The Cybersecurity and Infrastructure Security Agency (CISA) published its secure-by-design and -default guidance today, which CISA Director Jen Easterly said is all about driving down cyber vulnerabilities to near zero.
Easterly joined the Axonius Federal Forum 2023: Adapt event in Washington, D.C. today, where she explained how the new principles aim to keep Americans safe in today’s technology ecosystem by putting the responsibility on the technology manufacturer instead of the user.
“It is really about starting a conversation that helps to move the needle on incentives that have been misaligned for decades,” she said. “The internet was not built for safety. Software was not built for safety … so we want to have this conversation.”
“At the end of the day, software makers want to produce safe tech, consumers want safe tech – it’s just the incentives are now misaligned because it’s about speed to market. It’s about cost. And there is imperfect information,” she added. “As a consumer, I don’t know what’s in my software.”
Easterly explained how the software that we rely on every day comes to us “full of flaws and vulnerabilities,” and we are then expected to constantly update that software. However, the CISA director said constant software updates should not be the norm – rather, building secure tech products should be.
The 15-page guidance released today – in collaboration with the FBI, the National Security Agency, and six of the agency’s international partners – outlines several core principles to guide software manufacturers in building software security into their design from the start. Three of these core principles include:
- Taking ownership of the security outcomes of their technology products, shifting the burden of security from the customers;
- Embracing radical transparency and accountability; and
- Building the right organizational structure that fosters executive-level commitment for software manufacturers to prioritize security.
Easterly said CISA will hold listening sessions on the new principles at the RSA Conference in San Francisco later this month, as well as next week at CYBERUK, the United Kingdom’s flagship cybersecurity event.
“We’ll hopefully get feedback to help make this product better and better so we are driving down vulnerabilities,” she said. “I don’t want to live in a world where every month I have 100 flaws that I have to take care of – seven of which might be critical.”
There are always going to be vulnerabilities in code, Easterly said, but we can “significantly” decrease the number of vulnerabilities by shifting the incentives around.
“I think success looks like a world where it’s only these exotic zero days. Success is a world where threat actors are not able to take advantage of common vulnerabilities,” she said. “And frankly, we drive down the number of common vulnerabilities to near zero.”
“At the end of the day, the ultimate goal is: let’s drive those vulnerabilities down to near zero in terms of those that can be publicly exploited by our adversaries,” she concluded.