Industry experts addressed the House Homeland Security Subcommittee, discussing the effectiveness of the Cybersecurity and Infrastructure Security Agency’s (CISA) secure-by-design initiative. They acknowledged progress made over the past two years but emphasized the need for enhanced incentives and better-trained developers. The discourse also touched on the integration of operational technology and the role of emerging technologies like generative AI in improving cybersecurity measures.
Tech leaders have previously supported CISA’s efforts, noting incremental advancements in industry-wide cybersecurity practices. However, the current discussions reveal persistent issues such as inadequate training for developers and the exclusion of operational technology, which were not as prominently highlighted in earlier evaluations of the initiative.
How Can Incentives Improve the Secure-by-Design Initiative?
Shane Fry, RunSafe Security’s CTO, suggested that providing incentives could encourage more companies to adopt secure-by-design practices.
“Let’s work with Congress and find a good way, or CISA to find a good way, to incentivize these companies to actually secure their systems,” he stated, pointing out the limitation of focusing solely on IT systems.
What Role Do Memory-Safe Languages Play in Enhancing Security?
Jim Richberg from Fortinet highlighted the importance of developing tools for memory-safe languages to reduce vulnerabilities.
“Eliminating whole classes of vulnerabilities was intended as the stretch goal for companies like Fortinet and Google,” Richberg explained, noting the significant challenges even large companies face in achieving these goals.
Can Generative AI Address Developer Training Shortcomings?
Heather Adkins of Google believes that generative AI could aid in mitigating security issues related to developer training.
“We’ve had to spend a lot of time really innovating in that space to make sure that the way we write code is safe,” Adkins mentioned, though she acknowledged that not all companies have the resources to leverage AI effectively.
Addressing the persistent challenge of undertrained developers remains critical for the success of CISA’s initiative. Enhancing training programs and expanding the scope to include operational technologies could provide a more comprehensive security framework. Additionally, fostering collaboration between government agencies and the private sector might offer the necessary support and resources to overcome current obstacles.
The ongoing commitment of both CISA and industry leaders is essential to strengthen the secure-by-design framework. By tackling the identified shortcomings, the initiative can better protect critical infrastructure and enhance national cybersecurity resilience. Future legislative support and continuous innovation will play pivotal roles in sustaining and advancing these security efforts.