Dozens of tech companies pledge to build safer, more secure tech
SAN FRANCISCO — More than 60 private-sector companies publicly promised to make cybersecurity a larger focus in their technology design process, including tech heavyweights like Google, Microsoft, Cisco, IBM and Amazon Web Services.
The pledge was formally unveiled Wednesday during a signing event at the RSA Conference hosted by the Cybersecurity and Infrastructure Security Agency as part of its Secure by Design initiative. CISA has waged a massive public campaign to prod technology companies to do more to create more resilient products as foreign nations, ransomware actors and cybercriminals have feasted on governments and companies over the past decade, largely by exploiting insecure software, hardware and products where security features either aren’t enabled by default or are sold as premium features.
“There is a real urgency that everybody in this room not only feels but is highly aware of, and it is all about developing new and retrofitting older technologies and software with security as a core consideration,” CISA Director Jen Easterly said.
In addition to major tech companies, dozens of prominent software, hardware and cybersecurity businesses have also signed onto the commitment, including Palo Alto Networks, Lenovo, BlackBerry, Hewlett Packard, GitHub, Ivanti and CrowdStrike.
The signatories commit to taking a series of actions over the next year to reduce the vulnerability of their products, including building default multifactor authentication and other forms of phishing-resistant authentication protections and reducing the use of default or hardcoded passwords. The pledge also presses software providers to make dedicated efforts to reduce the prevalence of commonly exploited types of vulnerabilities and increase the number of customers who are quickly installing security patches.
The companies also committed to being more transparent about disclosing security vulnerabilities through official channels, publish vulnerability disclosure policies to assist third-party security researchers who probe their systems and increase logging capabilities to help customers better detect when they’ve suffered a breach or intrusion.
The increase in logging capabilities is particularly relevant for the federal government. A breach of Microsoft last year by a Chinese-linked threat actor group known as Storm 0558 resulted in the theft of emails from high-level officials at the Departments of State and Commerce ahead of high-level talks between the White House and China.
The extent of that breach was obscured by the lack of logging capabilities built into Microsoft’s standard commercial offerings, with enhanced logging only available to premium customers. That breach was the subject of a scathing review by the Cyber Safety Review Board last month, which concluded that the incident was preventable and caused by the company’s failure to appropriately prioritize security.
But the problem extends well beyond a single company or provider. Referencing the breach at an RSA presentation Wednesday, former NSA Cybersecurity Director Rob Joyce said that as more companies have moved their data to cloud environments, it’s become harder to monitor for signs of malicious behavior, as many providers have policies in place that wipe security logs after 90, 60 or even 15 days.
“We’ve got to now have the trust in the cloud, because frankly we lose some of our visibility into the environment,” Joyce said. “Sometimes you don’t have access to all the logs that a provider would have.”
The pledge is voluntary, leading to some skepticism about how far some companies will go in implementing its principles, but CISA officials said they are committed to measuring progress by the signatories across key commitments over the next year.
Other officials said gaining broad-based consensus on the issue is an important and necessary step toward building a more durable security culture within the American technology industry. Lauren Zabierek, a senior cybersecurity policy adviser at CISA, said the agency views the commitments as the beginning, not the end, of a collaborative process between government and industry, likening it to early efforts by automobile safety advocates to make seatbelts and other safety features standard.
“Before a safer car could be made, we had to believe in the idea of a safer car,” Zabierek said. “And that’s what we’re asking with technology.”