And what would a proof-of-concept demonstration for an information warfare weapon look like? Possibly a lot like the computer virus attacks the Internet has experienced in recent years. I suspect that some of these electronic attacks were actually the results of deliberate tests for a future attack that could have truly dire consequences.

To understand my alarm, you need to understand the anatomy of computer viruses and their cousins, worms. Most of these hostile programs have three parts. The first, the “exploit,” is the technique the virus or worm uses to break into systems. Most exploits take advantage of a known security flaw—for example, the classic “buffer overflow,” in which an excess of incoming data corrupts the information already stored in memory. The second part, the “propagation engine,” is the code that targets computers for attack. And the third, the “payload,” does the actual damage.

Viewed through this morphology, the major worms that have disabled computers on the Internet—Code Red, Nimda, Klez, and, most recently, Slammer—share a disturbing similarity. Each one employed a novel—and extremely effective—propagation engine. But for exploits, all these worms have used security vulnerabilities that had been previously identified. And as for the payload: all were duds. Even though each gained so-called administrative privileges to alter the systems they infected, none used its privileges to cause mayhem.

Sure, they did some harm. But in nearly every case, the damage was caused by the propagation itself—as if a burglar systematically were to break windows, enter every house on the block, and steal nothing. An actual payload could scramble financial data, erase operating systems, and ruin motherboards by wiping out the contents of their programmable chips.

Fred Cohen, a computer security researcher who has been studying malicious programs for two decades (and who is credited with coining the term virus), doubts that the worms we have seen are the work of government-run information-warfare labs. But he concedes that smaller labs or solo operators—possibly renegade operations in China or independent outfits looking to sell their services—might have released weakened versions of their worms into the wild as tests. The U.S. military set a sort of precedent in the 1960s when it tested “simulant” germ-warfare agents in the New York City subway and off the coast of San Francisco. And it is widely believed that the original Microsoft Word macro virus, auspiciously named Concept, was written as a proof-of-concept test by a programmer at Microsoft and was inadvertently released on discs at a developers’ conference.

Speculation about the origin of these worms has taken on more relevance since last summer, when President Bush reportedly signed an order directing the U.S. government to develop guidelines for launching a cyberattack against enemy computer networks. Before that order, my friends in the military were saying that the United States would never consider conducting an offensive information-warfare campaign: as the nation with the most computers, we have the most to lose. But now our government is in the process of legitimizing cybernetic warfare.

I’m worried. Today’s lame computer worms, even with well-known exploits and dummy payloads, have shut down corporate and government networks. A determined enemy would target a new exploit with a really nasty payload. The proof that time could be a hundred billion dollars in damage.