LAS VEGAS — Despite a stream of devastating cyberattacks or mistakes that halt or disrupt large swaths of the economy, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, says the war against malicious activity is not lost.
It is possible to elevate organizations’ ability to repel or mitigate attacks and place a greater emphasis on vendors’ responsibilities, Easterly said Wednesday during a media briefing at Black Hat. “We got ourselves into this, we have to get ourselves out,” she said.
Easterly’s optimism isn’t the result of blind trust. “We have made enormous progress, even just over the past several years,” she said.
The U.S. government has strengthened connections with businesses and international partners, and more CEOs and boards are treating cyber risk as a core business function. They're embracing corporate cyber responsibility as a matter of governance, rather than relegating it to IT professionals and security leaders, Easterly said.
But above all else, CISA’s secure by design initiative holds the greatest promise in the fight against malicious activity, according to Easterly. The initiative, CISA’s most aspirational objective since Easterly joined the agency in 2021, aims to shift the responsibility for security from customers to vendors.
“I think the war will be won when we are truly able to catalyze an approach to secure by design software. That is the one key initiative that we all need to focus on deliberately and it’s a really hard problem,” Easterly said.
The secure by design principles, first introduced in April 2023, took the form of a voluntary pledge in May with 68 technology companies signing on to embrace secure development practices. Nearly 200 companies have signed the pledge to date.
Easterly said she believes building secure software from the outset is the only way to produce a sustainable, scalable approach to cybersecurity.
A year to remember, a year to forget
This year has been rife with major attacks that exemplify the mess defenders and federal authorities are determined to make less common and less damaging.
A February ransomware attack brought a significant portion of the healthcare industry’s billing operations to a standstill for months, and more than 100 businesses were compromised by a wave of attacks targeting Snowflake customer environments in April.
Last month, an ill-fated CrowdStrike software update took global IT systems and networks offline in what is widely regarded as one of the largest IT outages in history.
That’s just a recap of the big hits of 2024, so far. Yet, Easterly is not deterred and she remains hopeful the tide will turn.
Multiple federal agencies and international partners are trying to address the root of the problem by prodding technology vendors to design, develop, test and deploy software with fewer flaws.
“We have to recognize that the cybersecurity industry exists because technology vendors for decades have been allowed to create defective, flawed, insecure software that prioritizes speed to market features over security,” Easterly said.
“There is more we can do but that’s where the war will be won,” Easterly said. “If we put aside the threat actors and we put aside the victims and we talk about the vendors.”
Disclosure: Black Hat and Cybersecurity Dive are both owned by Informa. Black Hat has no influence over Cybersecurity Dive’s coverage.