Skip to main content
close search
site logo

3 CISA principles for secure by design

The Biden administration is expected to emphasize safer development practices when it rolls out the national security strategy for cyber.

Published Feb. 28, 2023
David Jones's headshot
Reporter
Jen Easterly, CISA director, Black Hat keynote
Samantha Schwartz/Cybersecurity Dive

Federal authorities and leading industry experts have reached a conclusion: technology customers can no longer afford to hunt down every single security flaw embedded in the applications they use.  

This has resulted in a major shift in responsibilities. Biden administration officials are asking technology companies to incorporate better security into their products during the design and development phase. 

“As we’ve integrated technology into nearly every facet of our lives, we’ve unwittingly come to accept as normal that such technology is dangerous by design,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Monday in an address at Carnegie Mellon University

CISA is working to lay out three core principles for a secure by design ethos: 

  • The burden of safety should never fall solely on the customer and industry needs to take ownership of security outcomes.
  • Manufacturers need to embrace radical transparency to disclose and help consumers better understand the scope of consumer safety challenges.
  • Tech industry leaders need to focus on building safe products and publish road maps explaining how they will develop and update secure by design technology.

CISA is attempting to move the debate away from blaming and shaming customers, many of them small- to medium-sized businesses that lack the sophistication, to tech companies, which are often failing to flag and test many security problems prior to delivery. 

Easterly invoked the 20th century push by consumer advocate Ralph Nader to force Detroit to embed driver safety concerns into the design of their automobiles. 

Like the automotive industry in the 1960s and '70s, when Nader called out the lack of crash protection built into seat belts or the later push for airbags, there is a growing sense that industry can do more to create safer products.  

“It is very clear that the current approach of allowing speed to market to take precedence over safety, security and trustworthiness is not sustainable,” Katell Thielemann, VP analyst at Gartner, said via email. 

Easterly also called out the head in the sand approach of failing to share intelligence, relegating security to the IT people in organizations. 

This enables threat actors to go back to the same playbook over and over again and launch attacks using the same methods that compromise other organizations, she said. 

The pattern of ignoring increasingly severe problems is an example of the “normalization of deviance,” Easterly said, a theory advanced by sociologist Diane Vaughan, in a book written about the 1986 explosion of the space shuttle Challenger. 

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell