At a CES panel, CISA director Jen Easterly sounded the alarm on the current state of cybersecurity in the U.S. “We cannot accept that ten years from now it will be the same or worse than it is now,” she said. “All the critical infrastructure we rely on is underpinned by a technology base that was created in an insecure way.” As head of the Cybersecurity and Infrastructure Security Agency, Easterly is in a position to assess the coming damage, projected to be $8 trillion this year. Moderator Rajeev Chand, Wing Venture Capital partner led Easterly and CrowdStrike chief executive George Kurtz in a discussion on how to halt the increase of cyber-insecurity.

Kurtz identified poor passwords and “the Achilles heel of backwards compatibility” for creating “gaps” enabling cybercrime. “The curve of technology from version 1.0 to 2.0 and beyond creates gaps because so many older versions remain out there,” he said. “We’re dealing with very insecure protocols to support backwards compatibility with them.”

When Chand asked about the state of preparedness among big companies, Kurtz replied that it depends on the business sector. “Finance companies and others that are regulated have much better preparedness,” he said. “But if it’s a cost-constrained business, it’s harder to spend the money.”

For that reason, CISA is focused on getting C-Suite executives and boards of directors to “really embrace cybersecurity as a matter of good corporate policy”

“We have to think of it as a persistent, transparent relationship between corporation and government,” Easterly said, noting the importance of a shift to “secure-by-design” products. “Decades of insecure design of technology is a fundamental safety issue,” she said. “We’ve accepted that software is developed with all kinds of flaws and we haven’t incentivized companies to keep it safe. This is a serious responsibility that companies need to take, and we can’t let tech off the hook.”

Kurtz concurred with Easterly’s assessment. “A lot of companies at CES are at the leading edge of technology innovation but at the low end of cybersecurity,” he said. “Problems exist if there is an imbalance.” Although Easterly emphasized that, “consumers need to know what is in their technology,” Kurtz countered that, “consumers shouldn’t have to think about security.”

“If you put the onus on the consumer, you’ve already lost,” he suggested.

Easterly agreed. “We put the burden of safety on consumers who least understand the threat and have the ability to defend themselves,” she said. “It’s about how we build the technology that’s the most secure out of the box. And chief executives and boards are responsible for cyber risk.”