May 29, 2024 By Sue Poremba 4 min read

The tech industry has the power to protect the world from nation-state threat attacks, cyber crime and those wanting to compromise data and manipulate critical infrastructure. But with this power comes great responsibility, which, to be honest, the tech industry has not been that interested in holding.

But at the RSA Conference (RSAC) in San Francisco, the cybersecurity and tech communities took steps to exert some power and take responsibility. They took the Secure by Design pledge, a promise to make a good-faith effort to ensure security measures are built into software and to work toward meeting seven security goals over the coming year.

“With the widespread public use of increasingly connected devices, there is a real urgency that everybody feels and is highly aware of. It is all about developing new and retrofitting old technologies and software with security as a core consideration,” Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), told a full room of representatives from a wide range of tech and cybersecurity companies, both large and small.

However, Easterly added, given the ever-changing and unprecedented level of cyber threats, especially those targeting the government and critical infrastructure, time has taken on a more important role. We can’t wait around for innovations to happen or to develop responses to new attacks.

“We have to make security a priority right now,” Easterly said. That’s the impetus of the Secure by Design movement. “The federal government can’t do this alone.” Private industry — the companies in the best position to address cybersecurity threats — is also best suited to take on the burden of managing security risks from the beginning of the development process.

Taking the pledge

When Secure by Design was introduced in 2023, 17 partners signed on to a white paper that began a global discussion about the principles of Secure by Design. In December 2023, CISA also introduced its Secure by Design alert series, which highlights how software manufacturers can eliminate entire classes of vulnerabilities. One recent alert, for instance, was about SQL injections, while another was on path traversal. These are steps that follow the Biden Administration’s cybersecurity strategy’s goal to take the burden of cybersecurity off the shoulders of business owners and software users and put the onus on the technology companies that can actually fix and prevent security risks.

The next step came on May 8 at RSAC, when nearly 70 companies voluntarily signed the pledge to put greater emphasis on security in their features and to take the time to address potential vulnerabilities in their infrastructure before a product is pushed to market. Since then, the number of companies signing on to the pledge has increased to nearly 100.

Those companies who have made the pledge include well-known tech giants like IBM, Google and Microsoft, as well as a variety of large and small cybersecurity companies. Many of the companies attending Easterly’s talk have already begun to implement the principles of Secure by Design, including some startups whose business is built around these principles.

What it means to take the Secure by Design pledge

According to CISA, the pledge is structured around seven goals, each with its own core criteria. Every software manufacturer participating in the pledge has the authority to decide how best to meet and demonstrate the core criteria of each goal within the parameters of its business.

These seven goals are:

  • Implement multi-factor authentication across products
  • Reduce or eliminate default passwords
  • Reduce classes of vulnerabilities
  • Increase installation of security patches
  • Develop and publish a vulnerability disclosure policy that authorizes testing by members of the public on products
  • Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products
  • Provide customers with the ability to gather evidence of cybersecurity intrusions affecting the manufacturer’s products

CISA is the agency spearheading Secure by Design, but it will be up to each organization that has signed the pledge to put the program into action and make it work. However, all the changes are voluntary, each organization has its own agenda, and measures suggested by non-technical people may not work in practice, which means that meeting the seven goals of Secure by Design is going to be an uphill battle.

Cloud-native companies may have the advantage since they don’t have legacy vulnerability problems, said Christina Cacioppo, CEO of Vanta, during a panel discussion. But cloud companies can also become lackadaisical about security.

What’s great with this pledge is that it’s a first cut at things we believe software providers should uphold, and the government and industry pressure can help push this along, said Cacioppo.

Why Secure By Design is vital now

Simply put, the threats have changed. Easterly warned that threats from China, for example, are more serious than ever before. Nation-state actors aren’t as interested in data or intellectual property theft as they were in the past. Their goal now is disruption and destruction of the critical infrastructure and the services Americans depend upon for everyday life. These threat actors are able to access critical infrastructure networks because they can find the flaws and defects in the technology.

CISA introduced the Secure by Design concept more than a year ago. Easterly and her team believe that developing fundamentally secure software can address the ongoing pattern of threat actors attacking flaws and companies rushing to find a fix before the real damage is done. The key is ensuring that the technology Americans rely on is built, tested and designed to be Secure by Design.

“It takes real courage to stand up and say you’re willing to make seismic changes to an industry that over decades has not prioritized security,” said Easterly. “I hope this serves as an inspiration to other companies out there.”
