The Cybersecurity and Infrastructure Security Agency launched a new phase of its Secure by Design effort Tuesday in a bid to get manufacturers to incorporate greater security into their software and other products.
CISA, along with 17 U.S. and international partner agencies, rolled out the revised guidance after months of feedback from companies, individuals and non-profit organizations.
CISA plans to issue a request for information in the next few weeks to address Secure by Design engineering, according to a Tuesday blog post. CISA is also urging software manufacturers to demonstrate evidence they are incorporating security into their products through the use of artifacts.
Software artifacts are pieces of data or test results gleaned during the development process that can demonstrate that a product has been developed in a secure environment. This includes design documents, developer training certificates and build logs.
The updated guidance also includes language on how security needs to apply to artificial intelligence software as well.
The multibillion-dollar cybersecurity industry has been developed around misaligned incentives, CISA Director Jen Easterly said Tuesday at the Singapore International Cyber Week conference.
“We have perversely normalized a world where the technology that underpins the critical services that we rely on for water, for healthcare, for power, for transportation, for communication — the devices we rely on every minute of every day, are all built on an insecure technology foundation,” Easterly said during a panel discussion at the conference.
The burden for security falls on small businesses and individuals who can least afford it. The tech industry focuses on speed to market, driving down costs and adding cool features instead of emphasizing security, furthering the normalization of misaligned incentives, according to Easterly.
“Essentially, it’s given us a shaky technology platform,” Easterly said. “And it is unacceptable.”
The revised guidance includes an emphasis on making sure manufacturers develop products secure by default.
The Biden administration, as part of its national cybersecurity strategy, called for software and other technology firms to incorporate secure by design concepts into their development process.
A core tenet of the strategy has been to hold the technology industry accountable for making sure security is built into their products at the development stage, and has signaled plans to go to Congress to enforce those ideas into law.
This means software needs to be secure out of the box and does not require customers to make multiple configuration changes or pay additional fees to add security features.
The focus on default security was highlighted by the malicious attack against Microsoft, which led to thousands of State Department and other government emails being stolen by suspected state-backed hackers linked to the China.
Microsoft entered a partnership with CISA to end its policy of charging customers for security logs, after federal officials tipped off the company that it was being hacked.