It’s fair to say that we’re already living in an age of state-led cyber war, even if most of us aren’t aware of it. Right now, the government of a foreign country could be hacking into your government’s databases, crashing its servers or monitoring its conversations. To outside observers, our current stage of cyber war might seem benign (indeed, some might contend that it’s not really “war” anyway, as per the classical Clausewitzian framework of “war as a continuation of policy by other means”). Government-backed engineers might be trying to infiltrate or shut down the information systems of companies and institutions in other countries, but no one is getting killed or wounded. We’ve seen so little spillage of these cyber wars into the physical world that for civilians, a cyber attack seems more an inconvenience than a threat, like an attack of the common cold.
But those who underestimate the threat of cyber war do so at their peril. While not all the hype surrounding cyber war is justified, the risks are real. Cyber attacks are occurring with greater frequency and more precision with each passing year. The increasing entwining of our lives with digital-information systems leaves us more vulnerable with each click. And as many more countries come online in the near future, those vulnerabilities will only expand and become more complicated.
A cyber attack might be the state’s perfect weapon: powerful, customizable and anonymous. Tactics like hacking, deploying computer worms or Trojan horses and other forms of virtual espionage present states with more reach and more cover than they would have with traditional weapons or intelligence operations. The evidence trails they leave are cold, providing perpetrators with effective camouflage and severely limiting the response capability of the victims. Even if an attack could be traced back to a particular region or town, identifying the responsible parties is nearly impossible. How can a country determine an appropriate response if it can’t prove culpability? According to Craig Mundie, Microsoft’s chief research and strategy officer and a leading thinker in Internet security, the lack of attribution—one of our familiar themes—makes this a war conducted in the dark, because “it’s just much harder to know who took the shot at you.” Mundie calls cyber-espionage tactics “weapons of mass disruption.” “Their proliferation will be much faster, making this a much stealthier kind of conflict than has classically been determined as warfare,” he said.
States will do things to each other online that would be too provocative to do off-line, allowing conflicts to play out in the virtual battleground while all else remains calm. The promise of near-airtight anonymity will make cyber attacks an attractive option for countries that don’t want to appear overtly aggressive but remain committed to undermining their enemies. Until the world’s technical experts get better at determining the origin of cyber attacks and the law is able to hold perpetrators to account, many more states will join in on the activities we see today. Blocks of states that are already gaining connectivity and technical capacity, in Latin America, Southeast Asia and the Middle East, will begin launching their own cyber attacks soon, if only to test the waters. Even those who lack indigenous technical skills (e.g., local engineers and hackers) will find ways to get the tools they need.
Let’s consider a few recent examples to better illustrate the universe of cyber warfare. Perhaps the most famous is the Stuxnet worm, which was discovered in 2010 and was considered the most sophisticated piece of malware ever revealed, until a virus known as Flame, discovered in 2012, claimed that title. Designed to target a particular type of industrial control system whose supervisory software ran on the Windows operating system, Stuxnet was discovered to have infiltrated the control systems of Iran’s Natanz nuclear-enrichment facility. It caused the centrifuges to abruptly speed up or slow down to the point of self-destruction while hiding the change from operators: the worm fed the monitoring system recorded readings of normal operation, so no alarm fired. Because the Iranian systems were not connected to the Internet, the worm must have been carried in directly, perhaps unwittingly introduced by a Natanz employee on a USB flash drive. The Windows vulnerabilities it used were subsequently patched, but not before the worm had done some damage to the Iranian nuclear effort, as the Iranian president, Mahmoud Ahmadinejad, admitted.
Initial efforts to locate the creators of the worm were inconclusive, though most believed that its target and level of sophistication pointed to a state-backed effort. Among other reasons, security analysts unpacking the worm (their efforts made possible because Stuxnet had escaped “into the wild”—that is, beyond the Natanz plant) noticed specific references to dates and biblical stories in the code that would be highly symbolic to Israelis. (Others argued that the indicators were far too obvious, and thus false flags.) The resources involved also suggested government production: Experts thought the worm was written by as many as thirty people over several months. And it used an unprecedented number of “zero-day” exploits, attacks that take advantage of vulnerabilities (security holes) unknown to the software’s maker (in this case Microsoft, for the Windows operating system) until the attack is discovered, leaving the maker zero days to prepare a fix. The discovery of even one zero-day exploit in the wild is considered a rare event, and the details of such a vulnerability can sell for hundreds of thousands of dollars on the black market, so security analysts were stunned to find that an early variant of Stuxnet took advantage of five.
Sure enough, it was revealed in June 2012 that not one but two governments were behind the deployment of the Stuxnet worm. Unnamed Obama administration officials confirmed to the New York Times journalist David E. Sanger that Stuxnet was a joint U.S. and Israeli project designed to stall and disrupt the suspected Iranian nuclear-weapons program. Initially green-lit under President George W. Bush, the initiative, code-named Olympic Games, was carried into the next administration and in fact accelerated by President Obama, who personally authorized successive deployments of this cyber weapon. After building the malware and testing it on functioning replicas of the Natanz plant built in the United States—and discovering that it could, in fact, cause the centrifuges to break apart—the U.S. government approved the worm for deployment. The significance of this step was not lost on American officials. As Michael V. Hayden, the former CIA director, told Sanger, “Previous cyberattacks had effects limited to other computers. This is the first attack of a major nature in which a cyberattack was used to effect physical destruction. Somebody crossed the Rubicon.”
When the Flame virus was discovered two years later, initial reports from security experts suggested that it was unconnected to Stuxnet; it was much larger, used a different programming language and operated differently, focusing on covert data-gathering instead of targeting centrifuges. It was also older—analysts found that Flame had been in existence for at least four years by the time they discovered it, which means it predated the Stuxnet worm. And Sanger reported that American officials denied that Flame was part of the Olympic Games project. Yet less than a month after the public revelations about these cyber weapons, security experts at Kaspersky Lab, a large Russian computer-security company with international credibility, concluded that the two teams that developed Stuxnet and Flame did, at an early stage, collaborate. They identified a particular module, known as Resource 207, in an early version of the Stuxnet worm that clearly shares code with Flame. “It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going,” a senior Kaspersky researcher explained. “The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together.”