Defense Secretary Gates has announced that he wants offensive cyber warfare capability.
It's not going to work. Hacking is "asymmetric" warfare. The military is trying to shoehorn it into traditional "symmetric" warfare.
Hacking doesn't work the way it's portrayed in the movies. In the movie Swordfish, the villain puts the hero in front of a computer open to a website, puts a gun to the hero's head, and tells the hero to hack into the website in 60 seconds "or else". That's not the way hacking works, the best hackers in the world could not do that.
However, you could tell a good hacker to break into any website in 60 seconds. In hacking, it's difficult accomplishing a specific, narrowly defined goal. The broader the range of goals, the more likely the hacker will succeed at one of them.
What the military wants is a hacker squad that they can give a specific objective, and have the hackers carry out that objective within a specific timeframe. For example, they might tell hackers to take out Iran's radar at midnight so that fighter jets can enter their airspace a few minutes later to bomb their nuclear plants. That's not going to work.
What you could do is tell hackers to go after Iran and do whatever they can to disrupt their nuclear developments. One hacker might find a way to shut down safety controls and cause a nuclear meltdown, another might jam the centrifuges, another might change the firmware on measuring equipment to incorrect measure the concentration of U238.
Or, you could give the hackers six months to infiltrate Iran's computers, then come back with a list of options. Maybe disabling the radar system will be one of them, maybe not. But that's not the sort of thing the military is tasked to do - that's more an intelligence operation the CIA would be doing.
I use this scenario as an example because something similar happened in the first Iraq war in 1990, where our "hackers" were able to disable their radar by hacking into their phone network. This happened because of circumstance and luck, not because it was a carefully laid out plan to disable their radar that way.
China and Russia understand this. They don't directly employ hackers or tell the hackers to accomplish certain goals. They let the hackers have free range to do whatever they want. If the hackers come across something interesting, such as plans for the Joint Strike Fighter, the government buys it, but no government official ever told the hackers specifically to steal those plans.
The reason China and Russia can do this is because that's already the way totalitarian regimes work. A good example is the Russian "Nashi" organization. This is a militant, nationalistic youth group encouraged by the government. Among the things these thugs do is beat up journalists critical of the central government. They also show up at anti-government demonstrations to rough up the demonstrators. In this way, the government gets what it wants (suppressing dissent) without having to do the dirty work itself.
I mention the Nashi because it appears that youths affiliated with that group were also responsible for some of the cyber attacks against Estonia in that dispute in 2007. It is probable that no Russian government official directed the attacks - that's the entire point. By encouraging nationalistic groups, things like this happen without the government having to direct anything.
There are problems with this technique. Sometimes the youth groups don't do enough, sometimes they get out of hand. China props up Japan as their primary adversary, and last year, riots demonstrating against Japan got out of hand, and the Chinese government had to back down on their anti-Japan rhetoric. Whatever the costs, though, it allows the government to keep their hands clean.
So how can the United States get in on this sort of asymmetric warfare action?
The first thing is that you have to stoke some sort of nationalism in the way that Russia and China do. I'm not sure this is in our character (especially under the current president), however, so we'd probably have to find some alternative. Instead of pro-USA nationalism we could instead focus on human rights activism. The government could spend a lot of time talking to the press about the sorts of human rights abuses that go on in Russia and China. Get our own USA hackers thinking about human rights as their own causus belli.
The second thing they need to do is create a climate where our own hackers can operate. I would gladly hack into Iranian computers, but I'm not sure how this fits into US law. (I don't mind breaking Iranian law, but I'm a stickler as far as US law is concerned).
This would be similar to the "letters of mark and reprisal" used by governments during the 1700s. In those days, national navies were too small to patrol the entire ocean. Therefore, governments licensed privateers to prey upon a hostile nation's shipping. The privateers kept half the booty, and gave the other half to their respective government. This is essentially what China and Russia have done.
A third thing our military would need to do is train our hackers in the target language. Foreign hackers usually learn English, but American hackers rarely learn foreign languages, especially Russian, Chinese, or Farsi (Iranian). If we want to encourage our hackers to go after those countries in the same way they come after us, we need to encourage them to learn those languages. The military runs an excellent school in Monterey. They should recruit people at conferences like Defcon to take their language aptitude tests (right there at the conference), and for hackers who score well, pay them to attend their 6-month high-intensity language courses.
The fourth thing our military would need to do is fix their horrid purchasing processes. I experienced this when selling BlackICE to the military: it almost cost us more going through the byzantine purchase process than we got in money from the purchase. Let's say that you found a robustly exploitable Windows server vulnerability. It's worth $100,000 to our military. There is no way they could buy it. If you tried selling it to them, it would cost you more than $100,000 to go through their obstacles.
Note that I think the individuals who run our military are very, very smart. I've met several generals and colonels who understand this. The problem is that while individuals are smart, the organization is dumb as a rock. The organization crushes precisely the sort of creative thinking need to have a successful "cyber" offensive capability.