In a previous post, I commented on the apparent desire of U.S. Cyber Command to develop "loud" cyber weapons, that is, weapons whose use could be easily attributable. But further conversation with various people suggest one additional wrinkle important enough to warrant a separate posting here (rather than just updating the original article).
a birthday gift!
Specifically, it seems important to distinguish between self-attributing cyber weapons and cyber weapons used in self-attributable cyber attack. The former can be used—and attributed—without further action on the part of the United States. Indeed, a self-attributing weapon in the kinetic world—one with the Stars and Stripes painted on it—can be recognized as a US missile or airplane by anyone who happens to see it. In other words, attribution in this case (better known as "taking credit for the attack") is passive on the part of the United States.
But most cyberattacks deliberately launched by Nation A against Nation B could only be attributed to A if A calls B and provides details that only the attacker could have known. In this instance, the technical requirement for cyber weapons used in such attacks would be easier to meet—the weapons only have to be discoverable given sufficient information provided by A to B over the telephone. This is what I described above as a self-attributable attack.
Since Cyber Command clearly knows these points better than I do, the interesting question is this: What are the strategic circumstances in which self-attributing cyber weapons are potentially useful?
Send me your thoughts!