01/11/2009 | The coming cyberwar

David Gewirtz

About this article: In addition to my job here at ZATZ, I'm also the Cyberterrorism Advisor for the International Association for Counterterrorism and Security Professionals and a columnist for The Journal of Counterterrorism and Homeland Security International. As you probably know, Russia has attacked Georgia (Tbilisi, not Atlanta) with tanks and troops. However, before the physical attack, there was a cyberattack against many of Georgia's online resources. First indications seemed to imply the cyberattack originated as a Russian offensive, while later analysis by some sources disputes that, claiming that "script kiddies" are behind the assault. I wrote the article you're about to read for the current issue of Counterterrorism. Given the timing of the Georgia attack, we felt it'd also be of interest to our Computing Unplugged and OutlookPower readers. Special thanks go to the editors of Counterterrorism for allowing us to reprint it here.

 

When it comes to a future cyberwar, the issue is no longer if it'll happen. Instead, the concern is when it'll happen, how bad it'll be, and how many attacks we'll have to withstand.

Cyberwar is inevitable. From the perspective of our enemies, waging a cyberwar is just too easy and too effective to ignore. Put bluntly, a cyberwar has an excellent ROI (Return on Investment).

Clausewitz observed, "War is a continuation of politics by other means." Information warfare -- a cyberwar, that is, war waged via computers and the Internet -- certainly can further a political agenda. What makes cyberwar such a potent threat, though, is its economic implications. Not only can a cyberwar damage enemies; unlike virtually every other war-fighting modality, a well-run cyberwar can also become a profit center through activities like organized identity theft.

When most people think of war (and, for that matter, terrorist attacks), they most often think of an outcome with physical destruction and loss of life. But war (and terrorism) is most often waged to meet a desired end, whether to gain territory, to reduce the strength of or distract an enemy, or simply to cause damage. Cyberwar can be used for these ends as well. It's just more subtle -- and therefore can be all the more effective.

Traditional war is more like a bullet to the chest. Cyberwar is like a cancer -- just as dangerous and deadly, but far more torturous over the long term. And like cancer, we've yet to find a cure for cyberwar.

Let's talk for a moment about how a cyberwar might play out. Let's game it.

We've seen some early attacks already. In May, the National Journal reported on a suspected Chinese cyberstrike in which, purportedly, "a 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected."

A full-on cyberattack is likely to begin with a distributed denial of service (DDoS) attack. A DDoS is a form of attack designed to bring computer systems and networks down by overwhelming them with a flood of data from many computers at once. The attacks on Georgia were DDoS attacks.

Unlike traditional war and even terrorism, cyberattacks aren't going to be initiated just by nation-states and entities with a political agenda. Individual companies and even just bored computer users are also going to be initiating devastating attacks.

One such attack occurred over the Memorial Day weekend and was aimed at a small Internet video broadcaster named "Revision3". These guys are the good guys. They create their own video programming about technology and culture, and make that programming available for download online. I've known some of their key people from other publications where I've worked and they're producing quality programming.

But they were attacked -- a full, premeditated, no-holds-barred attack -- by a company called MediaDefender. MediaDefender has had clients including Sony, Universal Music, and the central industry groups for both music and movies -- the RIAA and MPAA.

So why would MediaDefender initiate a denial of service attack against our friends at Revision3? It may have been a mistake. Revision3 distributes its totally legitimate programming through a totally legitimate network called BitTorrent. But BitTorrent is also used to distribute pirated movies and music. MediaDefender has made it their very shady business to initiate terrorist-like denial of service attacks against BitTorrent users.

There's no real reason for MediaDefender to attack Revision3, except that they've been scanning BitTorrent hosts and attacking them indiscriminately. The damage to Revision3 was subtle. There were no explosions and no deaths, as you'd see in a traditional terrorist attack. But Revision3 is a new, small company and relies on being able to distribute their programming. A few more attacks like this and Revision3 is out of business, with 20 or so families losing employment.

If someone blew up a company's headquarters, even if no one was on site at the time and the only result was that 20 people lost their jobs, it'd still be considered terrorism. Like I said, cyberwar is more subtle. It's hard to compare the attack on Revision3 to something like a car bomb. The fine folks over at Revision3 were simply shaken up. Their confidence was damaged, they spent a very stressful weekend, they exhausted themselves defending their property, and they lost business. But by any measure, that's an attack.

In a sense, MediaDefender is a faction in the coming cyberwar. They're the mercenaries, being paid by companies like Sony, Universal, BMG, and so forth to attack American citizens and American businesses. MediaDefender is based in Los Angeles, but Sony is a Japanese company. The BMG division of Bertelsmann is located in Tokyo, and parent company Bertelsmann AG is located in Gütersloh, Germany.

It is interesting, isn't it, that American interests and individuals are being attacked by an agent of German and Japanese enterprises? Nearly 70 years ago, we fought a bricks-and-bombs war with Germany and Japan. Now, we're defending ourselves against constant economic attacks from these same nations.

And that's also where cyberwar becomes a worrisome issue. Attacks aren't only going to come from digitally-capable terrorist organizations like al-Qa'idah and known nation-state enemies like Iran and North Korea, they're also going to come from countries with whom we're supposedly allied, and from other countries (like Belarus and the Ukraine) with whom we enjoy coldly warm relations.

Defending against cyberwar won't simply require defending against one very visible enemy. Defending against cyberwar will require defending against numerous visible and shadowy enemies, all across the world. Cyberwar is an ideal strategic and tactical platform for digital guerrillas, with small groups of attackers hiding behind the digital brush of spoofed IP addresses, switching Internet addresses and pathways the way Viet Cong moved from rice paddy to rice paddy.

Although cyberwar attacks will take many forms other than distributed denial of service attacks, one deserves particular mention: botnets. These things are nasty, because like cancer, they attack from within. They cause our own computers -- computers owned or operated by our friends, family, employers, employees, and even government servants and government agencies -- to turn against us.

Botnets are not completely distinct from denial of service attacks. In fact, one of the more devastating forms of DDoS is one which originates from a botnet. But botnets can also initiate other forms of attack, from injecting malware (attack software) and viruses (another form of attack software) to generating email spam and enabling identity theft.

Fundamentally, a botnet consists of a network of computers that have been compromised in some way. These computers, called zombies, are typically end-user machines running in offices and homes across the Internet. A user at the computer (someone like your mom or dad, your boss, or the kid from down the street) might have inadvertently accessed a questionable Web page, had open router ports, or run a malware email attachment. In any case, once compromised, the zombie computer is available to be commanded and controlled from the botnet's instigator (sometimes called a "botnet herder").

Botnets are particularly dangerous because they're massive force multipliers for an attacker. A botnet attack can be originated from a single computer which then goes on to infect a variety of zombie computers. Then those zombies propagate the infection -- and so on, and so on, and so on.

Lest you think this is more science fiction than fact, let me draw your attention to the Netherlands in 2005. Three young men, aged 19, 22, and 27, created a botnet intended to initiate a denial of service attack against a U.S. firm, steal identities, and distribute spyware. After several Internet service providers noticed unusual activity on their networks in October of that year, the Netherlands' Computer Emergency Response Team discovered that the botnet consisted of 1.5 million compromised computers, all working in tandem to attack U.S. systems and consumers.

To put this computing power into perspective, the fastest monolithic supercomputer ever recorded was the IBM Roadrunner at the Los Alamos National Laboratory, which on June 8, 2008 sustained a processing rate of 1.026 PFLOPS (or about 10 to the 15th power floating point operations a second).

In March 2008, Folding@home, a network of consumer-level PCs and PlayStation 3 game machines working together to understand protein folding and molecular dynamics, reached a sustained performance level of two PFLOPS (almost double that of the government's supercomputer) with approximately 300,000 active PCs.

With 300,000 consumer PCs and PlayStation 3 game machines, Folding@home essentially became the world's fastest legal supercomputer. Then again, our three young Netherlands men operated a computer network five times larger -- in effect, they had created a network with computational capacity at least five times greater than any supercomputer on the planet.

But just how accessible is the technology necessary to launch a botnet? It's almost as cheap as dirt. Let's say you're a smart kid living in Belarus. For as little as $314 -- about 663,000 Belarusian rubles, or about two weeks' salary for a city dweller -- you could buy a low-end PC capable of running the free Linux operating system. That one PC could easily initiate a botnet infestation that could propagate to thousands or millions of PCs.

What makes a botnet so terrifying is that it can initiate its attack from inside the firewall. Think of a firewall around your network the way you might a fence around your swimming pool. The fence is designed for privacy, and to prevent uninvited guests and stray animals from getting into your pool, but it's mostly intended to prevent your neighbors' kids from hurting themselves in your pool and protect you from the associated potential liability.

A firewall or router does the same general thing on the digital plane. It prevents outsiders from getting into your network, using your network for illegal activities, and accessing your private data. But while having a firewall is important, it can't protect you from yourself. Like the situation where you open your pool's fence to let the neighbor kid come in to swim, when you open an email attachment or visit an inappropriate Web site, you're often opening your network to attack.

And once a bot has gotten a foothold on a computer inside your network, it has free run of your network, and often free run to leave your network and attack other computers. This is a particular problem with workers who use laptops on open Internet connections, like at hotels and coffee bars. While the laptop is outside the firewall, it might be infected. Once it's brought back to work and plugged into the corporate network within the firewall, there's nothing stopping it from propagating infection throughout the entire, supposedly secured network.
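The two patterns the article has described so far, an inbound flood from many sources against one host (the DDoS) and an infected inside machine with "free run" to reach many outside hosts, both show up in ordinary flow records. The following is an added example, not code from the article, that screens a constructed set of NetFlow-style records for each pattern; the window, thresholds and the 10.0.0.0/8 internal range are assumptions a defender would tune for their own network.

```python
"""Screen flow records for an inbound flood and for internal fan-out."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not real traffic): (epoch seconds, src, dst, dst_port).
FLOWS = [
    (1000, "203.0.113.5", "192.0.2.10", 80),       # ordinary visitors
    (1001, "203.0.113.6", "192.0.2.10", 80),
    (1002, "198.51.100.7", "192.0.2.10", 443),
] + [
    # flood: 40 distinct sources hit 192.0.2.10 within five seconds
    (1100 + i % 5, f"198.51.100.{100 + i}", "192.0.2.10", 80) for i in range(40)
] + [
    # a compromised workstation reaching 25 external hosts on port 445
    (1200 + i, "10.0.0.42", f"203.0.113.{50 + i}", 445) for i in range(25)
] + [
    (1300, "10.0.0.7", "203.0.113.80", 443),       # normal outbound browsing
]


def inbound_flood(flows, window=10, min_sources=20):
    """Return {dst: peak distinct-source count} for destinations that are hit
    by at least `min_sources` distinct sources inside any `window` seconds."""
    by_dst = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_dst[dst].append((ts, src))
    hits = {}
    for dst, events in by_dst.items():
        events.sort()                      # order by timestamp
        peak = 0
        for i, (t0, _) in enumerate(events):
            # distinct sources seen in the window starting at this event
            srcs = {s for t, s in events[i:] if t - t0 < window}
            peak = max(peak, len(srcs))
        if peak >= min_sources:
            hits[dst] = peak
    return hits


def internal_fanout(flows, internal=ip_network("10.0.0.0/8"), min_targets=10):
    """Return {src: distinct external dst count} for internal hosts that
    contact at least `min_targets` distinct hosts outside `internal`."""
    targets = defaultdict(set)
    for _, src, dst, _ in flows:
        if ip_address(src) in internal and ip_address(dst) not in internal:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    print("inbound flood:", inbound_flood(FLOWS))      # {'192.0.2.10': 40}
    print("internal fan-out:", internal_fanout(FLOWS))  # {'10.0.0.42': 25}
```

The inbound check is the one a DDoS leaves in the logs of the victim; the fan-out check is the one that catches the returning laptop the paragraph above describes, since a flood it launches is outbound and will never trip the first rule.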

I've only talked about two tactics in a cyberwar attack: a distributed denial of service attack and the use of botnets. There are many other attack vectors our enemies can use including buffer overflows, dangling pointers, format string bugs, shell meta-character exploits, SQL injection, code injection, directory traversal, time-of-check-to-time-of-use bugs, symlink races, cross-site scripting and cross-site request forgery in Web applications, privilege escalation, and more.

So far, we've discussed the economic damage a cyberattack can wreak upon us. But there's the potential of physical damage as well. More and more of our critical systems rely on computing technology and more and more of that technology has an Internet connection -- effectively linking everything to the bad guys with mere milliseconds in traversal time.

The Airbus Concurrent Engineering system uses PTC's Internet-enabled software and maintenance services on all existing aircraft programs. Imagine what could happen if the maintenance records were tampered with by an intruder.

This stuff is real. In 2006, a hacker took control of the University of Washington Medical Center's internal network and downloaded admissions records for 4,000 heart patients. The hacker gained entrance through a Linux system running in the hospital's pathology department. The attacker claims he only downloaded the records, but imagine the damage that could have been done had he changed records, modifying medications or dosages. At that point, lives hang in the balance.

In 2007, an attack against the office of the U.S. Secretary of Defense penetrated the network and managed to steal sensitive U.S. defense information. In 2006, Jeanson James Ancheta performed distributed denial of service and hacking attacks against the Naval Air Warfare Center in China Lake and the Defense Information Systems Agency.

And in May, 2008, the General Accounting Office of the United States Government issued a report decrying the Tennessee Valley Authority's cyber-security. The TVA operates 11 coal-fired fossil plants, 8 combustion turbine plants, 3 nuclear plants, and a hydroelectric system that includes 29 hydroelectric dams and one pumped storage facility in the southeast U.S. The TVA is the nation's largest public power company.

According to testimony before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives, the TVA did not fully implement appropriate security practices to secure the control systems used to operate its critical infrastructures. It's almost mind-boggling to consider the sort of critical infrastructure damage and threat to public safety a cyberattack could cause were it to compromise any of the TVA's facilities.

When it comes to cyberwar, we're fighting on a virtually unlimited number of fronts, against some of our own resources turned against us. We're fighting against massive weapons systems built by our enemies from readily available consumer products that are easily accessible and affordable. According to CNN, the U.S. spent a minimum of $5,821 billion on nuclear weapons programs from 1940 to 1996. While a cyberattack is unlikely to cause the loss of life of a hydrogen bomb, our enemies need to spend merely $314 to deploy a weapons system that may have an even greater reach than a nuclear warhead in terms of overall infrastructure and economic damage.

At the beginning of this article, I said cyberwar was inevitable because of the low barrier to entry and the very high yield. I've shown that the enemy combatants in a cyberwar will constitute far more than just identifiable nation states and will include for-profit businesses, very bright children, and terrorists with many different agendas. I showed how the weapons systems used will consist of incredibly cheap consumer personal computers and even video game consoles.

I showed how attacks will come not only from outside our borders, but from legions of zombie computers attacking us from within our own homes and offices. And I've shown how cyberwar attacks can damage us economically as well as wreak havoc with our critical infrastructure services.

But what can we do about it? How can we defend ourselves? Can we defend ourselves?

Quite honestly, I despair of giving you good news. Nearly all cyberattacks rely on exploiting an inherent vulnerability or sloppiness in our internal security. But because attacks can be perpetrated through our own poorly informed citizenry and because of the high level of knowledge necessary to insulate our systems from attack, there can be no doubt about the inevitable conclusion:

Cyberwar is coming.

Nota bene: We can take some steps to protect ourselves. Simple actions like updating virus definitions regularly, installing operating system updates, and never opening email attachments can help. Upgraded versions of operating systems more and more aware of vulnerabilities will also, over time, reduce some of our exposure. And consumer education, encouraging a higher level of understanding about computer security, can reduce our overall vulnerability by some percentage.

The Journal of Counterterrorism and Security International is published by The International Association for Counterterrorism and Security Professionals (IACSP). With offices in the United States of America, South Africa, South America, The United Kingdom, and Australia, the IACSP is the only professional organization with a strong and growing membership base of security professionals actively working to combat worldwide terrorism.

For more than 20 years, David Gewirtz, the author of Where Have All The Emails Gone? and The Flexible Enterprise, has analyzed current, historical, and emerging issues relating to technology, competitiveness, and policy. David is the Editor-in-Chief of the ZATZ magazines, is the Cyberterrorism Advisor for the International Association for Counterterrorism and Security Professionals, and is a member of the instructional faculty at the University of California, Berkeley extension. He can be reached at david@zatz.com and you can follow him at http://www.twitter.com/DavidGewirtz.

The Journal of Counterterrorism and Homeland Security International (United States)
