"The fact that DOD has moved to the point where it felt required to [conduct the policy review] is a step toward normalization and operationalization of cyberweapons," says Dan Kuehl, a professor of intelligence studies at Mercyhurst University and formerly at National Defense University. "If you've got a new bomb or a tank or a weapons system, there's a requirement to do a legal review of its usage – under the Law of Armed Conflict. With DOD having done that for cyber, it's a significant step toward normalization of cyber as a weapon we can actually use militarily."
Word that legal hurdles have been largely surmounted for cyberweapons comes amid a backdrop of daily reports of cyberespionage attacks on US businesses, government agencies, and the Pentagon – not to mention numerous recent statements of concern by the nation's military officials.
In a speech last fall, Secretary of Defense Leon Panetta warned of the potential for a "cyber 9/11" and urged tougher laws that would help protect US critical infrastructure like the power grid and water systems. Other current and former senior administration and Pentagon officials have echoed that concern – and say that the legal review is long past due.
"This legal review of cyberweapons has been far too slow, too lawyer-and-State Department-ridden," says Stewart Baker, a former assistant secretary at the Department of Homeland Security and now a partner at Steptoe & Johnson, a Washington law firm. "What we've needed is a faster process that allows us to actually come up with a strategy for actually winning a cyberconflict. But this is clearly a step in the right direction. It's clear that cyberweapons are going to be used. If so, then we need to be better at using them than our adversaries."