"In the very near future, many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers . . . . This means that a small force of hackers is stronger than the multi thousand force of the current armed forces."

- Former Duma member Nikolai Kuryanovich1

On 19 July 2008 an Internet security firm reported a distributed denial of service (DDoS) cyber attack against Web sites in the country of Georgia.2 Three weeks later, on 8 August, security experts observed a second, more substantial round of DDoS attacks against Georgian Web sites. Analysts noted that these additional DDoS attacks appeared to coincide with the movement of Russian troops into South Ossetia in response to Georgian military operations launched a day earlier in the region. By 10 August the DDoS attacks had rendered most Georgian governmental Web sites inoperative.3

As a result of these attacks, the Georgian government found itself cyber-locked, barely able to communicate on the Internet. In response, the government took the unorthodox step of seeking cyber refuge in the United States. Without first obtaining US government approval, Georgia relocated critical official Internet assets to the United States, Estonia, and Poland.4

Georgian-Russian hostilities in South Ossetia have generated a substantial amount of analysis and speculation regarding the accompanying cyber conflict.5 Most of the focus has centered on identifying the parties who conducted the cyber attacks. The Georgian cyber event provides an intriguing opportunity to examine a more subtle and perhaps overlooked aspect of cyber conflict-the concept of cyber neutrality. The Georgian case raises two fundamental questions: (1) How did the combined actions of the Georgian government and US information technology (IT) companies impact American status as a cyber neutral? (2) Can the United States remain neutral (or cyber neutral) during a cyber conflict?

The underlying implications of the overall issue should be of great concern to US policymakers and strategists. Even if the United States is not a belligerent in a cyber conflict, incursions against the US Internet infrastructure are likely. Private industry owns and operates the majority of the Internet system. During a cyber conflict, the unregulated actions of third-party actors have the potential of unintentionally impacting US...