Public-private security cooperation at RSA

June 15, 2009

In past years, I looked at the RSA security conference as a high-tech flea market staffed by the world's best security carnival barkers. Yes, important security topics were discussed, but the real focus of the show was selling products and doing deals.

This year's event has its share of tacky presentations and booth babes, but I'm hearing a lot of chatter about a far more important topic: the state of information security and its impact on us all. Finally, the combination of unending data breaches, sophisticated malware, and the very real cybersecurity threat has everyone paying attention. There is a broad recognition that we security professionals aren't hawking hardware or writing code, we actually have a responsibility to educate, help, and safeguard users.

This theme is evident throughout the event. Microsoft's Scott Charney, a former U.S. Department of Justice attorney, talked about Microsoft's vision for end-to-end trust, describing why this is necessary and how it can be done in simple terms. While security crowds are often skeptical about Microsoft, Charney stated clearly, "It is our responsibility to make technology trustworthy."

Charney was followed later in the day by National Security Agency Director Lt. Gen. Keith Alexander, who talked about NSA capabilities and its role in securing cyberspace. Wednesday's speakers include Melissa Hathaway, acting senior director for cyberspace and the individual tasked with researching the state of domestic cybersecurity and reporting her results to President Obama. Finally, the day concludes with one of my favorite authors, James Bamford, who has written several books, such as "Body of Secrets" and "The Shadow Factory," that are must-reads for anyone interested in cybersecurity, privacy, and the NSA.

I applaud this group of speakers and their messages, but I truly believe that private-public security cooperation needs to go to another level. Here are a few suggestions where this would help:

  1. Security standards. The National Institute of Standards and Technology and the NSA should champion standards across the public sector while cooperating with the security industry on education and promotional programs. I'd like to see this cooperation on standards like the Key Management Interoperability Protocol (KMIP) and the Extensible Access Control Markup Language (XACML). I'd also like to see a standard for data "tagging" so that security requirements travel with the data for distributed security policy enforcement.

  2. Information assurance. The defense and intelligence community is pretty good at data discovery, classification, and security. The private sector on the other hand is struggling. I'd like to see government agencies work more closely with the security industry to define standards, create best practices models, and enhance education.

  3. Secure software development. This is the Achilles' heel of the technology industry, and secure development programs remain underfunded and behind the scenes. The federal government should flex its purchasing muscles by auditing vendor development processes, demanding that vendors adhere to the Common Weakness Enumeration/SANS Institute list of "Top 25 Most Dangerous Programming Errors," and creating some type of "good housekeeping seal of approval" certification for software vendors. This will stimulate new security training, products, and services and force the private sector into similar requirements.

Talk is cheap and cybersecurity gets worse each day. I hope that the government and security industry can build upon this common understanding to make real and immediate progress.

 

F-Secure says stop using Adobe Acrobat Reader

June 15, 2009

With all the Internet attacks that exploit Adobe Acrobat Reader, people should switch to an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.

Of the targeted attacks so far this year, more than 47 percent exploit holes in Acrobat Reader, and six vulnerabilities have been discovered in the program, Mikko Hypponen, chief research officer of security firm F-Secure, said in a briefing with journalists.

Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.

In 2008, the favored targeted attack vector was Microsoft Word, which had 15 known vulnerabilities (compared to Acrobat Reader's 19) and which represented 34.5 percent of the attacks (compared to 28.6 percent for Acrobat Reader), he said.

Top-level executives, defense contractors, and other people who have access to specific sensitive corporate or government information are subject to targeted attacks in which an attacker sends a file with malicious code embedded in it. Once the file is opened, the computer is typically infected with a back door that then steals data.

PDF and Flash browser plug-ins are also used in attacks known as "drive-by downloads" in which malware is surreptitiously downloaded onto a computer while the user is surfing the Web. The number of PDF files used in attacks rose from 128 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Hypponen.

Adobe should make security a priority, he said.

Adobe "has a lot to learn from, of all places, Microsoft," which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.

Part of the problem is people don't expect that Acrobat Reader upgrades necessarily contain important security patches like they do with Microsoft software, he said.

Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site.

 

Microsoft exec: Internet still not safe enough

June 15, 2009

SAN FRANCISCO--Microsoft's operating systems are still vulnerable to attacks, but more often than not it's older versions that are taking the big hits.

That was the message from Scott Charney, corporate vice president in Microsoft's Trustworthy Computing group, when he sat down with me on Tuesday. We chatted about the latest threats, including Conficker. The much-maligned Windows Vista, he noted, wasn't hit in the way that older versions of the operating system were.

"Some of those widespread exploits take advantage of older platforms," Charney said in an interview, following his keynote speech at the RSA 2009 conference here.

With Windows 7, Microsoft is trying to take security into a few more areas, such as extending encryption to removable devices.

Charney also noted that, as a whole, the Internet should still be safer than it is.

"There is still a sense that it is not safe enough," Charney said. "It was not built for the uses that we currently use it for, all these commercial transactions."

One of the answers, he said, is adding more security features into the PC hardware.

"In a nutshell, software is malleable and hardware is harder to tamper with," he said.

For my complete interview with Charney, check out the video below:
