The Cybersecurity and Infrastructure Security Agency, joined by key federal agencies and international partners, released a highly anticipated set of principles and procedures created to push responsibility for product security onto the shoulders of the global technology industry.
The Biden administration is admonishing the world’s largest software makers to make sure these products have security built in as a key component during the design and production phase.
“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” CISA Director Jen Easterly said in an emailed statement. “These secure by design and secure by default principles aim to help catalyze industrywide change across the globe to better protect all technology users.”
CISA was joined by the FBI, the National Security Agency and national cybersecurity authorities from the U.K., Canada, Germany, the Netherlands, Australia and New Zealand.
The guidelines are core tenets of the Biden administration’s national cybersecurity strategy, which is a multilayered policy blueprint designed to protect the U.S. and a growing alliance of global partners from a rising wave of malicious cyber activity by rogue nation states and criminal actors.
The goal is to shift liability away from consumers, small businesses and underserved providers of critical infrastructure. The burden, instead, should fall to global software and services providers that make billions of dollars in profits on the backs of customers that are highly dependent on these technologies to perform essential functions.
Officials want these companies not only to incorporate secure practices into product design and production, but also to make full and transparent disclosures when flaws are discovered that could put customers at risk of imminent attack or data breaches.
“We want the organizations to think a lot more about the ways in which they build their products, how they measure quality and how they measure uptake of certain security features,” said Bob Lord, senior technical advisor at CISA, who was one of the lead participants in drafting the guidelines.
Authorities have already begun to engage key stakeholders on the proposed changes, and while leading industry figures have embraced the proposals, there is wide understanding that they will require massive changes in industry culture and in decades-long business practices.
Congress will likely need to step in, officials said, to create a strong enforcement mechanism through regulatory changes. However, during the initial phases, technology executives at the highest levels are going to need to drive cultural changes from the top down into their respective companies.
Authorities want software manufacturers to use tailored threat models as part of the product development phase, in order to help prevent potential threats from compromising systems and gaining access to data.
The proposed changes will likely create the need for new investments and a transparent way to measure how well these organizations are doing in terms of reaching these new security goals.
Biden administration officials have already raised the prospect of using federal purchasing power to help the software industry maintain high levels of security in their products.
“The document is remarkable, perhaps less for the specific technical guidance it provides, than the aggressive, wide-reaching vision it promotes,” Dale Gardner, senior director analyst at Gartner, said via email.
Most of the tools and designs listed have been known for years, even decades, according to Gardner.
But the most important aspect of the CISA plan is the recognition that inadequate use of existing technology is a problem that is actually solvable – if the political will exists to do so.
“These changes will not come easily, in no small part because they require a shift in mindsets and priorities – and investments in training, tools and processes,” Gardner said.