Almost 20 years ago, Chris Wysopal was among a group of hackers who testified before Congress, warning of the dangers of the internet.
Unfortunately, the U.S. government is still struggling to act, Wysopal said. "You’re just going to keep ending up with the status quo," he said, pointing to the U.S. government's failure to regulate the tech industry or provide incentives for change.
It’s a feeling that was shared by the experts who attended this week’s RSA cybersecurity show in San Francisco. The U.S. government needs to do more on cybersecurity, but what?
Public and private sector
Perhaps, the need for U.S. action hasn't been more urgent. In last year's election, Russia was accused of hacking U.S. political groups and figures in an effort to influence the outcome.
In addition, major internet companies, including Yahoo, have reported huge data breaches, one of which exposed details to a billion user accounts.
The list of problems goes on and on. However, what the U.S. government's role should be in cybersecurity isn't as clear-cut as one might think. That's because most of the IT infrastructure is in the hands of the private sector, which is constantly churning out new -- and sometimes vulnerable -- tech products. But the private sector is not a big fan of regulation.
"Every year, people talk about improved collaboration between the public and private sectors," said RSA CTO Zulfikar Ramzan. "And of course, every year, it feels like we haven't made that much progress."
He predicts the state of cybersecurity will get worse before it gets better. One relatively simple hack involving a phishing email can affect an entire U.S. election, like it did, last year.
Ramzan recommends that the U.S. fully outline the public and private sectors' roles in cybersecurity, as opposed to leaving this muddled. "That would help things move forward," he said. "Each respective sector can do what they do best."
For instance, the U.S. should be pushing out more standards on IT security, based on guidance from the industry. Meanwhile, the private sector can focus on developing new innovations that government bureaus can beta test and support.
Others, like Wysopal, who is now CTO at Veracode, say the U.S. government is in a unique position to spark change that can reach out across the industry.
Imagine if tech vendors all suddenly decided to build more secure products, not because of any new regulation, but because they wanted to win contracts from a customer.
The U.S. government is one of the biggest customers of technology. It's in a prime position to demand tech vendors secure their products, which would pass those benefits on to other buyers such as enterprises and consumers, Wysopal said.
"It isn’t regulation. It’s securing the government and getting that ripple effect," he said.
"But they've never really done that," he added. "They've never put acquisition requirements in place. There's recommendations. But they're not as stringent as we see with the banks."
Experts at the RSA show also brought up the urgent need for the federal government to train new cybersecurity talent – which is scarce in today's industry – and to readily share its intelligence on the latest cyberthreats, rather than wait until it's too late.
"Don’t tell us what to do, how to do it," said Jeremiah Grossman, chief of security strategy at SentinelOne. "Just tell us what's out there."
"The faster we get the data out to the masses, the sooner we can counteract," he said. "By sharing threat intel data, we force [the hackers] to change their tactics."
But in the cyber realm, perhaps the biggest challenge facing the U.S. government is what to do about state-sponsored hacking.
The U.S. still doesn’t have a clear policy on how to retaliate, which does nothing to discourage foreign governments from striking again. But at the same time, many of these cyberattacks might be considered an act of war, said Mike Rogers, a former congressman who was chairman of the House intelligence committee.
During a panel at the RSA show, he pointed to the example of North Korea's suspected hacking of Sony Pictures in 2014, which costs millions of dollars in damages.
"Is that an act of war?" he asked. "It's so hard to come to that conclusion, because [these cyberattacks] are happening a million times a day."
In 2007, U.S. officials began realizing they needed a policy around cyberwarfare, Rogers said. But the government still isn't close to defining it, despite wrestling with the topic for years.
"We were having a hard time coming to any agreement, and we're not there yet," he said.
But clearly, something needs to change.
"I think the United States is in cyberwar and most Americans don't know it. And I'm not sure we're winning," he said.