New legislation introduced in the House and Senate over the past two months is a good start but needs to go further, two former high-ranking government officials said yesterday. The bills aim to codify the Department of Homeland Security’s responsibilities for working with the private sector and the rest of government on cyber security matters, and to improve information sharing on cyber issues between the private sector and the government.

These bills are “absolutely necessary” but they are also “insufficient,” Mike McConnell, a former director of National Intelligence and director of the National Security Agency, said at a forum hosted by the Homeland Security Policy Institute to examine pending cyber legislation.

McConnell, who is currently the vice chairman at the consulting and services firm Booz Allen Hamilton [BAH], said the two biggest hurdles to more effective cyber legislation revolve around privacy concerns and reluctance to create regulations for private sector behavior.

The nation is facing a threat as significant as it did during the Cold War but “there is no forcing function to cause us to do something as significant as we need to do,” McConnell said. Based on his experiences in government and business, McConnell noted that the pending pieces of legislation discuss information sharing between the federal and private sectors but said that “unless it’s required by law or it’s incentivized in a very significant way, you will not have information sharing.”

Regarding privacy considerations, which McConnell said are a “serious concern” and need to be addressed in the law, he said that for the nation’s cyber defenses to be effective they need to take advantage of the unique capabilities resident within the government, in particular the National Security Agency.

“NSA can see the globe…at network speed,” McConnell said. “So if you can see it, it has to be done with machines. To react to it, you have to do it with machines. If you see an attack or penetration or whatever it might be, you have to block it at network speed.”

McConnell said that none of the pending legislation goes far enough to “harness the best of government, what’s needed from government and what’s needed from the private sector, in a way that we share the information and we move at network speed.”

Michael Chertoff, who served as DHS secretary in the Bush administration, said he agrees with McConnell but said the legislation is a “starting point” and that while it “may not be [the] end point, [we] don’t want to lose a good start by making perfect the enemy of the good.”

The “area of greatest pushback” is around the aversion to regulation, Chertoff said. He disagrees with arguments that the market by itself will take care of security.

“If I own an enterprise, and it’s worth $1 million, I’m not going to spend $10 million to secure it,” Chertoff said. “But if that $1 million enterprise fails and the collateral consequences are $1 billion in losses, then I’ve got a cost to failure that far exceeds the value of the enterprise and far exceeds what I’ll invest to protect it. So as long as we have interdependencies, as long as we rely on critical infrastructure…we do need to make sure that there are adequate incentives for them to invest appropriately.”

Those incentives should not lead to micro-management and costly intrusion by the government, Chertoff said. He added that the playing field also needs to be level so that “the people that are lazy or want to underinvest can’t hide in the weeds hoping to get by with those who do invest.”

Without appropriate information sharing between the government and the private sector, companies will be left in “isolated” stovepipes, each having to defend itself.

“The way you learn about problems in cyber space is by getting experience in what those problems are,” Chertoff said. “When everybody fights alone, everybody’s at their weakest. When you’re dealing with network threats, the ability to observe them, [and] analyze them, the ability to disseminate information is critical to avoiding replication of the threat elsewhere.”

McConnell said that not a single company in the United States can “successfully defend itself.” The companies with the best cyber defenses “have been penetrated to the point of capturing source code, business plans or innovation or research and development. Every one of them.”

Tommy Ross, the senior defense and intelligence adviser to Senate Majority Leader Harry Reid (D-Nev.), speaking about the comprehensive cyber security legislation introduced last week in the Senate that Reid plans to bring to the floor for debate, said that “where the market is able to drive security and drive innovation, that’s what we want to see and that’s absolutely right and I don’t think anybody wants to legislate to get in the way of that.”

However, Ross said there are sectors, such as transportation and utilities, including electric and nuclear power firms, where there may be no competition and thus no incentive to innovate for security. He also said that some threats may not generate an investment in cyber security.

Where there is a low probability of a threat but relatively high consequences, such as an attack leading to a nuclear meltdown, that is the area of greatest concern, Ross said. Given the low probability, Ross believes there isn’t an incentive to invest. Instead, companies invest to guard against high probability but low consequence attacks, “which require fewer resources.”