"Cyberwar" and "cyberweapons" are fiction. The conflicts between nation states in cyberspace are nothing like warfare, and the tools hackers use are nothing like weapons. Putting "cyber" in front of something is just a way for people to grasp technical concepts; the analogies quickly break down, and are useless when taken too far (such as a "cyber disarmament treaty"). Unfortunately, it's the clueless people who believe in these analogies who are driving national policy.
What makes special forces (like the Green Berets or Navy SEALs) so much better than the average soldier? Is it better weapons? No, it's better training. These guys are trained to kill you with their hands, or with a knife, or with anything that's available. The same is true of hackers: all we need is some crappy computer and a network connection, and we can hack into anything. (During a "pen-test", I've had my finger on the "off" switch for an entire country's power grid from a mobile phone.)
Hacking is very technical, so we use analogies to explain how it works. The thing to remember is that these are just analogies. Any conclusions you might draw from the analogies could be wrong.
But then somebody comes to you with a better idea: he has a trained dog that can sniff out secret tunnels. You send the dog out, it finds a tunnel, your soldiers sneak in through it, and they take control of the castle.
So, the next time you attack a castle, you send the dog out to find tunnels. However, the dog comes back without finding anything. Therefore, you conclude, you need a bigger dog: the "dog" is analogous to a "catapult", and if a bigger catapult does its job better, so must a bigger dog. (I'm assuming at this point the reader understands the foolishness of this reasoning: the size of the dog is irrelevant, because a tunnel either exists or it doesn't.)
The same is true of "cyberweapons", an analogy used to describe tools like "exploits". An "exploit" is a program that you aim at another computer in order to take control of it, by triggering a specific programming bug in the software that computer runs. Most people in our military think that if an exploit doesn't work against a well-defended computer, then you need a more "powerful" exploit. This is wrong, in exactly the same way that a "bigger dog" won't help: if the target doesn't have that particular bug (because it runs different software, or the bug has been patched), the exploit does nothing, no matter how "powerful" it is. (Like finding secret tunnels to sneak into castles, hackers find programming bugs, then exploit them to sneak into computers.)
This is why the military will never understand cyberspace. Their idea of attack and defense is based on "brute force": just throw more resources at the problem, such as bigger bombs, more soldiers, higher-tech airplanes. Defeating enemies in cyberspace is different: it means outsmarting them, and the military doesn't do smart.
Moreover, the military is very goal driven. They want weapons that have a specific effect. That's not how hacking works. Hacking is opportunistic: you exploit whatever bugs happen to exist, not the ones you wish existed. For example, let's say that you want to attack Iran. You might give your cyberwarriors the task of taking out their radar. That's not something the cyberwarriors can promise to do: chances are good that the exploits they have will have no effect on Iranian radar computers.
This is why a nation's army will not be involved in a true "cyberwar": hacking just doesn't fit into the military model.
It's also why China and Russia are winning a cyberwar against the United States: because it's not their armies conducting the war.
Totalitarian governments, like China, Russia, or Iran, need dirty work done, but without getting caught. They need "plausible deniability". Unfortunately, this is essentially impossible: you really can't have big conspiracies without leaking information.
Instead, they rely on youth groups like the "Nashi" in Russia or the "Basij" in Iran. These groups are sympathetic to the government, but not technically under its control. They love their national government, and tend to do the things the government would want, without being told.
Thus, when journalists in Russia say something critical of the government, they are beaten up (or murdered) by the Nashi. The government never tells the Nashi to beat anybody up; it just happens. At most, the government will instruct the police not to investigate the crimes too thoroughly. As a result, Russia is one of the most dangerous countries for journalists, but without any national policy to kill journalists.
The problem with these youth groups is that, since they aren't controlled by the central government, they don't always get the right results. Sometimes the wrong people are killed, or the right journalists are ignored. That's the price the government pays to keep its hands clean.
The basic truth of the cybersecurity business is that you don't have to build products/services that outwit hackers; you only have to outwit your customers. As long as you know a tiny bit more about hacking than your customers, they will buy anything from you. I'm seeing that a lot lately, such as the recent case of Booz Allen hyping fictional stories about the power grid in order to secure a $34-million contract from the government. Another example is the "Center for Strategic and International Studies" (CSIS). It's a lobbying organization that produced a document that has become the blueprint for cybersecurity regulation that threatens our liberties in cyberspace. This sort of cluelessness is a bigger danger to cyberspace than Russian hackers.
Gen. Alexander gave a speech at CSIS recently. I don't know what to make of it. On one hand, he said things that demonstrate cluelessness, but on the other hand, he said things that demonstrate competence with the subject. Generals tend to be geniuses, so I would be a fool to assume Gen. Alexander is clueless; I'll have to assume he was simplifying things for a clueless audience. I'm worried nonetheless.
So, to summarize, the idea of nation states waging cyberwar with powerful cyberweapons is utter fiction. It's an analogy we might use to describe some things, but it's not what really goes on in cyberspace. The conflicts between nation states in cyberspace are nothing like warfare, and the tools hackers use are nothing like weapons. However, this fiction is what is driving national policy, and that worries me a lot. I feel this cluelessness is a bigger danger to cyberspace than foreign hackers.
UPDATE: I just thought of another way to describe this: The military tries to make cyber fit within normal military practices, rather than changing military practices to fit in cyberspace.
BIO: The author of this blog post invented the "intrusion prevention system", a popular product for defending against attack. The author has done many "penetration tests", hacking into networks (for hire) in order to discover weaknesses. The author has created many tools that are part of pen-test/hacking toolkits. The author has reverse engineered code, discovered vulnerabilities, and written exploit shellcode.