First, cybersecurity is inherently a business management problem - how the business itself operates is what introduces vulnerable systems (whether through purchasing decisions, operating maturity, development, HR, market timing, financial trade-offs, user awareness and responsibility management etc.). Even if the rate at which those vulnerabilities are introduced by the business remains constant, increasingly connected and complex systems assure that the vulnerable space will increase is the overall business - not just the dedicated cybersecurity functions & capabilities are improved. It will become, if it hasn't already, functionally impossible to resource cybersecurity in a way that keeps risk down to limits we find acceptable. In other words, train up all the security people you want and create all the security specific standards you can - unless you standardize and base business environments into predictable patterns, those security efforts will continue to fail.
Second, because of the deeply embedded business nature of the problem (only the symptoms of which are really technical), any external organization that comes in to try and help "fix it" will face substantial challenges - telling an independent organization that it must change the way it makes money fundamentally in order to meet theoretical and apparently-to-non-security-folks abstract risks doesn't go far quickly and involving government in any way assures that the conversation will stay as log jammed as it has been. There has to be a DEEP culture change that involves planning for long term business maturity, and that is almost antithetical to the culture in the U.S.
Third, there ARE organizations and programs that are and have been attempting this. This stuff isn't "new", just the reporting on it is - journalists rarely investigate this stuff beyond what it takes to write a succulent story. (I work for one of those organizations.)
Fourth, for all of the talk about all the "attacks against the grid" as opposed to other attacks, there is almost no information provided of useful analytical value. How much are other sectors looking? What kind of attacks are these? Real? Automated? A function of being on the internet at large? Etc. etc.
Finally, for all you "air gap" people - get with reality. There are no air gaps. Anywhere. Data moves across systems - whether they are connected by technology or not. If you're someone who is seriously attempting to interfere with critical infrastructure operations, you know this, know how to exploit it, and have the time/resources to do so.
Air only (or officially air only) wars are a great counter example. You're not really taking territory, but controlling it. Why are you controlling it? To influence the enemy: Deny them freedom to move, to cause casualties, to damage production capability, etc, etc, etc in order to achieve a political objective. All of those are accomplishable almost exclusively in the cyber domain for some set of possible objectives.
Choosing to define something out of existence by using a purist definition defies how things work. More often, domains and tactics are blended together (air, sea, land, space, cyber) to achieve, by force, political objectives. Sabotage is part of war, as is espionage, as is subversion.
If the point was "there are no cyber-only wars", I don't believe it, but it's tenable (as is "there are no air only wars" - there is always ground support and/or ground effect). But that's not what the point of "carrot for those selling the stick" is. Whatever your definition of "war" is, several facts remain:
You can achieve kinetic, financial, and political effect using cyber only means; There is activity by nation states to use force in the cyber domain; Military organizations have already used cyber attacks in kinetic conflicts to help them achieve their aims against other military organizations.
You don't have to call any of these (or the sum of their implied possibilities) "cyberwar", but that doesn't mean the threats, vulnerabilities, or consequences are being hyped up either.
Computers have tangible effects on our culture, our economics, our politics, and our military. We all know this.
Computer systems are broken into regularly, we all know this (go google a list of known data breaches, for example).
"Someone" (for this purpose it doesnt matter who) has used code to manipulate physical controls of industrial equipment (possibly for politics/military reasons). We all can see this (see: Stuxnet)
Cyber attacks have their own logical benefits that don't really need proof, they exist by definition (can be executed, remotely, relatively difficult to attribute, can reach multiple geographically separate locations at once, etc).
So, to deny "cyber warfare" here is a lot like saying "I know the enemy can reach out assets this way, I know they can impact us this way, Ive seen lesser versions of it in action so I know it could work if there was political will....but I havent actually SEEN anyone use ballistic nuclear weapons so the threat must not be there".
(And this is assuming there isnt any evidence for it, which is itself debatable. But if you can prove the likelihood and possibility given the right motivations, the difference in position if there is/isnt evidence of it *currently* going on doesn't amount to much. Defensive and offensive pre-positioning should be the same.)
Ionno - No one gave a crap that I looked at Slashdot when I worked there. Good job taking a poorly worded bureaucratic ass-covering and attributing Dan Brown levels of +eleventy-billion conspiracy powers to it. And feel free to jump to my website, resume, art site, whatever for a pretty decent counter-example to your a$$-hattery here.
//God, some people, they do need babysitters and soft walls.