Cyber Warfare

War Without Borders

Cyber warfare has fundamentally changed the nature of conflict. For the first time in history, a nation can inflict catastrophic damage on another without moving a single soldier, firing a single bullet, or crossing a single border. Attacks happen at the speed of light, across every timezone simultaneously, and the attacker can plausibly deny everything.

There is no Geneva Convention for cyberspace. No treaty governs what constitutes a cyber “act of war” versus espionage versus crime. When Russia's NotPetya caused $10 billion in damage worldwide, including crippling Maersk's global shipping operations and shutting down Merck's pharmaceutical production, no international body had the framework to respond. Was it war? Terrorism? Vandalism? Nobody could agree.

The United States is simultaneously the most capable offensive cyber power on Earth and the most vulnerable target — because no country is more dependent on networked systems. Every power plant, water treatment facility, hospital, bank, and military base in America is connected to networks that adversaries are probing 24/7.

The Pentagon's own assessment: the US is losing the cyber war. Despite spending $11.2 billion per year on Cyber Command alone, the US failed to detect SolarWinds for 9 months, failed to prevent the OPM breach, and watched Colonial Pipeline collapse because of a single stolen password. The offense-dominant nature of cyber warfare means the attacker almost always wins.

Major Cyber Attacks & Operations

Sources: Wired, NY Times, Washington Post, Kaspersky Lab, FireEye/Mandiant, Bureau of Investigative Journalism, Snowden documents.

America's Offensive Cyber Arsenal

The United States maintains the most sophisticated offensive cyber capability on Earth. While publicly the focus is on “defense,” the vast majority of resources go to offensive operations — penetrating foreign networks, implanting backdoors, and developing weapons for future use.

China's Cyber Espionage: The Greatest Transfer of Wealth in History

The Commission on the Theft of American Intellectual Property estimated in 2017 that IP theft by China costs the US economy $225–600 billion per year. Former NSA Director Keith Alexander called it “the greatest transfer of wealth in history.”

Chinese cyber espionage is systematic, state-directed, and operates on an industrial scale. The People's Liberation Army (PLA) operates dedicated cyber units — most notably Unit 61398 (APT1) based in a 12-story building in Shanghai — that target US defense contractors, technology firms, and government agencies.

In 2014, the DOJ indicted five PLA officers for hacking US companies — the first time the US charged foreign government officials with economic cyber espionage. China denied everything and retaliated by suspending the US-China Cyber Working Group. A 2015 Obama-Xi agreement to stop commercial espionage had minimal effect; Microsoft and CrowdStrike reported that Chinese hacking actually increased after the agreement.

Escalation: How Cyber War Becomes Real War

The most dangerous aspect of cyber warfare isn't the attacks themselves — it's the escalation dynamics. The US has never clearly defined what constitutes a cyber “act of war” that would trigger a military response. In 2011, the Pentagon declared that a cyberattack causing death or significant destruction could be answered with conventional military force — but the thresholds remain deliberately vague.

Consider this scenario: Russian hackers penetrate the US power grid (which they've already done, according to DHS). During a geopolitical crisis, they shut down electricity to a major city in winter. People die of hypothermia. Is that an act of war? Does the US respond with cruise missiles? What if the US can't be 100% certain it was Russia?

The “defend forward” doctrine adopted by US Cyber Command under General Paul Nakasone in 2018 makes this even more dangerous. Under this policy, the US conducts offensive cyber operations inside adversary networks during peacetime — placing implants, mapping infrastructure, and preparing the battlefield. Russia and China do the same in US networks. Both sides are pre-positioning for a war that could start with a keystroke.

In December 2023, Chinese hackers (Volt Typhoon) were discovered embedded in US critical infrastructure — water utilities, power plants, transportation systems — across the country. FBI Director Christopher Wray called it “the defining threat of our generation.” The hackers weren't stealing data; they were pre-positioning for disruptive attacks in the event of a conflict over Taiwan. The US is doing the same in Chinese networks. Both sides have their fingers on the trigger.

