Friday | 10 July, 2009
CSO
Howard Schmidt talks privacy, background checks
Former Chief Security Officer for Microsoft on balancing privacy and security, background checks on IT workers and RFID chips in passports
Sharon Gaudin (Computerworld) 12/03/2008 10:51:44

What can those government agencies getting dismal scores on their computer security report cards do to get better?

There's some pending legislation on The Hill that will redirect the focus and give government agencies [the power] to make security changes rather than just spending all their time and money generating the [security] report. They are doing more paperwork than fixing anything.

We're hearing a lot about the Chinese breaking into US government networks. How secure is the US against these kinds of attacks?

Go back to the mid-1990s. Sen. Sam Nunn, in a meeting at the Pentagon, asked me: if there was a technological war and another country was to attack us, on a scale of 1 to 10 (10 they have no chance of affecting us and 1 is they would devastate us and own everything we have), [how would we fare]? I said we'd be sitting somewhere around a 5 or 6. If we were on the attacking end, I felt we would have more gain than losses attacking their system. Today, that has changed dramatically. I think we're in a much better situation. We're much more secure and we're reducing our attack vectors. In terms of withstanding an attack, we'd be closer to an 8 or a 9. We have the ability to turn back attacks. We also could shut down systems that might be under attack and bring them internal.

You've said that you worry that cyber security will be reduced to a "second-tier issue" - to where we just respond to attacks and are not proactive in protecting against them. Is that still a problem?

Look at the world post 9/11. One of the struggles has been trying to convince the government to protect the IT infrastructure as much as our planes and trains. Everyone has spent a lot of money, time and energy looking at the physical attacks. And, yes, that is where people get killed. But we can't make cyber infrastructure a second-tier issue. Look at medical records being stored electronically. People get medications based on electronic records. You could wind up with someone who has an allergy to penicillin getting penicillin. That would be deadly. The argument I get is you can't have more than one Priority One. I argue that you have to be able to multi-task in your protection plan.

Yah, I think we have looked at it as a second-tier. The government has recognized that work has to be done. We're getting much closer to having them on equal footing.

Comments

Howard Schmidt also has a book

Not mentioned in the article is Howard Schmidt's book outlining and discussing the history of cyber-security given that he was in the industry since it began.

The book is called Patrolling Cyberspace, and I highly recommend it as the book is interesting and a very easy read.
