Some of the biggest names in the tech industry signed onto a public pledge, backed by the US Cybersecurity and Infrastructure Security Agency, promising to implement important software security measures in their products.
The CISA “Secure By Design” pledge outlines seven areas in which signatories are expected to make significant improvements. Multifactor authentication should be used by default, default passwords should be randomized or mandatorily changed on first use, and SQL injection attacks should be eliminated by, for example, enforcing parametrized queries. The pledge also asks signers to implement regular patching, vulnerability disclosure policies, transparent CVEs, and forensic data about intrusions.
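The pledge's "enforce parametrized queries" item is one that a team can check mechanically in CI. As an added example (not CISA's or the article's own code), the Python script below walks a module's AST and flags execute()/executemany() calls whose SQL text is assembled at runtime with concatenation, % formatting, f-strings or .format(); the sample module is constructed for the demonstration, and the check is a heuristic that inspects only the first argument and cannot follow variables.

```python
import ast

QUERY_METHODS = {"execute", "executemany"}

def find_unparametrized_queries(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for each execute()/executemany() call whose SQL
    text is built dynamically instead of being a literal with bound parameters."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in QUERY_METHODS:
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Constant) and isinstance(sql.value, str):
            continue  # literal SQL: user data can only travel via the params argument
        if isinstance(sql, ast.JoinedStr):
            reason = "f-string"
        elif isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Add, ast.Mod)):
            reason = "string concatenation or % formatting"
        elif (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
              and sql.func.attr == "format"):
            reason = ".format() call"
        else:
            reason = "non-literal SQL argument (review manually)"
        findings.append((node.lineno, reason))
    return sorted(findings)

# Constructed sample module: three injectable patterns and one parametrized query.
SAMPLE = '''\
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for line, reason in find_unparametrized_queries(SAMPLE):
        print(f"line {line}: SQL built via {reason}")
```

A real enforcement pass would run this over every module in the build and fail the pipeline on any finding; the parametrized call on the last sample line is the only one that passes.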
Among large vendors who signed the pledge are Cisco, AWS, Google, IBM, Microsoft, Lenovo, and other mainstays of enterprise IT architectures.
“This pledge seeks to complement and build on existing software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry best practices,” CISA said in a statement. “CISA continues to support adoption of complementary measures that advance a secure-by-design posture.”
Security-by-default has been a key policy goal of CISA Director Jen Easterly, who was appointed in July 2021, and who has since spoken publicly about what she calls the “dangerous-by-design” nature of many technologies, warning that the public has become inured to bugs and security flaws in computer technology that they would never accept in other industries.
“We find ourselves blaming the user for unsafe technology,” Easterly said in a speech at Carnegie Mellon University in February. “In place of building in effective security from the start, technology manufacturers are using us, the users, as their crash test dummies — and we’re feeling the effects of those crashes every day with real-world consequences.”
But will CISA’s pledge make a difference?
More concept than needle mover for CSOs
The government, however, has limited tools available to help alleviate such problems, according to Katell Thielemann, Gartner VP distinguished analyst.
“On the whole, the pledge is sort of an effort to push this concept around secure by design and secure by default, and it should be acknowledged and celebrated, but it should be understood in the context of other efforts,” she said, highlighting a 2021 executive order on cybersecurity that implemented disclosure mandates on companies contracting with the federal government.
The pledge, which isn’t legally binding and is completely voluntary in any case, is unlikely to move the needle in terms of industry-wide efforts to normalize its principles. And it misses the mark in a couple of important areas, according to Thielemann.
“One of the things that is missing from my perspective is that it very specifically excludes physical products,” she said. “Software, increasingly, is built into all of these cyber-physical systems that underpin everything we do, from Tesla to the electrical grid.”
Ultimately, the CISA pledge is a step in the right direction, Thielemann said, but is unlikely to be a determining factor in how CSOs make decisions. With 68 companies on board — out of the thousands of possible vendors in the market — the pledge isn’t yet ready to stand in as a meaningful seal of approval.
CISA’s efforts to improve the cybersecurity climate in the US have progressed across multiple fronts this week, as the agency announced that it would add 30 days to the comment period for its proposed rulemaking on CIRCIA, a 2022 law that mandates reporting cyberattacks and ransom payments.
“One of the things they have to do, by law, is to adjudicate every single comment they receive, which obviously takes time,” Thielemann noted. “They’re kind of between a rock and a hard place, in the sense that Congress told them to do something … and now industry’s on the other side coming out saying ‘this is so onerous.’”
CIRCIA has established a 72-hour deadline for reporting any attack, with ransom payments required to be reported within 24 hours. Detractors balk at having to adhere to more disclosure deadlines, and CISA has been left to work with those the law is meant to regulate in formulating its rulemaking.