LAS VEGAS - The U.S. Cybersecurity and Infrastructure Agency (CISA) at the Black Hat USA conference this week detailed how it plans to foster an ecosystem that supports a concept that the agency calls “secure by design,” where the security of customers is a core business requirement for product manufacturers, as opposed to a technical feature.
Today, businesses bear the brunt of the responsibility for securing the products that they use, including applying patches, monitoring security logs and configuring the products securely. When cyberattacks occur, the ensuing fallout and processes - including incident response - also fall to the end users. But officials with CISA said manufacturers that create these insecure environments need to shoulder some of this responsibility by securely developing their products from the start.
“I think in this industry, we find ourselves glamorizing and talking a lot about what the villains do right to compromise people, we talk a lot about what the victims did wrong - they didn’t patch fast enough, they didn’t turn on MFA on this one account - but there’s another component to this that we don’t talk about enough, which is the vendors that make the software and create the environment in which we see these accidents not just occur but in some cases become likely,” said Bob Lord, senior technical advisory with CISA, on Thursday.
CISA has heavily touted the idea of “secure by design” over the past year, but at Black Hat the agency gave further details about how it is approaching this concept in practice. A crucial piece here is driving adoption for manufacturers, by encouraging companies to design secure products at the outset and ultimately own security outcomes for their customers. This will include adopting memory safe programing languages, securing the hardware foundation and software components or creating flaw disclosure policies with legal safe harbor.
“So it’s not enough for a software manufacturer to build a product, ship it out and then whatever happens happens and it’s up to the user of that product to bear that responsibility,” said Jack Cable, senior technical advisor at CISA. “The manufacturer has to make sure that wherever it’s deployed, by default, by design, the product is secure, so customers don’t have to bear that responsibility.”
“The manufacturer has to make sure that wherever it’s deployed, by default, by design, the product is secure, so customers don’t have to bear that responsibility.”
CISA also wants to focus on collecting the right data, which could help manufacturers better understand root causes of vulnerabilities in their products, for instance. Cyber incident reporting is key here, and CISA hopes that recent efforts like the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will help it analyze more data around the risks and threats facing various critical infrastructure products, said Cable.
This is not a concept being embraced solely by CISA. One of the core pillars of the National Cybersecurity Strategy released earlier this year by the Office of the National Cyber Director (ONCD) aims to shift the burden of security away from those less capable - small businesses, state and local governments, nonprofits and school systems - to companies that are more capable of building security into their products. In its implementation document for the strategy, the ONCD said that it will develop a software liability framework through working with Congress, the private sector, academic researchers and others. The ONCD will also develop materials in order to encourage the use of federal grants in aiding manufacturers to build in various security measures.
There are still challenges that need to be fleshed out, and this is by no means something that will happen overnight. While secure by design seems like a fairly simple concept at a high level, manufacturers have historically prioritized factors like time-to-market or product functionality, and the actual implementation of this concept will have deep implications, financially, operationally - and at the core, culturally - for how they develop, roll out and maintain their products.
Moving forward, the U.S. government wants input from industry experts that can help it understand and address these challenges. As a starting point, the ONCD on Thursday announced they are seeking public comments from the public and private sector on open-source software security and memory safe programming languages, so that the government can “develop and implement long-term and sustainable policy solutions.”
During a Black Hat USA session on Thursday, Kemba Walden, the acting national cyber director for the ONCD, said that the overall aim here is to try to figure out what policy solutions can help to “rebalance” the responsibility model so that larger, more capable organizations like cloud service providers, large enterprises and the federal government can better bear the risk.
“We’ve made some great progress, but what we’ve noticed is that we’ve allowed cybersecurity to devolve to those that are least capable,” said Walden. “Those of us that are more capable should be able to bear down on cybersecurity risk… We’ll never get down to zero, but you have to make sure that when there is a cybersecurity attack, that downtimes are minimal, that uptimes are swift, that cyberspace is resilient.”