Almost 20 years ago, Chris Wysopal was among a group of hackers who testified before U.S. Congress, warning it about the dangers of the internet.
Unfortunately, the U.S. government is still struggling to act, he said. "You’re just going to keep ending up with the status quo," he said, pointing to the U.S. government's failure to regulate the tech industry or incentivize any change.
It’s a feeling that was shared by the experts who attended this week’s RSA cybersecurity show. Clearly, the U.S. government needs to do more on cybersecurity, but what?
Public and Private sector
Perhaps, the need for U.S. action hasn't been more urgent. In last year's election, Russia was accused of hacking U.S. political groups and figures in an effort to influence the outcome.
In addition, major internet companies, including Yahoo, have also reported huge data breaches, one of which exposed details to a billion user accounts.
The list of problems goes on and on. However, what the U.S. government's role should be in cybersecurity isn't as clear-cut as one might think. That's because most of the IT infrastructure is in the hands of the private sector, which is constantly churning out new -- and sometimes vulnerable -- tech products. But it's not always the biggest fan of regulation.
"Every year, people talk about improved collaboration between the public and private sectors," said RSA CTO Zulfikar Ramzan. "And of course, every year, it feels like we haven't made that much progress."
Michael Kan. RSA CTO Zulfikar Ramzan speaks at RSA 2017.
He predicts the state of cybersecurity will first get worse before it gets better. Nowadays, one relatively simple hack involving a phishing email can affect an entire U.S. election, like it did, last year.
Ramzan recommends that the U.S. fully outline the public and private sectors' roles in cybersecurity, as opposed to leaving this muddled. "That would help things move forward," he said. "Each respective sector can do what they do best."
For instance, the U.S. should be pushing out more standards on IT security, based on guidance from the industry. Meanwhile, the private sector can focus on developing new innovations that government bureaus can beta test and support.
Others like Wysopal, who is now CTO at Veracode, think the U.S. government is in a unique position to spark change that can reach out across the industry.
Imagine if tech vendors all suddenly decided to build securer products -- not because of any new regulation -- but because they wanted to win bids from a customer.
The U.S. government happens to be one of the biggest customers of technology. So it's in a prime position to demand tech vendors secure their products, which would pass those benefits on to other buyers such as enterprises and consumers, Wysopal said.
Sign up for CIO Asia eNewsletters.