A CISA secure-by-design guru makes the case for the future of the initiative

The initiative had led to tangible changes, Jack Cable said upon his exit from the agency as senior technical adviser.
Jack Cable, who is departing his role as CISA's senior technical adviser, speaks at an event. (Photo courtesy of Jack Cable)

One of the chief architects of the Cybersecurity and Infrastructure Security Agency campaign to get software developers to design their products with security in mind said he believes it could be one of the best tools the Trump administration has to counter China.

Jack Cable, who is departing his role as senior technical adviser Thursday, said major hacking campaigns by Chinese hacker groups — like Salt Typhoon’s breach of telecommunications companies and Volt Typhoon’s infiltration of U.S. critical infrastructure networks in advance of any Taiwan conflict — underline the necessity of the secure-by-design initiative.

“We know this is happening, and we know all too often this is leveraging vulnerabilities in network edge devices, and they are relatively simple vulnerabilities,” Cable told CyberScoop in an interview, referring to devices like routers. “Most of them are on the product security bad practices list we published at CISA that we know have been preventable for decades, and not only that, software manufacturers have also known how to prevent these at scale for decades.

“I hope that the incoming administration can recognize that we do have a real ability to partner with the manufacturers of these edge devices,” he said. “The Trump administration has made it clear that they are going to be very active in defending against threats from the PRC [People’s Republic of China].”

Secure by design was one of Cable’s two focus areas at CISA, along with open-source security.

At the idea phase, secure by design didn’t begin with much partnership at all, according to Cable. When the agency brought a draft pledge to companies seeking public commitments to secure-by-design principles, Cable said the answer back was, “this isn’t going to get any traction.”

So CISA workshopped ideas with industry and came back with a pledge that Cable described as ambitious but not unrealistic.

It’s a voluntary pledge, one without any mechanisms to force companies to follow up. That doesn’t mean it hasn’t been successful, Cable said. That’s because of other kinds of pressure.

“Part of the reason that pledge has been so effective is that it’s able to really motivate companies to do better, partially through peer pressure, partially through wanting to align with CISA and other governments who have been really defining what it means to be secure by design,” he said. “We’ve now seen over 250 companies sign on to the pledge, ranging from some of the largest in the world — like Google, Microsoft, Amazon Web Services — to startups and everything in between.”

And they’re not empty commitments, either, Cable said, pointing to the progress reports CISA has published on its website.

CISA isn’t just pushing secure by design on behalf of the broader community, but also the federal government itself, which, as in the case of a recent breach at the Treasury Department, is sometimes the victim of cyberattacks, too. Cross-agency cooperation to secure federal networks can only accomplish so much without vendors acting responsibly, CISA Director Jen Easterly said Wednesday in remarks at the Foundation for Defense of Democracies.

“Are we still going to have issues like what we saw in Treasury?” she said. “Yes, we will, until you have vendors that we know are specifically focused on secure-by-design software.”

Congress may have a hand in the next steps, Easterly said.

“We really need to focus on what we need to do to ensure that technology manufacturers and software providers are designing and developing and testing and deploying and delivering software that is specifically designed to dramatically drive down the number of exploitable flaws, and so that’s the campaign around secure by design,” she said. “I do think Congress could play a really important role in this.”

Some potential Trump cyber nominees have said the administration would be likely to roll back Biden administration cyber regulations. But there are also reportedly doubts within CISA and the Biden administration that the new administration is likely to support things like secure by design.

Industry officials have said the program is a good one, albeit with some flaws. Other CISA officials have praised the initiative as they have exited government work.

Cable, who at 24 years of age has already worked on the Hill, in the private sector, and on both the defense and civilian sides of government, said he next plans to start his own company. Its focus? Something in the realm of “helping companies to develop more secure code” in their products, he said.

Derek B. Johnson contributed to this story.