Regardless of your position on the over-hyped and under-estimated realm of cyber conflict, crime, and espionage, you probably have a few pet fallacies. I thought it might be fun, and possibly instructive, to start a conversation about them. Here are my top five. Feel free to add yours in the comments section.
The TSA fallacy
The TSA approach to airline security has been completely reactive because it focuses on the method of attack (e.g., liquids, shoes, underwear) instead of the person. Likewise, Internet security companies focus on the technical characteristics of an attack (e.g., code, malware, exploits) instead of the actors (state and non-state). As a side note, Harding was going to move TSA towards a more intelligence-driven model. That's precisely what the Internet security industry needs to do as well.
The China fallacy
This fallacy paints China as the number one adversary in anything having to do with cyber conflict in spite of the fact that there isn't a shred of historical evidence to prove it. The People's Republic of China has never engaged in military operations utilizing its information warfare (IW) capabilities against another nation state. The same cannot be said for the U.S., the Russian Federation, Georgia, Israel, and the Palestinian National Authority/Hamas. The PRC leadership are not religious extremists (e.g., Iran) or militaristic wildcards (e.g., DPRK, Myanmar). When you paint the PRC as the world's greatest cyber threat, you miss what China is actually excelling at (cyber espionage) and you overlook and/or underestimate the authentic threats from other nation states that are busy eating your lunch without you knowing it.