US cybersecurity officials step up push for companies to adopt secure by design practices
SAN FRANCISCO — Top U.S. cybersecurity officials have been meeting with industry representatives and tech executives to press the need for companies to adopt secure by design principles that are a core part of the Biden administration’s national cybersecurity strategy.
The push is part of an effort championed by the White House and the Cybersecurity and Infrastructure Agency to reduce the number of vulnerabilities in commercial software and shift the burden for maintaining cybersecurity from consumers back to tech vendors.
“Small and medium businesses, local school districts, water utilities, local hospitals, are not going to be successful in managing cybersecurity risk alone if they ever get in the crosshairs of a ransomware gang or an APT actor,” said Eric Goldstein on Wednesday during the annual RSA Conference here that brings together government officials and industry executive. “Those who can bear the burden are held accountable for providing services that are safe and secure by design by default.”
Jack Cable, a senior technical adviser at CISA, told CyberScoop that CISA held two listening sessions recently with industry partners as well as one with the open-source community. He said the agency plans to build on secure by design principles recently outlined in a white paper the agency published. “This is the first chapter of the story here and we want to work closely with industry and governmental partners with this.”
A related and complimentary effort at the Department of Energy’s cyber informed engineering program is designed to help industrial organizations apply secure by design strategies to operational technology. “They’re very much connected as we really move toward a converged infrastructure future,” said Cherri Caddy, deputy assistant national cyber director at the Office of the National Cyber Director, during an RSA panel here on Wednesday. “So how can we shift the liability for software security, for system security onto the makers and away from the end users?”
The Energy Department’s cyber informed engineering approach was announced last year after Congress mandated the development of a strategy in the 2020 National Defense Authorization Act to fund the development of a plan to reduce the risk of cyberattacks on physical plants.
“We have systems that are built to withstand extremes of weather … but an adversary that is deliberately attacking a system doesn’t usually fall into the calculus,” said Caddy, who was previously worked at DOE before joining the White House.
“We wrote the strategy with the flavor of the energy sector and electrical systems, but also with the intention of expanding it out,” she said. “This is for all engineers, not just electrical engineers. It’s everything, it’s building systems, it’s space systems, it’s weapons platforms, it’s really all of these physically engineered systems.”
Universities such as the Auburn University have already begun to establish cyber informed engineering in their courses, either as a separate course or building it into already existing classes. “We’re driving toward a broader community center of excellence concept of how can we get more resources that we could share with the whole community to advance this practice,” Caddy said.