Panelists struggle to find answers to cyber threats

Greg Garcia, the cyber-security czar for the Homeland Security Department, said that when customers or partners refuse to do business with companies that do not meet certain cyber standards, "that's when the groundswell [for improving security] is going to come."

Speaking Thursday to the Armed Forces Communications and Electronics Association, Garcia also did not rule out having his department someday bestow the equivalent of the "Good Housekeeping seal of approval" on systems that meet certain criteria.

At a panel discussion following Garcia's speech, Larry Clinton, the chief operations officer for the Internet Security Alliance, expressed frustration with getting companies to comply with best practices in cyber security.

Clinton also railed against a voluntary standardization and accreditation program that would be created under a broad security bill, S.4, being debated this week in the Senate. He questioned whether it really would be voluntary.

"I'd suggest if it really will be completely voluntary, it really will completely fail," Clinton said. "Industry doesn't need a federal law to tell us we can voluntarily comply with standards that we have voluntarily created."

He and others on the panel want government to encourage companies to adopt best practices. Clinton cited a PricewaterhouseCoopers study that said firms using them did not face the downtime and revenue loss as others even though they faced the same number of attacks.

Panelists said incentive programs had worked for other industries like agriculture or for flood insurance. They also said better information-sharing about cyber attacks is needed but were at a loss for how to do it.

"The liabilities with sharing are huge," said Al Edmunds, president and CEO of Edmunds Enterprise Services. While information technology departments want to share information, they are blocked by their own companies' legal departments, he said.

Another impediment to sharing information on attacks is privacy concerns, said John Nagengast, a program director for AT&T.

Edmunds said, however, that companies are doing better at protecting themselves but ultimately will need to do more to protect the rest of the system.

Jerry Dixon, who works for Homeland Security's cyber division, said businesses also need to test their disaster-recovery plans by actually operating on them. He said it is "amazing" how many businesses have never done that.

Karl Brondell, a consultant for the Business Roundtable, said the nation needs a better early-warning system for attacks and a plan for who does what when recovering from a major attack. He said institutions that have a role in that now are "clearly stepping over one another's feet."