The true size of APT infection is difficult to know because it is so stealthy. "Many CISOs have been operating on the assumption that since they didn't know of anything, there wasn't anything," Barrett says.
On the matter of PCI standards, he feels that businesses need more flexibility in implementing security measures that guard against identified threats. The standards, which have been criticized for driving the bulk of security spending at the companies that must comply with them, could use some refinement, he says.
Overall they address important concerns and impose security measures that can only benefit network security, he says. "I simply do not believe that these absolute minimum thresholds will force you to do things you shouldn't be doing already anyway," he says.
But the standards are vague in some areas and others are too specific, he says. For example, under the regulations certain traffic requires stateful packet-inspection firewalls. "What if you used another technology that was the equivalent? Then you'd get in an argument with your QSA [qualified security auditor required by PCI]," he says. "PCI should be more risk-based with more options and less that is proscriptive -- it's both too proscriptive and too vague at the same time."
2011 is a good time for security professionals to help shape needed Internet-security laws, Barrett says. "Technology is not legislators' strong point," he says. "The industry needs to spend some time educating Congress and its staff on issues to ensure what they do makes computing and the Internet safer and not less safe. They need to avoid the law of unintended consequences."
The top issue they should address is enforcement of cybercrime laws. Theft of $10,000 worth of goods online using fraudulent credit cards is unlikely to attract an aggressive prosecution, even if prosecutors knew who did it. The same theft from a brick-and-mortar retail store would attract an aggressive investigation, he says. "It's not lack of interest. It's that prior cases have been based on financial loss. $10,000 is not enough." In prosecuting real-world vs. online crime, there should be no significant difference, Barrett says.
Barrett says the industry should also support creation of a presidential commission to study cybercrime and find out how much is really lost directly or indirectly to cybercrime. He says he's heard estimates ranging from $2 billion to $26 billion in the U.K. alone, and estimates as high as $2 trillion worldwide.
Along with that, the commission should assess how seriously other nations treat cybercrime. For example, he says many people say Russia doesn't investigate cybercrime because of corruption, but that isn't always true. "There may be problems, but it does prosecute and sometimes punishes," he says. The goal should be to figure out how to encourage more reliable prosecutions. "Like terrorism, we need to study other governments and see how seriously they'll treat it."