The CEO of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, referred to the current state of commercial cybersecurity as "unsustainable," and she argued that businesses, consumers, and the government as a whole needed to change their expectations so that the major software and hardware manufacturers, not users, would be held accountable for insecure products.
A policy from the Biden administration that will place more of an emphasis on controlling the security and safety design decisions made by technology makers is anticipated to be released in the coming days.
In a speech given on February 27 at Carnegie Mellon University, Easterly claimed that American lawmakers, consumers, and users of third-party products had allowed software programmes rife with flaws or hardware that was vulnerable on practically every level to become the standard.
“We’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations, who are often least aware of the threat and least capable of protecting themselves. We’ve normalized the fact that security is relegated to the IT people in smaller organizations, or to a chief information security officer and enterprises,” stated Easterly. “But few have the resources and influence or accountability to incentivize adoption of products in which safety is appropriately prioritized against cost, and speed to market and features.”
Easterly pointed out that while the U.S. reacted collectively with shock and anger at the sight of a surveillance balloon launched by China that crossed over American borders earlier this month, Beijing's decades-long campaign of cyber-enabled espionage and intellectual property theft has been far more detrimental to U.S. economic and national security, even if those intrusions aren't similarly visible to the naked eye.
The public hears about hundreds of significant breaches of corporations each year through the mainstream media, legislation requiring breach disclosure, ransomware leak sites, and other sources. These are only a portion of the problem, because a great number of other intrusions go unnoticed or unreported.
Until the commercial sector prioritises security and safety on the front end, making rituals like "Patch Tuesday" an anachronism, adversaries like Russia and China, ransomware groups, and hackers will continue to take advantage of the current paradigm.
“The cause, simply put, is unsafe technology products, and because the damage caused by these unsafe products is distributed and spread over time, the impact is much more difficult to measure, but like the balloon, it’s there,” said Easterly. “It’s a school district shut down, a patient forced to divert to another hospital, another patient forced to cancel a surgery. A family defrauded of their savings, a gas pipeline shutdown, a 160-year-old college forced to close its doors because of a ransomware attack, and that’s just the tip of the iceberg.”
Role of large businesses
The biggest firms, or "those most capable and in greatest position to do so," should be held accountable by society for protecting technology, according to Easterly. This includes standardising basic security features, such as logging, identity protection, and access controls, into base rate packages rather than as an added feature in higher priced tiers. It also includes having a "radically" transparent disclosure process for vulnerabilities as well as internal statistics around the use of multifactor authentication and other basic protections.
She also suggested a number of legislative options for Congress to take into consideration, such as prohibiting manufacturers from structuring their contracts and terms of service to disclaim all liability for security incidents resulting from the use of their products, establishing higher security standards for software used in specific critical infrastructure sectors, and creating a legal framework to provide Safe Harbor from liability for businesses that do take meaningful security measures.
Later, during a Q&A session, Easterly said she might be in favour of excluding from legal liability businesses that have been attacked by well-funded and knowledgeable nation-states, but she emphasised that these attacks represent just a small portion of the malicious cyber activity that affects American citizens and businesses every day.
Although executives from firms like Google and Microsoft have made public statements endorsing similar principles of moving towards security by design and implemented some initiatives, it is still unknown how much they will ultimately embrace the regulations that Easterly and the Biden administration have in mind. Any legislation would need to clear the Republican-controlled House, which is no easy task, if it were to be pursued during the next two years.
While regulation is anticipated to play a significant role in the Biden administration's cyber strategy, it is just one of many pillars of action that were mentioned in earlier drafts, and Easterly emphasised that regulation won't be able to address all of our problems on its own. Many of the same issues can also be solved through other means, such as using the government's purchasing power to encourage better baseline security among its hundreds of thousands of contractors, continuing collaborative initiatives like the Joint Cyber Defense Collaborative, and encouraging wider adoption of safer software development techniques like memory-safe languages and software bills of materials.
Easterly cautioned that, despite how challenging this effort will be, continuing with the status quo will cause American consumers and businesses much more harm in the long run – in both the cyber and physical spheres.
“Imagine a world where none of the things we talked about today come to pass, where the burden of security continues to be placed on consumers or technology manufacturers continue to create unsafe products or upsell security as a costly add-on feature, where universities continue to teach unsafe coding practices, where the services that we rely on every day remain vulnerable. This is a world that our adversaries are watching carefully and hoping never changes,” she concluded.