The Cost of Cyber Insecurity

The US spends over $11 billion per year on Cyber Command alone — but remains deeply vulnerable. The problem isn't spending; it's the fundamental architecture of the internet (designed for openness, not security) and the perverse incentive structure that prioritizes offensive weapons over defensive security.

Every dollar spent developing a new zero-day exploit is a dollar not spent hardening American infrastructure. Every vulnerability hoarded is a vulnerability that could be stolen and used against Americans. The NSA has chosen, again and again, to prioritize its ability to spy on others over its mission to protect American communications. The WannaCry disaster was the inevitable result.

The Cyber-Industrial Complex

Just as conventional warfare created the military-industrial complex, cyber warfare has spawned a cyber-industrial complex — a revolving door between government hackers and private contractors worth tens of billions.

NSO Group (Israel) developed Pegasus spyware, sold to governments worldwide including Saudi Arabia (used to target Jamal Khashoggi's associates before his murder), UAE, Mexico, and others. The spyware can turn any iPhone or Android into a complete surveillance device — accessing camera, microphone, messages, and location — with zero user interaction.

In the US, companies like Raytheon, Northrop Grumman, Booz Allen Hamilton, and Leidos dominate the cyber contracting space. Former NSA employees command salaries of $200,000–500,000+ in the private sector. Edward Snowden himself was a contractor for Booz Allen Hamilton making $122,000 per year when he leaked the most sensitive secrets in NSA history — illustrating the security risks of an overreliance on private contractors.

The zero-day exploit market is particularly troubling. Companies like Zerodium openly advertise bounties of up to $2.5 million for iPhone zero-days and $1 million for Android exploits. These are then resold to government clients — including authoritarian regimes. The market incentivizes finding vulnerabilities and not reporting them — the exact opposite of what would make everyone safer.

No Rules, No Accountability, No Consent

Conventional warfare has the Geneva Conventions, the Laws of Armed Conflict, the UN Charter, congressional war powers, and at least the theoretical possibility of accountability. Cyber warfare has none of these constraints.

The Tallinn Manual — a non-binding academic study by NATO-affiliated experts — attempted to apply existing international law to cyber operations. But no nation has adopted it as binding. The UN's Group of Governmental Experts (GGE) has met repeatedly since 2004 without producing enforceable norms. Russia and China have proposed cyber treaties; the US has consistently rejected them, preferring the freedom to conduct offensive operations without legal constraints.

Congress has virtually no oversight of offensive cyber operations. The 2018 National Defense Authorization Act gave Cyber Command the authority to conduct “clandestine military activity” in cyberspace without presidential approval for routine operations. This means the US military can hack foreign governments and infrastructure with less oversight than a domestic wiretap requires.

No American has ever voted on whether the US should engage in offensive cyber warfare. No treaty has been ratified. No law specifically authorizes or constrains it. The entire domain of cyber conflict — which could trigger World War III through miscalculation — exists in a legal and constitutional void. The Founders gave Congress the power to declare war precisely because they understood that war is too important to leave to the executive alone. In cyberspace, that principle has been completely abandoned.

What Comes Next

The cyber arms race is accelerating. AI will make attacks faster, more targeted, and harder to attribute. Quantum computing threatens to break current encryption, potentially rendering every encrypted communication in history readable overnight. The Internet of Things is connecting billions of insecure devices — medical implants, power grids, water systems, vehicles — creating an attack surface that no government can defend.

The US response has been to spend more on offense, classify more information, demand more surveillance powers, and push for more encryption backdoors — every one of which makes Americans less safe, not more.

The alternative is straightforward: prioritize defense over offense. Report vulnerabilities instead of hoarding them. Strengthen encryption instead of weakening it. Invest in resilient infrastructure instead of offensive weapons. Hold government agencies accountable when they fail to protect data. And recognize that in cyberspace, as in all things, the greatest threat to American security is not a foreign hacker — it's an unaccountable government that has decided it knows best.