It started with a single infected USB flash drive delivering targeted malware to US military and intelligence systems and has ended up launching the latest major rethink of US cybersecurity.

According to an account offered recently by US Deputy Secretary of Defense, William J. Lynn III, in 2008 a data-stealing program was able to infect classified systems after unwittingly being introduced by a single drive inserted into a laptop in the Middle East.

On detecting the attack, the US military banned USB flash drives and other removable media, which attracted some unwanted publicity at the time. The USB stick ban has since been lifted in some areas.

How it took such an obvious attack to alert the Pentagon to the threat posed by portable media is a mystery. Twenty years ago, the virus phenomenon first took off by infecting floppy disc boot sectors, which is basically the exact same idea dressed for the pre-Internet world.

The foreign agency behind the attack has never been named but Russia remains the main suspect, which sounds like an important detail until you read that the Pentagon believes it is also being targeted in different ways by up to 100 countries, which is more or less every country going, including its allies.

This is where the suggested new strategy, dubbed ‘Cyberstrategy 3.0’ in Pentagon-speak, raises a few questions, which are thoughtfully summarised by Washington Post writer David Ignatius in a recent article.

The problem with cybersecurity strategies is knowing where to start - and where to stop.

Identifying important military and civilian assets worthy of protection sounds easy, but what about the supply chain of companies used by the military? Cyberstrategy 3.0 has wisely extended its protection to them, but that still leaves large numbers of other private companies and, of course, private citizens, operating in the DMZ.

“In the debate about cyberstrategy, I hope officials will recognize the dangers of militarizing the global highway for commerce and communication,” says Ignatius.

Even more so, in the need to classify allies and enemies, there is a risk of reinstating the Cold War in a digital form. The US has spent the last two decades trying to ease itself out of the psychological dead ends built by that strange conflict, fought mostly through proxies, and has no need to kickstart another round.

At worst, such a strategy could start to warp what the Internet becomes. The US has Cyberstrategy 3.0, but so do its enemies, and before long cyber-policy could find itself dominated by a digital arms race the shape of which is hard to see from these early exchanges.

I was about to write that 'the Internet was not invented as a medium for military conflict', but in fact that’s not entirely accurate. Its underlying structures and design were invented by the US military so the connection has always been there. But its best features, including the web itself, came about from civilian use.

What the Internet lacks right now is a way of firewalling the ‘cyber’ from the ‘warfare’. That could turn out to be important.