National cybersecurity is improving as the public-private partnership broadens but much work remains, a panel of security experts said Wednesday.
Speaking at RSA Conference 2006 in San Jose, the panelists – Dan Mehan, Andy Purdy, Howard Schmidt and James Lewis – largely agreed that great strides have been made to protect the nation's critical infrastructure at a time when attacks are becoming more targeted and profit driven.
Schmidt, former White House cybersecurity adviser, quipped that the annual security conference coincides with the one-year anniversary of the last phishing attack he received in his inbox.
On a wider scope, he cited more open-source initiatives, better patch management and less impact when vulnerabilities are discovered as reasons why there has not been a major national security disruption in recent memory.
"From an industry perspective, we're being very successful," said Schmidt, president and chief executive officer of R&H Security Consulting. "It's not just because we're dumb lucking – it's because we're doing very good things."
Others in the discussion, called The National Cyber Security Agenda: Where Have We Been And Where Are We Going, were not as quick to applaud the current environment.
Purdy, acting director of the Department of Homeland Security's National Cyber Security Division, said partnership and collaboration among all parties involved in the product development lifecycle are key.
For security to be achieved, he said, a shared responsibility is required.
"It's not enough to hold the end users responsible," he said.
Mehan, former chief information officer for the Federal Aviation Administration, said legislative action, such as the passing of the Federal Information Security Management Act of 2002, helped to set standards for securing the nation's infrastructure.
But cyber incidents still occur on a regular basis. He said the private sector must count on "resilience and self-healing" to keep security incidents at bay.
Lewis, director of the Technology and Public Policy Program at The Center for Strategic and International Studies, said more federal funding for research and development and better organization and information-sharing will improve performance.
Congress, meanwhile, is making IT security a priority, bolstered by growing consumer concerns over data breaches and spyware, said lobbyist Paul Kurtz, executive director of the Cyber Security Industry Alliance.
But Kurtz, speaking at another discussion Tuesday regarding the current legislative climate, said the outlook remains clouded because lawmakers are divided on how to word new laws.
Current bills dealing with spyware and data breaches could be held up by differing philosophies among lawmakers, Kurtz said. Some want the legislation to be very detailed and subject-specific, while others prefer to rely on standards already in place and apply them to the new laws.
But the "congressional frenzy" will continue, meaning businesses must pay attention, Kurtz said.
"They (the bills) will have an impact on your bottom line," he said. "They will have an impact on your business. This is something we used to just talk about. Now it's happening."