Just following following up on my post on cyber security preparedness rankings yesterday, I received an email this morning from Kim Andreasson, managing director of DAKA advisory and editor of Cybersecurity: Public Sector Threats and Responses, offering his take on the report. I'm going to publish his thoughts in full as I think it's a useful take. The most intereting insight I think, though, is the point he makes at the end about one of the simplest ways countries can improve preparedness.
"In my opinion, the report reflects the relative level of cyber development in the world. For example, that the Scandinavian countries, particularly Sweden, are out in front is expected given their level of dependence on IT systems, which in turn leads to better cyber awareness, education and security. Similarly, the emerging BRIC markets (Brazil, Russia, India, and China) lag behind because they have yet to reach the level of reliance – and development – on ICTs in general.
"Asian countries generally rank relatively low. One would expect Australia and Japan to do better because of their general level of development and reliance on the Internet. In addition, the distributed denial of service (DDOS) attacks in South Korea in July 2009 served as a wake-up call in the region, perhaps particularly for Japan, which created a new cyber security strategy in response to it, yet the country faired poorly in the ranking.
"The report concluded that greater sharing of information globally is necessary to stay ahead of threats and that law enforcement needs empowerment to fight cross-border crime.
"I agree that there’s a basic problem in regards to sharing information. As I explain in my book, Cybersecurity: Public Sector Threats and Responses, threats can be viewed as either politically motivated, such as cyber warfare, cyber terrorism, espionage, and hacktivism, or non-political, including financially motivated, intellectual property theft, and fraud, as well as hacking for personal reasons, like a disgruntled employee. What’s interesting about this categorization is the notion that cooperation is difficult between countries in regards to politically motivated threats while there is often agreement regarding cyber crime.
"Stuxnet might have been the first cyber attack with critical infrastructure consequences, but it won’t be the last. Many countries around the world are responding by establishing cyber security strategies. Such efforts will help to create an international dialogue around mitigating non-political threats, but it will be a lot harder to develop policies for politically motivated threats.
"Yet, surprisingly few countries – and individual organizations for that matter – currently have cyber security strategies in place. Policymakers often don’t understand the technical issues involved, and an important initiative therefore to improve cyber security is to translate technical terms into something they – and the population at large – can understand. It may sound trivial, but studies often show that a majority of breaches can be prevented by educating users and maintaining clear policies that are communicated at all levels."