October 2007   
 
 

BUSINESS INSIGHT: CYBER SECURITY AWARENESS


Reinforcing the Third Leg of Security: Awareness and Education

By Douglas Sabo, Director, Worldwide Corporate Responsibility, McAfee Inc.; Chairman, Board of Directors, National Cyber Security Alliance

Government officials, the media and others often ask what is needed to ensure strong security for our information, networks and infrastructure. What is really going to make a difference in the state of security online? How do we get where we need to be?

I often answer with the metaphor of a three-legged stool of innovation, legal frameworks and education.

Innovation and legal frameworks
Clearly, technology and innovation will always play the leading role in making sure that we're all protected. Since the emergence of the first computer virus, the Internet has spawned a range of malicious threats. Spyware. Phishing. Botnets. Adware. Rootkits. Image spam. Unsafe websites. These all pose serious threats to anyone who uses a computer, and providing solutions that stay one step ahead of them requires constant effort on the part of the security industry.

Fighting cyber crime and staying secure also creates the need for strong legal frameworks that apply across borders and stay flexible to address emerging threats. Cyber criminals are getting more sophisticated and organized, and we need to keep our laws current with new cyber threats and criminal behavior. We also need to provide law enforcement with the tools it needs to go after cyber criminals, including the ability to cooperate internationally.

We already have made important strides in this effort through the Council of Europe Cyber Crime Treaty. Here in the United States, McAfee's CEO Dave DeWalt is extremely passionate about the issue and has traveled more than once to Washington to meet with lawmakers and advocate for the bipartisan Cyber Security Enhancement Act of 2007. If passed, the legislation would establish tougher criminal penalties against cyber crime, modernize our cyber crime statutes, and provide resources to law enforcement for research, training and equipment.

Propping up the third leg
But in order to protect our information, networks and infrastructures, there is another critical element: cyber security awareness and education. We need to make all types of users―consumers, small businesses, children, schools and company employees―aware of cyber risks and best practices for protecting themselves.

As chairman of the board of the National Cyber Security Alliance, a national nonprofit group dedicated to educating the public about cyber security protection, I personally have seen that we've already come a long way in raising awareness about the threats facing Internet users. McAfee recently partnered with the NCSA to conduct the McAfee-NCSA Online Safety Study, an innovative look at perception of security versus actual security practices. Here’s what we discovered:

  • People are concerned about online security: 98 percent believe up-to-date security is important
  • They know what harmful dangers exist: 99 percent have heard about spyware, and 75 percent have heard about phishing
  • People believe they have taken steps to protect themselves: respondents believe they have anti-virus software (87 percent), firewalls (73 percent) and anti-spyware software (70 percent)

However, the results also prove that we still have a long way to go in awareness and education:

  • People still lack essential protection: 78 percent do not have core protections
  • They don't even know they lack the most basic protection: 48 percent have expired anti-virus (even though 92 percent think their software is current)

Groups such as the NCSA have been engaged in multi-year public awareness campaigns to address this. In the United States, October is National Cyber Security Awareness Month, a public-private initiative to raise awareness about cyber security issues and practices. The effort, organized by the NCSA in collaboration with the U.S. Department of Homeland Security, Federal Trade Commission and others, is structured to encourage national and local participation. A myriad of grassroots activities are scheduled throughout the country, including proclamations from governors, public service announcements, speeches and events on college campuses (a complete list is available at http://www.staysafeonline.org/events/index.html).

As part of National Cyber Security Awareness Month, the NCSA brought 200 leaders of U.S. industry, government, academia and nonprofit organizations to Washington to discuss where we stand as a country working with all computer users to make sure that they understand basic security practices. (See my blog post at http://siblog.mcafee.com/?p=197.) The attendees agreed that practices, not just software, play a large role in protecting individuals from online harm and that education is a key part of encouraging safer online behavior. A call to action emerged from the summit in support of turning disparate awareness campaigns into a broader movement.

Going global
Cyber security awareness is also steadily gaining attention on an international scale. The U.K. government has led its own awareness campaign efforts since 2004, and Canada's new government issued a statement marking this October as Cyber Security Awareness Month for the first time. At McAfee, we believe that these efforts need to expand to additional countries as well, as the Internet is borderless, and we're only as strong as our weakest link.

A long fight ahead
The challenge of cyber security isn't going away anytime soon. At McAfee, we are working around the clock in the effort to combat the bad guys. But defeating cyber criminals requires collaboration on many levels, as we have done through our work with the NCSA. The joint effort we are seeing between industry and government is definitely on the right track. Yet, as the numbers indicate, we need to do even better, and awareness and education will play an important role in our success.

 


 
