However, one point stood out in the article's analysis:
"...participants [of Cyber Storm II], which included the private sector, were surprised by the 'borderless nature' of cyber attacks and the 'speed with which they can escalate'."
How can people who call themselves "security professionals" be surprised that the Internet is "borderless" or that attacks (or any online activity) can occur quickly? This failure to understand the basic nature of threats is mind-boggling and one of the most daunting problems in information security.
Too often, the "security experts" (in both the government and private sectors) are simply IT engineers who view security as a technical problem with technical solutions. This myopic world view is not only misguided, it precludes proper threat and risk assessments.
While understanding the technological infrastructure and its vulnerabilities is an important component of any threat assessment, it is just as critical to understand adversary motivations, capabilities and methods. Likewise, threats must be analyzed at both the macro and micro levels.
For some reason, physical security professionals and intelligence analysts "get this". However, IT security engineers not only have difficulty incorporating the "people" element but are often hostile to anything that strays from their technical comfort zone.
It is no wonder that security problems are only growing in number and impact, and they will continue to do so as long as information security is viewed as an engineering issue and the "experts" are surprised by the "borderless nature" of cyber attacks.
For more on this topic see:
- Convergence: A holistic approach to risk management (Network Security Journal, May 2007)
- IT security professionals must evolve for changing market (SC Magazine, October 12, 2006)