SAN FRANCISCO — The Cybersecurity and Infrastructure Security Agency isn’t inclined to call out technology vendors when their fundamental errors impact customers — officials contend they can make a greater impact by discerning and generalizing those mistakes for a broader audience.
“We have to use multiple levers to be able to secure an ecosystem that for years, for decades has been broken,” CISA Director Jen Easterly said Tuesday in a media briefing at the RSA Conference.
“It requires things like calling out companies when companies clearly do things that can damage national security, but it also requires real partnerships with these companies,” Easterly said. “We’re not a regulator, we’re not a law enforcement agency, we are a partnership agency whose success is very much predicated on working by, with and through partners.”
The Cyber Safety Review Board’s report last month about a China-affiliated threat group’s intrusion and compromise of Microsoft Exchange accounts in May 2023 is a clear and recent example of the federal government calling out a specific vendor for its security failings.
Yet the stinging conclusions and criticism the CSRB levied against Microsoft are the exception, not the norm.
The Department of Homeland Security and CISA stood up the 15-member board with a mix of government officials and cybersecurity experts in February 2022. Four private sector executives joined the board earlier this month to replace departing members.
Last month’s CSRB report was the first on a specific vendor — the two previous reports focused on the Log4j vulnerability and the Lapsus$ ransomware group.
The most recent CSRB report exemplifies how a vendor’s business decisions led to insecure and harmful outcomes for its customers, said Eric Goldstein, executive assistant director for cybersecurity at CISA.
“It’s also the case that a given insecure decision by a vendor is likely generalizable across a class of vendors,” Goldstein said.
For CISA, this comes in the form of the agency’s secure by design alert series, which distills specific vulnerabilities and malicious activities into a more widely applicable message and call to action for vendors.
These alerts allow CISA to highlight where businesses can make decisions differently for the good of security at large, Goldstein said.
“We are working to generate a secure-by-demand signal where customers will know what to ask for,” Goldstein said. “That’s actually a more effective way of driving scalable change than just pointing out a single vendor that might be emblematic of a problem.”
CISA leaders aren’t keen to publicly judge or criticize technology vendors by name, in part because many companies are saddled with legacy technology and investment decisions that prioritized speed to market and features, not security.
No CISO wants to be responsible for a major breach or intrusion on the federal civilian executive branch — they all want to create secure products, but they’re dealing with decades of business decisions that paid less attention to security, Easterly said.