- The multibillion-dollar cybersecurity industry is the result of misaligned incentives, where the technology industry prioritized speed to market over security, said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, at a Hack the Capitol event Wednesday.
- Easterly's comments build on the federal push to place the burden of security on technology providers rather than their customers, a core part of the recently released national cyber strategy.
- As artificial intelligence and generative AI solutions descend into the technology ecosystem, the same concerns of security falling to the wayside apply. "I think we need to be very, very mindful of making some of the mistakes with artificial intelligence that we've made with technology," Easterly said.
U.S. cybersecurity officials are out in force to drive home the core tenets of the national cyber strategy in an effort to shore up critical infrastructure. This week Acting National Cyber Director Kemba Walden touched on how the strategy was mostly well received. And Anne Neuberger, deputy national security advisor for cyber and emerging technologies, outlined efforts to counter ransomware, with some consideration for a ban on ransom payments.
Easterly, too, is doing her part to rally the technology industry and critical infrastructure maintainers to rethink security.
"We don't have a cyber problem, we have a technology and culture problem," Easterly said. "Because at the end of the day, we have allowed speed to market and features to really put safety and security in the backseat."
No place in technology embodies the rush of speed to market better than generative AI. The craze OpenAI sparked through its release of ChatGPT has launched a race to incorporate the technology into every facet of the enterprise tool chain.
Microsoft, Google and AWS moved to weave in generative AI offerings, and this week IBM followed suit. Vendors are incorporating AI into core products end users work with, from Slack to Google's productivity suite, including Docs and Sheets.
That's not to say these products are insecure. Rather, they've just hit the market rapidly and are overhauling how users interact with technology.
For Easterly, the primary way to catalyze a more sustainable approach to security that's not talking about how many attacks have happened post-mortem is to shift security as far left as possible.
That way technology manufacturers and software providers, which are trillion-dollar companies, bear a much greater burden, she said.
"They're owning the outcomes of security, which means that they're developing technology that's secure by design, meaning that they're tested and developed to reduce vulnerabilities as much as possible," Easterly said. "It's not going to go to zero."
But, Easterly said, companies can drive down the number of vulnerabilities without expecting customers to rush to patch every month when vulnerabilities are released.