The first one is that as we advance in technology, criminals will continue to exploit the great benefits we get from the technology and turn it into something they can benefit from. The second is that the responsibility does not rely solely on the government or law enforcement to protect people from these criminals. We [the private sector] have a responsibility also. The third thing is that as we build new products, services, technology and hardware, they must be built by taking into consideration some of the things the bad guys might do with it. If you couple those three things, we could go a long way in reducing the size of the next book 20 years from now that looks back and says 'gee, we've come a long way and solved a lot of these problems.'
You served for a time as a White House cybersecurity advisor, and as you are aware some have criticized the U.S. government for not doing enough to safeguard the nation's IT infrastructure. Is this fair criticism?
I don't think it's a fair criticism at all. In fact, I think it's quite the contrary. Going back to 1997, when we first had the President's Commission on Critical Infrastructure Protection, all the way up to the release of the National Strategy to Secure Cyberspace in 2003, the focus has been that industry owns and operates the vast majority of critical infrastructure and IT that we work in on a daily basis. Private industry must recognize there are interdependencies that they have to each other across various sectors and that we as a nation depend on them. It's not about the government telling industry how to run or secure their systems. Industry knows how to do that. In that respect I'm extremely pleased with what industry has done. Industry has put a lot of effort into developing products and services and dedicating certain personnel to work with the government. The awareness and execution in private industry is higher now than it's ever been in our history.
What about the government's efforts to secure its own systems? There has been criticism that the government hasn't put enough effort into securing its own house separate from what's being done in private industry.
There's a tremendous challenge. If you compare resources and the amount of taxpayer dollars allocated to government agencies to what's being spent in the private sector there's a fairly good disparity. There's also disparity in what the government can pay people. I testified before Congress one time and was asked how we keep from losing talented people. My answer was that you just can't compete with private industry as far as benefits, salaries and things like that. What really incentivizes a lot of people is a good solid working environment that makes security personnel feel they are making a difference. Until the government agencies recognize the need to invest more in their people and technologies and realize they are susceptible to the same attacks as private industry, you will continue to see slow progress. There have been a number of efforts to engage government agencies to do a better job, but just creating reports [on government security] for the sake of creating reports isn't enough to get the job done.
The people there now have a tremendous challenge and they're working very hard at it. Over time, as it goes through more reorganization, it will better adjust to the needs of the country. Keep in mind that the agency was set up in the aftermath of 9-11. The way we viewed homeland security at that time has changed in the last six years. As for what's been done, the most important one was to appoint an assistant secretary for cybersecurity and telecommunications. It raises the level of authority and visibility of that position in that department, which sends a clear message to the private sector that this is an important issue from the government's perspective. The second thing it does is it starts to bring that convergence of telecommunications and cybersecurity closer than ever before.
You've been speaking out lately about the security challenges of VoIP. Do you think companies are adopting the technology far faster than their ability to properly secure it?
I think this is a case where one size doesn't fit all. I think it would be a challenge to say unilaterally that companies are or are not doing something. I think some companies are looking to enhance security as they deploy new technology such as VoIP. The good news is there are now companies focused specifically on VoIP security. But this falls in that category where as new technology is rolled out, we have to consider not only the great benefits we get from them, but also the risk that is out there. Those who recognize that are having a much easier job of it.
In the big picture, do you think the good guys are winning the cybersecurity battle?
I don't think we're losing ground as we were at one point. There's more enforcement. More bad guys are being discovered, arrested and prosecuted. A wider net is being cast by industry. People are being better trained and industry is building better products. Microsoft, Oracle, Sun, IBM and HP have specifically focused on making things better.