The Cybersecurity and Infrastructure Security Agency plans to release an overview of the Biden administration’s secure-by-design principles Thursday, providing the technology industry with a roadmap to hold software producers and other manufacturers accountable for product security.
CISA Director Jen Easterly teased the plan during a fireside chat with CrowdStrike CEO George Kurtz at the CrowdStrike Government Summit Tuesday.
The plan represents a major shift by federal authorities to push the technology industry into making products with built-in security protocols. CISA has been working with federal agencies and international partners to formulate the plan.
“For years and years, we’ve accepted software that is focused on speed to market, cool features, driving down the costs, but not on safety and security,” Easterly told Kurtz. “It’s incredibly important that we now focus on ensuring that the software that powers our lives is both secure by design and secure by default.”
Instead of blaming targeted organizations for cybersecurity breaches, Easterly said there needs to be a greater focus on the underlying causes of breaches. For example, software users should not be forced to continuously apply patches in order to maintain security; flawed security needs to be addressed up front.
Easterly and Kemba Walden, acting national cyber director, have emphasized in recent appearances that the burden of maintaining software security needs to shift. Security maintenance should move from consumers and small businesses to those organizations with the funding, expertise and personnel to invest in software security.
Easterly also said there needs to be a way to migrate to memory-safe code, such as Rust, Java, Python or C#. Easterly touched on this during a historic address earlier this year at Carnegie Mellon University.
There is an economic aspect to the secure by design push that will also need to be addressed, Kurtz said.
Kurtz doesn’t think any software coder or software company wants to build crappy software, but there needs to be an assessment of the product life cycle and how to make sure a product can remain secure over a certain period of time.
Several key stakeholders have publicly embraced the administration's push, including Google, which came out in support of the industry taking greater ownership of software security. Google and other stakeholders have engaged the administration in ongoing talks about how to move forward, as the new posture would likely require congressional action and other changes.
“We support the administration's emphasis on secure by design, and we look forward to continued collaboration with the government on developing this concept further,” a Google spokesperson said last week via email.