Hi, much of this seems like hyperbole. Self selected folks meeting and declaring the world is an insecure place. Just today there was an article in WSJ that lays out why much of such talk is without substance:

http://online.wsj.com/article/SB10001424052748704370704575228653351323986.html

Excerpt:

Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable. There may be no petty crime in North Korea, but achieving such "security" requires accepting all other demands of living in an Orwellian police state. Just like we don't put up armed guards to protect every city wall from graffiti, we should not overreact in cyberspace.

It's easy to dismiss any discussion of cyber war as hype, but as Mark points out, "we need to build more trusted international relationships to better govern ourselves and build the new Internet of the next decade."

A number of the important conversations are not about the network technology, but the processes which customers, governments, CERTs and vendors should follow in a genuine crisis.

While inter-goverment collaboration might be strong between the 'Usual 5' (US, UK, Australia, Canada and New Zealand) there remain open questions on how best to share awareness of, and respond to international cyber events. For example, If a new form of attack is detected in Europe, how will operators in Asia be made aware of the need to protect themselves?

As they say, If you want peace you must prepare for war.

The WSJ article posted in one of the above posts takes a stance that I believe has needed to be taken for a long time; but let's not stop there, I would highlight to mention that the article simply makes some suggestions that we don't over react to all the fear mongering. Face it, in any society there will be beneficiaries in times of need. Some people sold snake oil and sugar tablets, and others studied bacteria in milk until they revolutionized the way that dairy products are processed across the world, and thus prevented a lot of people from becoming ill.

The security industry is a necessity because there are dangers when you join the Internet. I recommend the Marcus J. Ranum TED talk to fully understand some of the hilarious nature on how some of the security industry was created, basically due to the FTP protocol. It's a really good plain-talking perspective on what happened, and that a lot of technologies and businesses have been driven to take some interesting roads because someone was lazy or didn't make the most elegant protocol.

Now about the concerns on the Internet; yes they are real, and the attacks are now very sophisticated. Have all attacks become sophisticated? No, it's even worse than that; we still have all the background noise of the common sweep scans, banners scans, malformed packets, brute force attacks on SSH and HTTP auth; but now we even have attacks on SIP, attacks that target voice mail systems by faking caller ID as a means of authentication, and covert channels across onion routers (TOR) that carry control channels for bot nets, click jacking, XSS, to name a few. And yes, a lot of money is fueling this industry but the profiteers this time are not the vendors, it's the other team.

Mark is spot on, we need to collaborate on security, we need to understand how security is changing all together. Take for example IPv6 adoption in service providers. Today we block SPAM and malware distribution sites with real time black lists, and this works with IPv4; can you imagine how hard this will be when a single network has more addresses than the entire Internet does today?