Territory control is only a side effect of most wars. Most of the time, territory is gained for resources or to take away resources. There are other resources to take away or gain that are not geographically based - clear threat to financial stability is a simplistic example. That will certainly, through force, have the other side closer to suing for peace.

Air only (or officially air only) wars are a great counter example. You're not really taking territory, but controlling it. Why are you controlling it? To influence the enemy: Deny them freedom to move, to cause casualties, to damage production capability, etc, etc, etc in order to achieve a political objective. All of those are accomplishable almost exclusively in the cyber domain for some set of possible objectives.

Choosing to define something out of existence by using a purist definition defies how things work. More often, domains and tactics are blended together (air, sea, land, space, cyber) to achieve, by force, political objectives. Sabotage is part of war, as is espionage, as is subversion.

If the point was "there are no cyber-only wars", I don't believe it, but it's tenable (as is "there are no air only wars" - there is always ground support and/or ground effect). But that's not what the point of "carrot for those selling the stick" is. Whatever your definition of "war" is, several facts remain:

You can achieve kinetic, financial, and political effect using cyber only means; There is activity by nation states to use force in the cyber domain; Military organizations have already used cyber attacks in kinetic conflicts to help them achieve their aims against other military organizations.

You don't have to call any of these (or the sum of their implied possibilities) "cyberwar", but that doesn't mean the threats, vulnerabilities, or consequences are being hyped up either.

Not believing in cyber war is like not believing in air war, sear war, land war, or space war.

Computers have tangible effects on our culture, our economics, our politics, and our military. We all know this.

Computer systems are broken into regularly, we all know this (go google a list of known data breaches, for example).

"Someone" (for this purpose it doesnt matter who) has used code to manipulate physical controls of industrial equipment (possibly for politics/military reasons). We all can see this (see: Stuxnet)

Cyber attacks have their own logical benefits that don't really need proof, they exist by definition (can be executed, remotely, relatively difficult to attribute, can reach multiple geographically separate locations at once, etc).

So, to deny "cyber warfare" here is a lot like saying "I know the enemy can reach out assets this way, I know they can impact us this way, Ive seen lesser versions of it in action so I know it could work if there was political will....but I havent actually SEEN anyone use ballistic nuclear weapons so the threat must not be there".

(And this is assuming there isnt any evidence for it, which is itself debatable. But if you can prove the likelihood and possibility given the right motivations, the difference in position if there is/isnt evidence of it *currently* going on doesn't amount to much. Defensive and offensive pre-positioning should be the same.)

Sure, but that's not specific to this particular mess. And, as this doc clearly wasn't analysis of the general impact of worms and malware on control systems in general, they didnt need to say it here.

is here: http://www.us-cert.gov/control_systems/pdf/ICSA-10-238-01B%20-%20Stuxnet%20Mitigation.pdf Probably a little more accurate than crappy media reporting.

You can't change the Siemens passwords in this case (and have things keep working).

Actually, you are factually incorrect here. The methodologies youre describing do make it more difficult, but we have plenty of insight into what's been happening - it's just either close hold or not making the news. Just because -you- don't know, don't assume "we" don't know.

I fully expect /. to be blocked by TSA there
Ionno - No one gave a crap that I looked at Slashdot when I worked there. Good job taking a poorly worded bureaucratic ass-covering and attributing Dan Brown levels of +eleventy-billion conspiracy powers to it. And feel free to jump to my website, resume, art site, whatever for a pretty decent counter-example to your a$$-hattery here.

//God, some people, they do need babysitters and soft walls.

Heh. That would be "most of them". There's a reason there're all these bills going before congress about critical infrastructure and cyber security.

Not all parts are easily or quickly replaceable and most things aren't designed correctly.

Please, knocking out the power grid or making all the red lights turn green or whatever they're afraid of is nothing like having a bullet penetrate someone or a bomb going off - it's almost impossible, if not impossible to kill someone by hacking into a computer.

You're flat out incorrect here. First, not only can the power be shut off, but generators can be made to explode. Second, if you mess with the supply chain electronically, it's possible to do some really interesting stuff with medical supplies, parts for just in time manufacturing, etc. Could go on - but the overall effect is direct, substantial life threatening consequences.

Im not a fan of the IRS, but let's be real: 1. There are almost no government agencies or civilian organizations that don't have fairly terrible security...2. These checkbox requirements dont really tell a story. 2. These checkbox requirements dont tell a story of the actual level of security. You'd have to take a look at the whole architecture to figure out whether, for example, those UNIX passwords actually were important or not.

There should be a moratorium on government internet legislation of any kind until the first crop of kids who grew up with it and understand it are in power. The current group doesnt and will do long lasting damage - even if their intentions were/are good.