CISA’s Goldstein wants to ditch ‘patch faster, fix faster’ model
Addressing computer security vulnerabilities by quickly finding and patching flaws is a fundamentally broken model in need of being overhauled, Eric Goldstein, a top cybersecurity official at the Cybersecurity and Infrastructure Security Agency, said Friday.
“To say that our solution to cybersecurity is at least in part, patch faster, fix faster, that is a failed model,” Goldstein said at an event held by the nonprofit International Information System Security Certification Consortium. “It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against.”
Goldstein, the executive assistant director for cybersecurity at CISA, argued that delivering broad gains in computer security requires a “philosophical shift” that puts a smaller burden on school districts, water utilities, and small businesses to maintain secure systems, and asks more of the large companies to provide secure software and hardware.
“If you’re a school district, a water utility, a small business, you’re fundamentally not going to repeatedly succeed over time against the malicious actors that we are trying to manage every day,” Goldstein said.
Indeed, just within this past week, a Pennsylvania water facility was forced to go into manual operations after Iranian-linked hackers broke into their networks, a Texas water facility was hacked by a ransomware gang, and dozens of hospitals in several states were impacted by a ransomware attack that forced ambulances to be diverted.
Goldstein said that CISA is calling on technology providers to “take accountability” for the security of their customers by doing things like enabling default security controls such as multi-factor authentication, making security logs available, using secure development practices and embracing memory safe languages such as Rust.
“What we’re seeing today, we believe, is systematic cost transference from technology providers who make decisions to design products a certain way to customers, who then have to bear the burden to patch, to mitigate, to respond,” Goldstein said. “It doesn’t make sense to us, at least as applied to smaller organizations that really can’t bear that burden.”
Goldstein also expressed hope that artificial intelligence can help speed up efforts to find and fix vulnerabilities in legacy code, discover tactics, techniques and procedures used by malicious hackers, and to assist in writing secure code.
CISA is currently assessing AI risks for the sectors it oversees in conjunction with sector risk management agencies and industry as directed by a recent executive order. On Sunday, the U.S. and U.K. released voluntary guidelines for how to securely develop and deploy AI systems.
