"It isn’t regulation. It’s securing the government and getting that ripple effect," he said.
"But they've never really done that," he added. "They've never put acquisition requirements in place. There's recommendations. But they're not as stringent as we see with the banks."
Experts at the RSA show also brought up the urgent need for the U.S. government to train new cybersecurity talent – which is scarce in today's industry – and to readily share its intelligence on the latest cyber threats, rather than wait until it's too late.
"Don’t tell us what to do, how to do it," said Jeremiah Grossman, chief of security strategy at SentinelOne. "Just tell us what's out there."
"The faster we get the data out to the masses, the sooner we can counteract," he said. "By sharing threat intel data, we force them [the hackers] to change their tactics."
But in the cyber realm, perhaps the biggest challenge facing the U.S. government is what to do about state-sponsored hacking.
The U.S. still doesn’t have a clear policy on how to retaliate, which does nothing to discourage foreign governments from striking again. But at the same time, many of these cyber attacks might be considered an act of war, said Mike Rogers, a former U.S. congressman who was chairman of the House intelligence committee.
Michael Kan. Former U.S. congressman Mike Rogers.
During a panel at the RSA show, he pointed to the example of North Korea's suspected hacking of Sony Pictures in 2014, which costs millions of dollars in damages.
"Is that an act of war?" he asked. "It's so hard to come to that conclusion, because [these cyber attacks] are happening a million times a day."
In 2007, U.S. officials began realizing they needed a policy around cyberwarfare, Rogers said. But the government still isn't close to defining it, despite wrestling with the topic for years.
"We were having a hard time coming to any agreement, and we're not there yet," he said.
But clearly, something needs to change.
"I think the United States is in cyberwar and most Americans don't know it. And I'm not sure we're winning," he said.
Sign up for CIO Asia eNewsletters.