Security firms earn tens of billions of dollars from state and corporate contracts but so far have been able to pass the buck when faced with new viral attacks or new malicious software, and they end up making more money by selling new products, analysts said.
However, an increasing awareness of risks to national security and strategic economic interests has shifted focus to an area long neglected in an industry that has grown by leaps and bounds since the 2001 attacks on the United States.
That area is security companies' own responsibility for keeping cyberware up to speed. Numerous successful hacking incidents plus frequent penetration of sensitive cybersystems from a variety of sources have raised awareness that the companies should be doing more to deliver on contracts that earn them vast sums.
Over the years different ideas for regulating the security companies have emerged in public debate and in congressional discussions. But new bipartisan initiatives in Congress would set absolute minimum requirements that companies and government agencies must fulfill in order to function within the lucrative industry.
Congressional discussion has centered on risks posed to U.S. national security by increasingly sophisticated cyberattacks that are seen as capable of knocking out communications, power grids, financial operations and day-to-day operations of the government.
Many of the U.S. companies involved in domestic security contracts are multinational. The progress of the current debate on the companies' overall accountability is drawing interest from foreign governments and security agencies elsewhere that contract out work.
Discussions in the Senate drew parallels between a major cyberspace incident and the 2001 attacks and the potential of such an incident to disrupt operations across a spectrum of government and private sectors.
Aside from attacks or attempted attacks on government offices, major corporations also suffered cybercrime. Victims included Citigroup and the Lockheed Martin Corp.
Despite those threats, not everyone seems enthusiastic about too much being written into a new law about cybersecurity. At present both government agencies and private entities are able to pick and choose the level of security measures they want to adopt.
There is concern that legislation may prove counterproductive if it requires government and private establishments to buy into a prescribed minimum of security infrastructures.
Such a legal requirement would escalate costs and be a boon to the security industry at large but wouldn't necessarily secure those being protected against future attacks.
Instead, analysts said, those providing the security services could be required to be more accountable for the level and quality of services contracted. At present few penalties exist for hardware or software failing to match up to new or anticipated threats.
Security companies have also convinced many lawmakers that the biggest risks to cybersecurity come from abroad. Attacks on payrolls and other domestic systems indicate the suspected involvement of home-grown organized crime within the United States.