Ex-NSA CIO blasts US government's 'terrible' cyber security - and companies aren't much better

You're on your own, warns Dr Prescott Winter, even though many companies have 'appalling' cyber security

The US government isn't doing enough when it comes to cyber security policy, claims former National Security Agency (NSA) CIO and CTO, Dr Prescott Winter.

Furthermore, that situation is not going to improve any time soon, so it's up to the enterprise to take the fight to cyber criminals, he added.

Winter, now managing director of security services provider The Chertoff Group, made the damning comments during his keynote speech at Splunk Worldwide Users Conference 2013 in Las Vegas.

"I'm very much concerned about the likelihood that the government will not act forcefully enough in this area for some time. They've got, quite frankly, a terrible track record. That's why you in the enterprise are pretty much on your own," said Winter, who spent 27 years with the NSA.

He warned that unlike during the Cold War, when the government did everything it could to shore up defences, it's not taking the same approach when it comes to cyber threats posed by hackers and cyber criminals.

"It's not like the Cold War when the US government put up missiles and ran defences against the Soviets," said Winter.

"You didn't have to worry about that if you lived in the United States, the government did the best that anybody could do in terms of technology. That is not the case in cyber security, you're on your own, friends," he warned, arguing that it will take time to build up proper cyber defences.

"That's why it's so important to understand how, in fact, for the enterprise, until the government gets its act together, it's going to be a long, slow process."

Earlier in his keynote, Winter labelled cyber security at many top companies as "appalling" and added that many "have fundamentally no idea what they're doing". As a result, better cyber security standards are required across the board, he argued.

"We'd love to see nice, crisp standards, for example, for different types of critical infrastructure protection," Winter told the audience, but suggested that when government gets involved it merely becomes a matter of ticking boxes.

"At the same time, recognise that when the government gets involved with legislating these kinds of very detailed regulatory issues, it tends to take on the flavour of a compliance mandate and it very often ends up looking like a lowest common denominator effort - it becomes a box-checking exercise," he said.

"Even then, even if we had active participation and a fairly clearly defined set of rules, it might not achieve what we'd really like it to achieve," Winter claimed.

"So there are a lot of complexities with this issue. I certainly have no crystal ball to guess when the government may actually get off its behind and get moving on this issue, we'll have to wait and see," he concluded.