korea, which exist almost entirely outside of the international system, minimizing potential blowback).  I mean, if you see the entire Western world and most Middle Eastern governments as your enemy, like for example Al-Qaeda does, then do you really give a shit if your hacking attempts on the Iraqi economy hit France and the USA as well?  Sounds like a bonus, from that perspective.