MIKE PESCA:

This week President Obama signed executive orders that set down the rules of war for cyber attacks. The new Pentagon guidelines are similar to those that govern the use of other weapons of war, like nuclear bombs and drone attacks.

Jim Lewis is a director at the Bipartisan Center for Strategic and International Studies. He says that while the actual threat of cyber warfare has been widely exaggerated, many countries around the world are adopting policies to combat such attacks.

JIM LEWIS:

We just did a survey at CSIS that found about 35 countries are developing military doctrine for cyber attack, and part of that doctrine  will be taking out other computers. What the Pentagon won’t be doing is they won't be taking out computers in the United States, and they won’t be taking out computers that belong to criminals or spies.

MIKE PESCA:

So do these new guidelines actually preclude the United States from doing anything?

JIM LEWIS:

Not at all.

[MIKE LAUGHS]

Hopefully they make it clear to our opponents, if you do an attack that causes physical damage or that hurts Americans, we will respond with military force. And that's a useful thing to let people know.

MIKE PESCA:

So the guidelines are as much about what the United States won't do, as what will constitute a cyber attack on the United States?

JIM LEWIS:

Yeah, it’s more to lay out for the world how we're thinking about this in military terms. And DOT has put a lot of effort into this over the last few years. They call it a new domain for warfare. But when they say that, what they mean is this is another way to fight, and it's subject to the same rules we apply to any other kind of weapons system.

What this lets us do is it helps us prepare, 1) for upcoming negotiations in the U.N., where people want to talk about what are the rules for cyber warfare. And it helps us work with our allies and partner countries to say, what are the things that we want to cooperate on,  what are the messages we want to send to potential opponents.

And finally, it let's talk to potential opponents. It lets us both warn them, don't do this or there’ll be big trouble. And it lets us say maybe we can sit down and talk. And DOD and State and other agencies have been making a real effort to engage both China and Russia to get cyber warfare under control.

MIKE PESCA:

You mention the U.N. Is the momentum internationally to have more restrictive rules about what superpowers can and can’t do in cyberspace?

JIM LEWIS:

It's really interesting. And there's been one big change. Most countries are afraid of cyber warfare. That's good. When everyone has a shared fear, there's a place to negotiate. But until recently most countries, when you asked them what nation do you fear most in cyberspace, they said the United States.

We did the poll again recently and the numbers had changed. China and Russia were in first place. And people still are concerned about cyber command, they’d still like rules for cyber warfare, but they're no longer as afraid of the U.S. as they once were.

MIKE PESCA:

The cyber attacks that you say actually have happened, including Stuxnet, what - what exactly was Stuxnet? Remind us.

JIM LEWIS:

Stuxnet was really cool. Somebody did a great job. They did a tremendous amount of intelligence work to figure out what control system ran the Iranian centrifuges that were making uranium for their nuclear weapons. The centrifuges were connected to control devices, sort of simple computers.

And someone found a way to penetrate these Iranian computers, which were supposedly insulated from the Internet, to create a virus that went in and caused them to go out of control and self destruct. They had a virus that went around the world searching for Iranian centrifuges. Many countries were infected, but the only place where there was damage was Iran.

So it was the most sophisticated cyber attack we've seen. And, fortunately for right now, only four or five countries can do this kind of thing.

MIKE PESCA:

Did it really set back Iranian nuclear capabilities?

JIM LEWIS:

That's what we're told. Really, the debate was over should we have an air strike or should we use this more clandestine means. And this was infinitely better. No civilian casualties, no pictures of burning buildings on television. But that's where at least one country, Israel, was beginning to think - they're getting too close, maybe we should do something hard to them.

And we all have suspects. I mean, Israel and the U.S. are the leads suspects. There are other countries that could have done it, as well. But this was a military action that was very effective.

MIKE PESCA:

The way you characterize Stuxnet –

JIM LEWIS:

Yeah –

MIKE PESCA:

- that actually strikes me as a little bit different from a lot of the coverage, which is to worry about what does this mean for the future of worms and cyber warfare. But, if you look at it, like you did, this is a lot better than sending a B2 bomber –

JIM LEWIS:

[LAUGHS] Yeah. You know, the problem is that we tend to call everything a cyber attack, so a group of bored teenagers go after VISA’s public website, that's a cyber attack.

Well no, it’s not a cyber attack. Cyber attacks are really hard. What I worry about is when the capability to launch these sophisticated attacks becomes more readily available and when you see countries like Iran itself or North Korea or groups like al-Qaeda, when they get these capabilities, we're gonna have a big problem.

But right now it's just the top of the league that can do this, and it takes a lot of effort, a lot of time and a lot of money.

MIKE PESCA:

All right. Thanks a lot.

JIM LEWIS:

[LAUGHS] Hey, thank you.

MIKE PESCA:

Jim Lewis is a director at the Center for Strategic and International Studies.