CISA Boss: Makers Of Insecure Software Are The Real Cyber Villains

Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued.

"The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference.

Easterly also implored the audience to stop "glamorizing" crime gangs with fancy poetic names. How about "Scrawny Nuisance" or "Evil Ferret," Easterly suggested.

Even calling security holes "software vulnerabilities" is too lenient, she added. This phrase "really diffuses responsibility. We should call them 'product defects,'" Easterly said. And instead of automatically blaming victims for failing to patch their products quickly enough, "why don't we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors."

Why does software require so many urgent patches? We need to demand more of vendors

While everyone in the audience at the annual infosec conference has job security, Easterly joked, it's also the industry's role to make it more difficult for miscreants to compromise systems in the first place.

"Despite a multi-billion-dollar cyber security industry, we still have a multi-trillion-dollar software quality issue leading to a multi-trillion-dollar global cyber crime issue," Easterly lamented.

While no one would buy a car or board an airplane "entirely at your own risk," we do that every day with the software that underpins America's critical infrastructure, she added.

"Unfortunately we have fallen prey to the myth of techno exceptionalism," Easterly opined. "We don't have a cyber security problem – we have a software quality problem. We don't need more security products – we need more secure products."

This is a drum Easterly has been beating since she took the helm of the US cyber defense agency. She tends to bang it louder at industry events, such as the annual RSA Conference where she told attendees secure code "is the only way we can make ransomware and cyber attacks a shocking anomaly."

Naturally, if writing flawless code was super easy, it would be done without fail. Some developers are clearly careless or clueless, leading to vulnerabilities and other bugs, and sometimes skilled humans with the best intentions simply make mistakes. In any case, Easterly isn't happy with the current defect rate.

Also at RSAC, nearly 70 big names – including AWS, Microsoft, Google, Cisco, and IBM – signed CISA's Secure by Design pledge – a commitment to "make a good-faith effort to work towards" seven secure-software goals within a year, and be able to measurably show their progress.

At mWise, Easterly revealed that number has grown to nearly 200 vendors.

But the pledge remains voluntary, so software companies who fail to follow its guidelines – such as increasing the use of multi-factor authentication across their products and reducing default passwords – aren't going to be slapped down if they ignore it.

Easterly wants that to change. She suggested technology buyers use their procurement power to pressure software vendors, by asking suppliers if they have signed the pledge – and, hopefully, done more than just put ink to paper in terms of building secure-by-design [PDF] products.

To this end, CISA just published guidance that organizations buying software can use, and questions they should ask manufacturers, to better understand if they are prioritizing security in the product development life cycle.

"Use your voice, take an active role, use your purchasing power to advance secure by design, by demanding it," Easterly urged.

And then cross your fingers and pray that more and more vendors really do begin to take things like pre-release software testing and secure code to heart. ®

RECENT NEWS

From Chip War To Cloud War: The Next Frontier In Global Tech Competition

The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor ... Read more

The High Stakes Of Tech Regulation: Security Risks And Market Dynamics

The influence of tech giants in the global economy continues to grow, raising crucial questions about how to balance sec... Read more

The Tyranny Of Instagram Interiors: Why It's Time To Break Free From Algorithm-Driven Aesthetics

Instagram has become a dominant force in shaping interior design trends, offering a seemingly endless stream of inspirat... Read more

The Data Crunch In AI: Strategies For Sustainability

Exploring solutions to the imminent exhaustion of internet data for AI training.As the artificial intelligence (AI) indu... Read more

Google Abandons Four-Year Effort To Remove Cookies From Chrome Browser

After four years of dedicated effort, Google has decided to abandon its plan to remove third-party cookies from its Chro... Read more

LinkedIn Embraces AI And Gamification To Drive User Engagement And Revenue

In an effort to tackle slowing revenue growth and enhance user engagement, LinkedIn is turning to artificial intelligenc... Read more