The control room for Cyber Storm I, a simulated online attack run in 2006.

By DAVID E. SANGER, JOHN MARKOFF and THOM SHANKER


Just as the invention of the atomic bomb changed warfare and deterrence 64 years ago, a new international race has begun to develop cyberweapons and systems to protect against them.

When American forces in Iraq wanted to lure members of Al Qaeda into a trap, they hacked into one of the group’s computers and altered information that drove them into American gun sights.

When President George W. Bush ordered new ways to slow Iran’s progress toward a nuclear bomb last year, he approved a plan for an experimental covert program - its results still unclear - to bore into Tehran’s computers.

And the Pentagon has commissioned military contractors to develop a highly classified replica of the Internet of the future. The goal is to simulate what it would take for adversaries to shut down the country’s power stations, telecommunications and aviation systems, or freeze the financial markets - in an effort to build better defenses against such attacks, as well as a new generation of online weapons.

Thousands of daily attacks on federal and private computer systems in the United States - many from China and Russia, some malicious and some testing weaknesses in the patchwork of American firewalls - have prompted the Obama administration to review American strategy.

President Obama is expected to propose a far larger defensive effort soon. But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record.

The most exotic innovations under consideration would enable a Pentagon programmer to surreptitiously enter a computer server in Russia or China, for example, and destroy a“botnet”- a program that commandeers infected machines into a vast network that can be clandestinely controlled - before it could be unleashed in the United States.

So far, however, there are no broad authorizations for American forces to engage in cyberwar.

Cyberwar would not be as lethal as atomic war, of course, nor as visibly dramatic. But when Mike McConnell, the former director of national intelligence, briefed Mr. Bush on the threat in May 2007, he argued that if a single large American bank were successfully attacked“it would have an order-ofmagnitude greater impact on the global economy”than the September 11, 2001, attacks.

Studies have focused on whether cellphone towers, emergency-service communications and hospital systems could be brought down, to sow chaos. But the theoretical has, at times, become real.

“We have seen Chinese network operations inside certain of our electricity grids,”said Joel F. Brenner, who oversees counterintelligence operations for Dennis Blair, Mr. McConnell’s successor as national intelligence director, speaking at the University of Texas at Austin last month.“Do I worry about those grids, and about air traffic control systems, water supply systems, and so on? You bet I do.”

But the broader question - one the administration so far declines to discuss - is whether the best defense against cyberattack is the development of a robust capability to wage cyberwar.

Today, when Pentagon computers are subjected to a barrage, the origin is often a mystery, so it is almost impossible to mount a counterattack.

Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker’s power grid if that would also shut down its hospital systems, its air traffic control system or its banking system?

“We don’t have that for cyber yet,”one senior Defense Department official said,“and that’s a little bit dangerous.”


This article was reported by David E. Sanger, John Markoff and Thom Shanker and written by Mr. Sanger