The Power of the Purse: How to Ensure Security by Design
CISA should make its recommended goals mandatory and perform audits to ensure compliance.
Gary Barlet, Public Sector Chief Technology Officer, Illumio
November 12, 2024
COMMENTARY
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge, a voluntary commitment in which software manufacturers promise to make measurable progress on fundamental cybersecurity practices. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on.
On the face of it, the Secure by Design pledge is a good thing. Each of its seven goals asks manufacturers to adopt, or expand their use of, a key cybersecurity practice and to show measurable progress within one year. The goals, such as "increase the use of multifactor authentication (MFA)," are worthy, if basic, and CISA encourages companies to publicly document their progress. If they fall short, they are also encouraged to report that shortfall to CISA.
The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there’s no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.
Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.
Is the Honor System Good Enough?
With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation’s technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?
I’d argue for a much more aggressive approach from our federal government. Given the potential for widespread disruption inherent in any cybersecurity failure, we can’t afford such a lax attitude toward securing our systems. The integrity of our nation’s airlines, power grids, and other critical infrastructure depends on stringent cybersecurity measures. Merely “suggesting” that companies institute basic protocols is not enough. We need to mandate it, and punish those who fail.
The EU’s Higher Standard
I look at the European Union’s approach to setting standards for its electronic devices. In 2022, the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU’s stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device.
The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and required manufacturers to make the change. Those that fail to comply cannot sell their devices in Europe. Simple. Effective.
You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state’s air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years.
For vehicle manufacturers that want to sell cars in California, the largest state economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most chose the former, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced.
Adopting a Similar Approach
To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation’s cybersecurity agency should be empowered to make regulations.
CISA should begin by making its recommended goals mandatory, forcing software companies to do the following:
● Increase the use of MFA
● Reduce default passwords
● Enable a significant measurable reduction in the prevalence of one or more vulnerability classes
● Increase the installation of security patches by customers
● Publish a vulnerability disclosure policy
● Demonstrate transparency in vulnerability reporting
● Increase the ability for customers to gather evidence of cybersecurity intrusions
Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA’s list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren’t taking the most basic steps toward protecting their users’ data.
Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die.
If you want to sell software in the US, you should have to follow basic principles that ensure your software is secure. This should not be a “nice to have.” It should be mandatory. The stakes are as high as, if not higher than, with charging ports and automobile emissions. As we saw with the recent outage caused by a faulty update to widely deployed security software, the impact was felt across entire industries and cost billions of dollars in lost productivity. This is not a realm for timidity.
About the Author
Public Sector Chief Technology Officer, Illumio
Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.