Dive Brief:
- The Cybersecurity and Infrastructure Security Agency said Wednesday that 68 technology companies — ranging from Microsoft and Google to Palo Alto Networks — made voluntary commitments to embrace secure development practices as part of a larger push to lower the risk of malicious attacks.
- The firms signed a secure-by-design pledge, which asks organizations over the next 12 months to build security safeguards into their products, such as increasing the use of multifactor authentication and reducing the use of default passwords.
- The companies also agreed to create more transparency around vulnerability disclosures and share information about security incidents affecting their products.
Dive Insight:
The pledge is part of a larger effort by CISA to push secure-by-design practices, in which software makers and other technology companies build security into their products during the design and development stages.
CISA Director Jen Easterly, speaking at the RSA Conference Wednesday, said the past year has been a very challenging one for the industry, with malicious activity from Volt Typhoon and other threats.
Neither the federal government nor the security community could truly stand up to these growing threats, she said.
“I have to say, it takes real courage to stand up and say that you are willing to take, to make seismic changes to an industry that over decades really was not prioritizing security at the very top,” Easterly said. “It was always that security was bolt on.”
What is unclear about the pledge is just how willing these companies would be to follow through on the commitments; the pledge is voluntary and CISA lacks an enforcement mechanism.
Speaking during a panel discussion held at the pledge rollout event, Bret Arsenault, corporate VP and chief cybersecurity advisor at Microsoft, said the pledge was in line with many of the commitments the company recently made as part of its Secure Future Initiative.