The head of the Cybersecurity and Infrastructure Security Agency called the status quo in commercial cybersecurity today “unsustainable,” saying companies, consumers and government must collectively shift their expectations to make major software and hardware manufacturers - not users - responsible for insecure products.
The Biden administration is expected to release a strategy in the coming days that will put a larger emphasis on regulating the security and safety design choices of technology manufacturers.
In a Feb. 27 speech at Carnegie Mellon University, Easterly said U.S. policymakers — as well as consumers and users of third-party products — have allowed software programs riddled with vulnerabilities or hardware that can be attacked at almost every level to become the norm.
“We’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations, who are often least aware of the threat and least capable of protecting themselves. We’ve normalized the fact that security is relegated to the IT people in smaller organizations, or to a chief information security officer and enterprises,” said Easterly. “But few have the resources and influence or accountability to incentivize adoption of products in which safety is appropriately prioritized against cost, and speed to market and features.”
While the U.S. collectively reacted with shock and anger at the sight of a surveillance balloon launched by China that crossed over American borders earlier this month, Easterly noted that Beijing’s decades-long campaign of cyber-enabled espionage and intellectual property theft has been far more damaging to U.S. economic and national security, even if those intrusions aren’t similarly visible to the naked eye.
Every year, the public learns about hundreds of major breaches of organizations through news media, breach disclosure laws, ransomware leak sites and other sources. Those represent just a fraction of the problem, as countless other intrusions go either unreported or undisclosed.
Adversaries like Russia and China, as well as ransomware groups and cybercriminals, will continue to take advantage of that paradigm until the private sector emphasizes security and safety on the front end, rendering events like “Patch Tuesday” as an anachronism.
“The cause, simply put, is unsafe technology products, and because the damage caused by these unsafe products is distributed and spread over time, the impact is much more difficult to measure, but like the balloon, it’s there,” said Easterly. “It’s a school district shut down, a patient forced to divert to another hospital, another patient forced to cancel a surgery. A family defrauded of their savings, a gas pipeline shutdown, a 160-year-old college forced to close its doors because of a ransomware attack, and that’s just the tip of the iceberg.”
Easterly: Manufacturers best-positioned to secure technology
Easterly called for a new model where society places responsibility for securing technology on larger manufacturers, or “those most capable and in best position to do so.” This includes having a “radically” transparent disclosure process for vulnerabilities as well as internal statistics around the use of multifactor authentication and other basic protections, shifting software development to memory-safe programming languages and the standardization of basic security features — like logging, identity protection and access controls — into base rate packages rather than as an added feature in higher priced tiers.
She also threw out a number of possible legislative options for Congress to consider, including barring manufacturers from structuring their contracts and terms of service to disclaim all liability for security incidents that stem from the use of their products, establishing higher security standards for software used in certain critical infrastructure sectors and developing a legal framework to provide Safe Harbor from liability for companies that do take meaningful steps to securely develop and maintain their products.
Later during a Q&A, Easterly said she might be in favor of excluding companies that have been hit by well-resourced and sophisticated nation-states from legal liability, but noted those attacks represent only a small fraction of the malicious cyber activity that hits American citizens and businesses every day.
While executives from companies like Google and Microsoft have made public comments endorsing similar principles of moving towards security by design and put some initiatives in place, it remains to be seen how much they would ultimately embrace the kind of regulations Easterly and the Biden administration have in mind. Such bills, if pursued over the next two years, would also have to pass through a Republican-controlled House, no small feat.
While regulation is expected to be a major component of the Biden administration’s cyber strategy, it is one of numerous pillars of action described in earlier drafts, and Easterly stressed that regulation by itself won’t solve our collective problems. Other avenues — such as using the government’s purchasing power to drive better baseline security among its hundreds of thousands of contractors, continuing cooperative projects like the Joint Cyber Defense Collaborative and the broader adoption of safer software development practices like memory safe languages and software bills of material — can also have a significant impact on many of the same problems.
As difficult as this effort will be, Easterly warned that settling for the status quo will result in far more pain — in both the cyber and physical realms — for American consumers and businesses down the line.
“Imagine a world where none of the things we talked about today come to pass, where the burden of security continues to be placed on consumers or technology manufacturers continue to create unsafe products or upsell security as a costly add-on feature, where universities continue to teach unsafe coding practices, where the services that we rely on every day remain vulnerable. This is a world that our adversaries are watching carefully and hoping never changes,” she said.