Cybersecurity and Infrastructure Security Agency Director Jen Easterly called for a transformative shift to put the onus on the technology industry to infuse security into their products during the design phase.
Easterly, speaking Monday in an address at Carnegie Mellon University, said the country can no longer keep blaming and shaming technology customers after they are targeted by sophisticated adversaries, including nation-state adversaries such as China and Russia.
Accepting the continued use of unsafe technology products presents a greater risk to the nation than the Chinese spy balloon that was shot down off the coast of South Carolina and cannot be allowed to continue, Easterly said.
“By design, we’ve normalized the fact that technology products are released to market with dozens, hundreds or thousands of defects — such poor construction would be unacceptable in any critical field,” she said during the address.
The burden for cybersecurity has disproportionately been placed on consumers and small organizations who are least aware of the threats or able to protect themselves.
Easterly said no one would be expected to go out and buy a car that lacked seat belts and air bags as standard features, and nobody should be expected to go out and pay additional money for secure technology products.
Government can advance legislation to prevent technology companies from disclaiming liability by establishing higher standards of care, Easterly said. In addition, a safe harbor framework can shield companies that develop secure products.
“In cybersecurity we have put all the responsibility on the consuming organizations, blaming them and discouraging them from disclosing information that would allow others to design safer products,” Mark Horvath, senior director analyst at Gartner, said via email.