Industry leaders on CISA’s secure-by-design pledge: A great program with some issues

House lawmakers and witnesses weighed in on secure-by-design incentives, subpar developers and the initiative’s future under new CISA leadership.
Rep. Andrew Garbarino, R-N.Y., chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, holds a hearing on CISA's secure-by-design initiative on Dec. 5, 2024, in Washington, D.C. (Screenshot)

Private-sector tech leaders told House lawmakers Thursday that the Cybersecurity and Infrastructure Security Agency’s secure-by-design push may benefit from more of an incentive structure, but poorly trained developers remain “a real problem” for the nearly two-year-old initiative.

The four witnesses testifying before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection all characterized CISA’s voluntary secure-by-design pledge as a net positive that has resulted in significant industry-wide progress. The question posed by subcommittee Chair Andrew Garbarino, R-N.Y., and ranking member Eric Swalwell, D-Calif., was how the initiative could level up and better enhance cybersecurity across more U.S. sectors.

Shane Fry, chief technology officer at RunSafe Security, acknowledged that CISA’s secure-by-design program — which now counts over 250 companies as signees — “is making a lot of waves.” But there’s a missing piece, Fry said, in limiting the program to IT systems and not addressing operational technology device manufacturers.

“Let’s work with Congress and find a good way, or CISA to find a good way, to incentivize these companies to actually secure their systems,” Fry said. “Because I think limiting it to just IT systems is a little bit short-sighted.”

Fry also spoke up for incentivizing the development of safety-certified tooling for memory-safe languages. Memory safety vulnerabilities, Fry said, account for roughly 70% of vulnerabilities in critical infrastructure and frequently have the highest severity ratings. 

Rewriting software with memory-safe languages is part of a CISA-recommended strategy to reduce entire classes of vulnerabilities, one of seven pillars in the agency’s secure-by-design pledge. But reaching the lofty goals spelled out in that pillar is the most difficult for companies to achieve, according to Jim Richberg, head of cyber policy and global field CISO at Fortinet.

A former Office of the Director of National Intelligence official during the George W. Bush and Barack Obama administrations, Richberg said the elimination of whole classes of vulnerabilities “was intended as the stretch goal for companies like Fortinet and Google. … Even for big companies, it’s going to take us a long time to knock off all of those.”

Heather Adkins, Google’s vice president for security engineering, agreed with Richberg and Fry on the vulnerability pillar as the toughest goal to meet. Though Google has more resources than anyone, the tech giant still relies on some third-party and open-source software. Adkins said that if companies want to better address entire classes of vulnerabilities, there has to be a change in “the way developers work.”

“We don’t have any control over how that [open-source] software is developed,” she said. “We’ve had to spend a lot of time really innovating in that space to make sure that the way we write code is safe.”

Google expects its work with generative AI to help mitigate that issue, Adkins said. But that may not be an option for other software companies due to a lack of resources and an ill-equipped workforce. 

Srinivas Mukkamala, an Ivanti alum who serves on the New Mexico Institute of Mining and Technology’s board of regents and as an independent board member of El Paso Electric Company, said it’s too early to tell if machine-generated code will be good or if it will create a new class of weaknesses and vulnerabilities.

At the same time, having a human involved in the writing of code has obvious shortcomings.

“Most of our developers today are not trained in software security. That is a real problem,” Mukkamala said. “And the other thing that’s also causing a real issue is [that the] majority of the software is actually built offshore” by developers that aren’t trained in best security practices.

Conducting exhaustive audits and identifying and replacing legacy systems with secure-by-design products should be a top priority, but multiple witnesses noted that smaller, under-resourced municipalities are at a severe disadvantage. 

“That’s where advocacy and potentially funding at the state and federal level can help those smaller municipalities get to secure systems today,” Fry said. “And the faster we can get vendors to do secure-by-design and solve some of these problems today, the faster that funding can be effective.”

Whether CISA’s secure-by-design initiative remains an agency priority appears to be an open question heading into the Trump administration. Garbarino said the agency has been a “trusted partner” to the subcommittee and he would miss working with outgoing CISA Director Jen Easterly.

Swalwell said secure-by-design “is just one example of the many vital projects that CISA carries out. Efforts in the next administration to weaken or abolish CISA could have devastating impacts on our national security, and I hope that we can continue to work as we have this Congress under the chairman’s leadership, in a bipartisan way to support this vital agency.” 

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.