the very near future, many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers.... This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces.

--Former Duma member Nikolai Kuryanovich (1)

On 19 July 2008 an Internet security firm reported a distributed denial of service (DDoS) cyber attack against Web sites in the country of Georgia. (2) Three weeks later, on 8 August, security experts observed a second, more substantial round of DDoS attacks against Georgian Web sites. Analysts noted that these additional DDoS attacks appeared to coincide with the movement of Russian troops into South Ossetia in response to Georgian military operations launched a day earlier in the region. By 10 August the DDoS attacks had rendered most Georgian governmental Web sites inoperative. (3)

As a result of these attacks, the Georgian government found itself cyber-locked, barely able to communicate on the Internet. In response, the government took the unorthodox step of seeking cyber refuge in the United States. Without first obtaining US government approval, Georgia relocated critical official Internet assets to the United States, Estonia, and Poland. (4)

Georgian-Russian hostilities in South Ossetia have generated a substantial amount of analysis and speculation regarding the accompanying cyber conflict. (5) Most of the focus has centered on identifying the parties who conducted the cyber attacks. The Georgian cyber event provides an intriguing opportunity to examine a more subtle and perhaps overlooked aspect of cyber conflict--the concept of cyber neutrality. The Georgian case raises two fundamental questions: (1) How did the combined actions of the Georgian government and US information technology (IT) companies impact American status as a cyber neutral? (2) Can the United States remain neutral (or cyber neutral) during a cyber conflict?
The underlying implications of the overall issue should be of great concern to US policymakers and strategists. Even if the United States is not a belligerent in a cyber conflict, incursions against the US Internet infrastructure are likely. Private industry owns and operates the majority of the Internet system. During a cyber conflict, the unregulated actions of third-party actors have the potential of unintentionally impacting US cyber policy, including cyber neutrality. There is little, if any, modern legal precedent. The fact that American IT companies provided assistance to Georgia, a cyber belligerent, apparently without the knowledge or approval of the US government, illustrates what is likely to become a significant policy issue. Although nations still bear ultimate responsibility for the acts of their citizens, applying that dictum to the modern realities of cyber conflict is a complex challenge. Georgia's unconventional response to the August 2008 DDoS attacks, supported by US private industry, adds a new element of complication for cyber strategists.

Cyber Neutrality: A Basic Rubric

In the United States, the executive branch can choose to follow a neutrality policy as a matter of its constitutional authority regarding foreign relations. In 1908, Woodrow Wilson, then president of Princeton University, posited,

One of the greatest of the President's powers I have not yet spoken of at all: his control, which is very absolute, of the foreign relations of the nation. (6)

At the beginning of World War I, President Wilson declared the United States a neutral nation, yet American banks provided loans to Britain and France, and American industry sold armaments to those nations. The German government eventually responded by waging submarine warfare and maritime commerce raiding against the United States. Wilson's neutrality stance was more rhetorical than real, in that he did not exercise executive authority to halt US loans and arms shipments to belligerents. …