The Cybersecurity and Infrastructure Security Agency plans to release its secure by design principles this week to encourage the adoption of safe coding practices, which are a core part of the Biden administration’s recently released national cybersecurity strategy.
The document isn’t meant to be the “Holy Grail” on secure by design, said CISA Director Jen Easterly during the CrowdStrike Government Summit in Washington on Tuesday, but it’s an important step when it comes to “shifting the burden to software companies from individual users and small businesses” when it comes to cybersecurity.
The secure by design approach to building software products isn’t a new idea, but it is gaining more traction. Before the release of the national cybersecurity strategy, Easterly and Eric Goldstein, CISA’s assistant director for cybersecurity, wrote an op-ed calling on software vendors to “stop passing the buck on cybersecurity.” Easterly also made the case for secure by design during a speech at a recent Carnegie Mellon University event, where she called for three “core principles” for technology manufacturers.
At the CrowdStrike summit, Easterly repeated those principles for software vendors, which are: take ownership of security outcomes for their customers, provide “radical transparency” to their customers, and improve design quality by focusing on building safe products. “It’s incredibly important that we now focus on ensuring that the software that powers our lives is secure by design and secure by default,” she said.
One early implementation of secure by design comes from the Department of Energy’s cyber informed engineering strategy, a framework aimed at including cybersecurity in engineering practices.
Easterly noted CISA will focus more in the coming months on issues related to open source software used within industrial control systems. Additionally, she said, CISA will work on the High-Risk Community Protection initiative announced in late March.
Easterly also talked about the need to become more resilient in the face of growing cyber threats, and noted that one major lesson out of the Ukraine war is “the power of societal resilience.”
“I don’t think our country really showed that during Colonial Pipeline and I don’t think we showed it recently under the high-altitude balloon,” she said, referencing the Chinese spy balloons that floated through the U.S. and received widespread media attention.
During the early days of the Colonial Pipeline ransomware incident, after the company shut down the pipeline during recovery, fears of a gas shortage led to long lines at the pump. Easterly continued: “I think at the end of the day, our ability to keep calm and carry the hell on is really going to be the key to deal with very significant nation state threats.”