Though Stuxnet, Flame and other cyber weapons linked to the United States and Israel are the most advanced known examples of state-led cyber attacks, other methods of cyber warfare have already been used by governments around the world. These attacks needn’t be limited to highly consequential geopolitical issues; they can be deployed to harass a disliked fellow state with equal panache. Following a diplomatic fight in 2007 over the Estonian government’s decision to remove a Russian World War II memorial in its capital, Tallinn, a mass of prominent Estonian websites, including those of banks, newspapers and government institutions, were abruptly struck down by a distributed denial of service (DDoS) attack. Estonia is often called the most wired country on Earth, because almost every daily function of the state (and nearly all of its citizens) employs online services, including e-government, e-voting, e-banking and m-parking, which allows drivers to pay for their parking with a mobile device. Yet the country that gave the world Skype suddenly found itself paralyzed due to the efforts of a group of hackers. The systems came back online, and the Estonians immediately suspected their neighbor Russia—the Estonian foreign minister, Urmas Paet, accused the Kremlin directly—but proving culpability was not possible. NATO and European Commission experts were unable to find evidence of official Russian government involvement. (The Russians, for their part, denied the charges.)

Some questions that arise—Was it an act of cyber warfare? Would it be if the Kremlin hadn’t ordered it, but gave its blessing to the hackers who executed it?—remain unanswered. In the absence of attribution, victims of cyber attacks are left with little to go on, and perpetrators can remain safe from prosecution even if suspicion is heightened. (One year after the Estonian attacks, websites for the Georgian military and government were brought down by DDoS attacks, while the country was in a dispute with, you guessed it, Russia. The following year, Russian hackers targeted the Internet providers in Kyrgyzstan, shutting down 80 percent of the country’s bandwidth for days. Some believe the attacks were intended to curb the Kyrgyz opposition party, which has a relatively large Internet presence, while others contend that the impetus was a failed investment deal, in which Russia had tried to get Kyrgyzstan to shut down the U.S. military base it hosted.)

Then there is the example of Chinese cyber attacks on Google and other American companies over the past few years. Digital corporate espionage is a rowdy subcategory of cyber warfare, a relatively new phenomenon that in the future will have a severe impact on relations between states as well as national economies. Google finds its systems under attack from unknown digital assailants frequently, which is why it spends so much time and energy building the most secure network and protections possible for Google users. In late 2009, Google detected unusual traffic within its network and began to monitor the activity. (As in most cyber attacks, it was more valuable to our cyber-security experts to temporarily leave the compromised channels open so that we could watch them, rather than shut them down immediately.) What was discovered was a highly sophisticated industrial attack on Google’s intellectual property coming from China.

Over the course of Google’s investigation, it gathered sufficient evidence to know that the Chinese government or its agents were behind the attack. Beyond the technical clues, part of the attacks involved attempts to access and monitor the Gmail accounts of Chinese human-rights activists, as well as the accounts of advocates of human rights in China based in the United States and Europe. (These attacks were largely unsuccessful.) In the end, this attack—which targeted not only Google but dozens of other publicly listed companies—was among the driving factors in Google’s decision to alter its business position in China, resulting in the shutdown of its Google China operations, the end of self-censorship of Chinese Internet content, and the redirection of all incoming searches to Google in Hong Kong.

Today, only a small number of states have the capacity to launch large-scale cyber attacks—the lack of fast networks and technical talent holds others back—but in the future there will be dozens more participating, either offensively or defensively. Many people believe that a new arms race has already begun, with the United States, China, Russia, Israel and Iran, among others, investing heavily in stockpiling technological capabilities and maintaining a competitive edge. In 2009, around the same time that the Pentagon gave the directive to establish United States Cyber Command (USCYBERCOM), then secretary of defense Robert Gates declared cyberspace to be the “fifth domain” of military operations, alongside land, sea, air and space. Perhaps in the future the military might create the equivalent of the Army’s Delta Force for cyberspace, or we could see the establishment of a department of cyber war with a new cabinet secretary. If this sounds far-fetched, think back to the creation of the Department of Homeland Security as a response to 9/11. All it takes is one big national episode to spur tremendous action and resource allocation on the part of the government. Remember, it was the United Kingdom’s experience with Irish terrorism that led to the establishment of closed-circuit television (CCTV) cameras in every corner of London, a move that was welcomed by much of the populace. Of course, some raised concerns about their every move on the streets being filmed and stored, but in moments of national emergency, the hawks always prevail over the doves. Postcrisis security measures are extremely expensive, with states having to act quickly and go the extra mile to assuage the concerns of their population. Some cyber-security experts peg the cost of the new “cyber-industrial complex” somewhere between $80 billion and $150 billion annually.

Countries with strong engineering sectors like the United States have the human capital to build their virtual weapons “in-house,” but what of the states whose populations’ technical potential is underdeveloped? Earlier, we described a minerals-for-technology trade for governments looking to build surveillance states, and it stands to reason that this type of exchange will work equally well if those states’ attention turns toward its external enemies. Countries in Africa, Latin America and Central Asia will locate supplier nations whose technological investment can augment their own lackluster infrastructure. China and the United States will be the largest suppliers but by no means the only ones; government agencies and private companies from all over the world will compete to offer products and services to acquisitive nations. Most of these deals will occur without the knowledge of either country’s population, which will lead to some uncomfortable questions if the partnership is later exposed. A raid on the Egyptian state security building after the country’s 2011 revolution produced explosive copies of contracts with private outlets, including an obscure British firm that sold online spyware to the Mubarak regime.

For countries looking to develop their cyber-war capabilities, choosing a supplier nation will be an important decision, akin to agreeing to be in their “sphere of online influence.” Supplier nations will lobby hard to gain a foothold in emerging states, since investment buys influence. China has been remarkably successful in extending its footprint into Africa, trading technical assistance and large infrastructure projects for access to resources and consumer markets, in no small part due to China’s noninterference policy and low bids. Who, then, will those countries likely turn to when they decide to start building their cyber arsenal?