"This is a new war. We need a new strategy," said Larry Clinton, operations officer, Internet Security Alliance. "We can't use 19th century regulatory models."
Tax incentives or tying insurance rates to security best practices would be more effective than government mandates, he added.
Implementing a "culture of security" requires collective action by end users, corporations, and government, said Howard Schmidt, CISO, eBay.
"I've not seen many people on the Hill who are good at writing legislation and also at writing code," he said, adding that the private sector is making progress in improving software security.
The panel, entitled "Digital Pearl Harbor: How Real is the Cybersecurity Threat, and Who's Responsible Anyway?" was co-hosted by the Cato Institute, a public-policy research group that espouses limited government and free markets.
Last fall, industry and business groups reacted quickly against a proposal by Rep. Adam Putnam (R-Fla.) to require publicly traded companies, as part of their annual filings with the Securities and Exchange Commission, to submit and certify their infosec plan. Putnam tabled the draft bill in favor of a working group that developed alternatives, which Putnam is reviewing, according to a House subcommittee staffer.
"The government needs to focus on computer criminals, not cyber regulations," said Wayne Crews, director of technology policy at the Cato Institute.
Ben Golub, senior vice president of marketing and corporate affairs at VeriSign, said the mindset of preventing attacks should be changed to a focus on limiting the damage when attacks occur.
"No one company or government can secure cyberspace," he said. "We need market incentives for individual and corporate security."
Schmidt said he rejects the term cyberterrorism: "We need to focus on the weapons of mass disruption in the IT space." Collective action on cybersecurity will reduce the disruption, he said.