The Cybersecurity and Infrastructure Security Agency wants receipts from all parties involved far and wide as it advances on its quest to push the responsibility for security to manufacturers and vendors instead of customers.
Following CISA’s revised guidance urging technology companies to prove they are incorporating security into their products with detailed data and logs, Bob Lord, senior technical advisor at CISA, explained how these responsibilities fall on various hardware and software stakeholders in a Thursday blog post.
“The security of consumer and enterprise products are not acts of fate. Security is the result of many conscious and continuous choices made by manufacturers starting even before products are designed,” Lord said.
Lord framed secure-by-design principles in the context of "juice-jacking," where malware is installed on mobile phones via public USB charging stations. While evidence of juice-jacking is lacking, and reports are unconfirmed, it’s not impossible because any code can have security defects and unsafe defaults, Lord said.
The hypothetical, according to Lord, presents some key questions:
- How are phone manufacturers responding to the vulnerabilities linked to these attacks? Did they commit to fixing the problem, and by when?
- Are specific pieces of hardware more vulnerable than others?
- Does this alleged threat affect all mobile device operating systems?
- Can users change any settings or configurations to prevent these attacks? Can manufacturers make those settings the default in future versions?
- How can users check their phones for signs of compromise? Can manufacturers improve dialogs or confirmation alerts to help users take more appropriate actions?
The focus should be on what manufacturers are doing to keep their customers safe, not the damage attackers might be inflicting on their victims, Lord said.
“We should frame the debate in terms of empowerment rather than continue to imply our helplessness,” Lord said. “Simply put, manufacturers must develop products that are secure by design rather than putting the burden of safety on customers.”