The Obama Administration and a number of congressional leaders have made preliminary moves to craft a strategy for defending the country's computer networks, but policymaking interest may outpace technical reality. As a nation, we want to be prepared for cyberwar, but we are a long way from having a cohesive game plan -- what the Pentagon calls doctrine -- for it.

There are four useful subcategories of cyber attacks: (1) attacks that knock systems offline; (2) ones in which information is stolen or (3) manipulated; and (4) attacks in which infrastructure is subverted to produce physical results. A massive denial of service attack, as happened in Estonia in 2007, falls into the first category. Digital theft, such as the reported purloined plans for the F-35 Joint Strike Fighter, fall into the second. These types of attacks happen all of the time and are launched by everybody from cyber gangs to the security services of nation states. Attacks of type 3 and 4 are rarer phenomena, and when they do occur they are generally heavily veiled in secrecy. Electronic subversion of an air defense network or the disruption of supervisory control and data acquisition (SCADA) systems are theoretical exemplars, but fully documented open cases of this sort are exceptionally rare.

But cyber attacks are growing more common across the board. The cyber security problem is gradually worsening -- more attacks, more lost data, more down time. There is no fully ratified international treaty on cybercrime -- the Council of Europe's 2001 Convention on Cybercrime is as close as it gets. So international harmony on what constitutes a criminal act in cyberspace is lacking. In addition, there is no treaty of any sort regarding cyber warfare. This means there are no rules governing whether a country can engage in military action against another country in retaliation for a cyber attack. Worse, because any Internet-connected computer is a potential weapon, the barriers to launching a cyber attack are low. Thus, when an attack does happen, the perpetrators may not be linked to any country, at least not in an official capacity. For example, in 2007, cyber attacks were launched against Estonia after the country's government moved a monument to the Great Patriotic War out of downtown Tallinn. The Russians made all sorts of menacing noises, but officially denied involvement.

This new domain of conflict scares many because, to paraphrase former U.S. Defense Secretary Donald Rumsfeld, there are many unknown unknowns. The only major infrastructure attack on record was launched by a malicious insider against an Australian resort town. A disgruntled programmer subverted the municipal waste water system his company designed and installed, triggering a massive sewage spill. This is a far cry, of course, from the sort of digital doomsday scenarios conjured in the Stephen King movie Maximum Overdrive.

In the international sphere, the cyber threat that is most often mentioned is China. Its military intelligentsia has written extensively on the topic of information warfare. While only the Politburo knows all the particulars, there may be in excess of 60,000 cyber warfighters in the PLA. How that manifests itself in measurable capability is anybody's guess, with best guesses coming from the U.S. National Security Agency. There are reports of al-Qaida building a cyber capability, but they likely remain far more interested in blowing things up and killing infidels. Most major powers have some sort of cyber capability, and many encourage the development of the hacker skill set at the grass roots level with various challenges and contests.

What can be done about the problem? Russia recently proposed an international treaty, but that would require signatories to state that they can prevent their citizens from engaging in cyber attacks. The U.S. State Department is pushing for more openness and collaboration in international law enforcement -- the harmonization of legal statutes, criminal processes, extradition policies, etc. Such steps would be useful for countering cybercrime, but would be of little use to prevent state-sponsored cyber operations. Could Russia ask Israel to turn over a Mossad operative who penetrated a Russian corporate or government network and made off with some information? Not likely. We may see an international regime on denial of service or infrastructure attacks, but probably not a ban on cyber espionage. Intelligence services will use the cyber tool whenever they can -- it likely will continue to grow more useful.

In Washington and beyond, policymakers must recognize a simple bottom line: We are in a globally interconnected world, and players will use information asymmetry to their gain whenever possible -- in the boardroom and the marketplace, in international negotiations and on the battlefield. That said, it is time for the world's diplomats and military doctrinaires to begin crafting broader agreement on desired rules. It is time for serious international dialog on this issue to enter a prolonged phase in which we strive to make the world's information networks less of an Achilles' heel and more robust, safe and survivable, by employing both technological innovation and political accommodation.

**Chris Bronk is a research fellow at Rice University's Baker Institute for Public Policy and an adjunct instructor of computer science at Rice. He previously served as a Foreign Service officer and was assigned to the State Department's Office of eDiplomacy.