Speaking at the Black Hat security conference in Las Vegas, Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the urgent need for the technology industry to overhaul its approach to software development. Addressing a large audience, Easterly argued that fixing cybersecurity issues requires addressing the root cause: the quality of software. Her remarks mark a pivotal moment in which industry practices face serious scrutiny, and substantial changes are expected in how software is built and deployed.
Easterly’s comments come amid a series of high-profile security breaches that have spotlighted the vulnerabilities inherent in current software products. In past discussions, experts have often focused on external threats and the need for robust cybersecurity defenses. Easterly, however, shifted the spotlight to the internal processes of technology companies, underscoring that security flaws are not merely the product of external threats but are deeply embedded in the software development lifecycle itself.
Blaming the Industry
Easterly did not mince words in her critique of the technology industry, stating,
“We don’t have a cybersecurity problem. We have a software quality problem,”
and further adding,
“We have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software.”
These statements underscore the significant responsibility placed upon vendors to improve their development practices.
Secure by Design Pledge
To tackle these issues, Easterly announced that CISA has launched a secure by design pledge, which has garnered the support of 200 companies since March. This initiative aims to ensure that security principles are integrated from the start in product development. Easterly argued that the time has come for software vendors to stop viewing vulnerabilities as unavoidable and start treating them as serious defects, comparable to those in other industries.
Policy and Regulation
The Biden administration is contemplating software liability reform to hold companies accountable for security flaws. This would potentially allow those affected by software issues to seek legal recourse. A recent example involving Delta and cybersecurity vendor CrowdStrike highlighted the limitations of current liability waivers: Delta considered suing after an update disrupted its operations, only to find that the vendor’s liability was capped at a minimal amount. Easterly and National Cyber Director Harry Coker both called for legislative action to reform liability standards and improve resilience against cyberattacks, particularly those affecting critical infrastructure.
As part of a broader strategy, Coker expressed support for a bipartisan Senate bill aimed at harmonizing regulatory requirements to streamline cybersecurity mandates. He also mentioned ongoing efforts by the Department of Treasury to develop a federal cyber insurance backstop for catastrophic events, although this initiative is still in its early stages.
Easterly’s call for a transformative shift in how software is developed and secured reflects a growing consensus that quality and security must be foundational elements, not afterthoughts. The secure by design pledge and potential liability reforms could mark significant steps towards addressing these long-standing issues. For readers and industry professionals, these developments indicate a critical juncture where proactive measures could lead to more secure and reliable technological ecosystems.