Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, called on technology companies to take greater responsibility when it comes to the cybersecurity of their products that “are embedded into the very foundations of our society.”
The remarks at a Carnegie Mellon University event on Monday echo a recent call to action from CISA for tech companies to “fundamentally shift” product design to one that embraces cybersecurity as a safety and product design issue. “As we’ve integrated technology into nearly every facet in our lives, we’ve unwittingly come to accept as normal that such technology is dangerous by design,” Easterly said.
The CISA director’s push to hold software makers more accountable for Americans’ cybersecurity comes as the Biden administration is considering moves to compel the tech sector to shoulder more responsibility for the digital safety of critical U.S. industries. The forthcoming national cybersecurity strategy is widely expected to demand greater investments in security from industries that prop up sectors such as energy, water and health care.
Indeed, the technology that underlies critical services is often rife with vulnerabilities and is difficult to manage because the need for constant uptime limits patching. Additionally, the increasing digitization of critical infrastructure adds more attack vectors when the new systems are not properly configured.
Easterly painted a scenario in which an attack against critical infrastructure could pollute U.S. water systems or cripple telecommunications to incite public panic and ultimately influence U.S. policy and public opinion. “Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan are unfortunately not farfetched.”
Easterly also pointed to the added burden to the American consumer who has to consider complex topics when buying a new device such as a phone or a computer. “The American people have accepted the fact that they’re constantly going to have to update their software,” she said. “The burden is placed on you as the user and that’s what we have to collectively stop.”
Easterly continued: “We’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations who are often least aware of the threat and least capable of protecting themselves.”
Easterly pointed to customs within the cybersecurity community such as “Patch Tuesday” as examples of how accustomed the security community has become to insecure products, and to the blame game that follows when a company is hit by a cyberattack through a known vulnerability.
“We often blame a company today that has a security breach because they didn’t patch a known vulnerability. What about the manufacturer that produced the technology that required too many patches in the first place?” Easterly said.
Such a culture has created a “multi-billion dollar cybersecurity industry because technology companies were not incentivized to create safe technology,” Easterly said in remarks after the speech. She pointed to practices such as using memory-safe languages like Rust, adopting a transparent vulnerability disclosure policy, committing to accountability for their products, and following secure coding practices as ways vendors can build product safety into their core practices.
Easterly praised Google for including the memory-safe language Rust in its latest Android 13 release and Mozilla for integrating Rust into the Firefox browser. By using such languages, “these vulnerabilities can be eliminated,” Easterly said.
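To make the memory-safety point concrete, here is a short example added to this write-up; it is not code from the article, from Google's Android, or from Mozilla's Firefox. It parses a constructed length-prefixed record of the kind network and file-format code handles constantly. In C, trusting the declared length and copying that many bytes is the classic out-of-bounds read or buffer overflow. In safe Rust the same logic cannot read or write past a buffer: slice access is bounds-checked, and `get` turns a lying length field into a recoverable error rather than silent memory corruption. The record format and function names are assumptions made for the illustration.

```rust
// Added example, not from the article or from any vendor's code base.
// Demonstrates why safe Rust removes the out-of-bounds read/write class
// that a C implementation of the same parser would expose.

/// Parse a constructed record of the form [len: u8][payload: len bytes]
/// and return the payload. A C version that did `memcpy(out, p + 1, len)`
/// would read past the buffer when `len` exceeds the bytes present; here
/// `get` returns None instead, and there is no way to read out of bounds.
pub fn parse_record(input: &[u8]) -> Option<&[u8]> {
    let (&len, rest) = input.split_first()?;
    rest.get(..len as usize)
}

/// Copy a payload into a fixed-size destination, the idiom behind most
/// stack buffer overflows in C. Safe Rust will not let the write run past
/// the array: without the explicit check, `copy_from_slice` would panic
/// (abort the operation) rather than corrupt adjacent memory. The check
/// turns that panic into an ordinary error the caller can handle.
pub fn copy_into(dst: &mut [u8; 16], payload: &[u8]) -> Result<usize, &'static str> {
    if payload.len() > dst.len() {
        return Err("payload larger than destination buffer");
    }
    dst[..payload.len()].copy_from_slice(payload);
    Ok(payload.len())
}

fn main() {
    // Constructed inputs: a well-formed record and one whose length field lies.
    let good = [3u8, b'a', b'b', b'c'];
    let bad = [200u8, b'a', b'b'];
    println!("good record -> {:?}", parse_record(&good)); // Some([97, 98, 99])
    println!("lying length -> {:?}", parse_record(&bad)); // None

    let mut buf = [0u8; 16];
    println!("small payload -> {:?}", copy_into(&mut buf, b"hello")); // Ok(5)
    println!("oversized payload -> {:?}", copy_into(&mut buf, &[0x41; 64])); // Err(..)
}
```

The point is not that the Rust code is cleverer than its C counterpart; it is that the check the C programmer has to remember is enforced by the compiler and runtime, so forgetting it produces a failed parse or a panic instead of an exploitable memory-corruption bug.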
On multi-factor authentication, Easterly pointed to Apple as an “impressive” example, as the company says that 95% of iCloud users use multi-factor authentication. By contrast, Twitter and Microsoft report MFA adoption of less than 3% and around 25% respectively, figures Easterly called “disappointing,” though she noted that the companies should be lauded for their transparency about MFA adoption.
However, the onus is not just on manufacturers, Easterly said; government also has a role to play beyond more regulation, which the director said “is not a panacea.”
“Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software and specific critical infrastructure entities and driving the development of the safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” Easterly said.