The tech industry has the power to protect the world from nation-state threat attacks, cyber crime and those wanting to compromise data and manipulate critical infrastructure. But with this power comes great responsibility, which, to be honest, the tech industry has not been that interested in holding.
But at the RSA Conference (RSAC) in San Francisco, the cybersecurity and tech communities took steps to exert some power and take responsibility. They took the Secure by Design pledge, a promise to make a good-faith effort to ensure security measures are built into software and to work toward meeting seven security goals over the coming year.
“With the widespread public use of increasingly connected devices, there is a real urgency that everybody feels and is highly aware of. It is all about developing new and retrofitting old technologies and software with security as a core consideration,” Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), told a full room of representatives from a wide range of tech and cybersecurity companies, both large and small.
However, Easterly added, given the ever-changing and unprecedented level of cyber threats, especially those targeting the government and critical infrastructure, time has taken on a more important role. We can’t wait around for innovations to happen or to develop responses to new attacks.
“We have to make security a priority right now,” Easterly said. That’s the impetus of the Secure by Design movement. “The federal government can’t do this alone.” Private industry — the companies in the best position to address cybersecurity threats — is also best suited to take on the burden of managing security risks from the beginning of the development process.
Taking the pledge
When Secure by Design was introduced in 2023, 17 partners signed on to a white paper that began a global discussion about the principles of Secure by Design. In December 2023, CISA also introduced its Secure by Design alert series, which highlights how software manufacturers can eliminate entire classes of vulnerabilities. One recent alert, for instance, was about SQL injections, while another was on path traversal. These are steps that follow the Biden Administration’s cybersecurity strategy’s goal to take the burden of cybersecurity off the shoulders of business owners and software users and put the onus on the technology companies that can actually fix and prevent security risks.
The next step came on May 8 at RSAC, when nearly 70 companies voluntarily signed the pledge to put greater emphasis on security in features and taking the time to make sure the infrastructure has addressed potential vulnerabilities before the product is pushed to market. Since then, the number of companies signing on to the pledge has increased to nearly 100.
Those companies who have made the pledge include well-known tech giants like IBM, Google and Microsoft, as well as a variety of large and small cybersecurity companies. Many of the companies attending Easterly’s talk have already begun to implement the principles of Secure by Design, including some startups whose business is built around these principles.
What it means to take the Secure by Design pledge
According to CISA, the pledge is structured around seven goals, each with a core criteria. Every software manufacturer participating in the pledge will have the authority to decide how best to meet and demonstrate the core criteria of each goal within the parameters of their business.
These seven goals are:
- Implement multi-factor authentication across products
- Reduce or eliminate default passwords
- Reduce classes of vulnerabilities
- Increase installation of security patches
- Develop and publish a vulnerability disclosure policy that authorizes testing by members of the public on products
- Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products
- Provide customers with the ability to gather evidence of cybersecurity intrusions affecting the manufacturer’s products
CISA is the agency spearheading Secure by Design, but it will be up to each organization that has signed the pledge to put the program into action and make it work. However, all the changes are voluntary, each organization has its own agenda and the technology suggested by the non-technical people may not work — which means that meeting the seven goals of Secure by Design is going to be an uphill battle.
Cloud-native companies may have the advantage since they don’t have legacy vulnerability problems, said Christina Cacioppo, CEO of Vanta, during a panel discussion. But cloud companies can also become lackadaisical about security.
What’s great with this pledge is that it’s a first cut at things we believe software providers should uphold, and the government and industry pressure can help push this along, said Cacioppo.
Why Secure By Design is vital now
Simply put, the threats have changed. Easterly warned that threats from China, for example, are more serious than ever before. Nation-state actors aren’t as interested in data or intellectual property theft as they were in the past. Their goal now is disruption and destruction of the critical infrastructure and the services Americans depend upon for everyday life. These threat actors are able to access critical infrastructure networks because they can find the flaws and defects in the technology.
CISA introduced the Secure by Design concept more than a year ago. Easterly and her team believe that developing fundamentally secure software can address the ongoing pattern of threat actors attacking flaws and companies rushing to find a fix before the real damage is done. The key is ensuring that the technology Americans rely on is built, tested and designed to be Secure by Design.
“It takes real courage to stand up and say you’re willing to make seismic changes to an industry that over decades has not prioritized security,” said Easterly. “I hope this serves as an inspiration to other companies out there.”