Last week, CISA and 9 U.S. and international cybersecurity agencies released a whitepaper titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default." For those of you playing along at home, 10 agencies signing onto a document is a record number for us at CISA. The document argues that we need to significantly reshape the way software is created to prioritize safety as a non-negotiable foundation. That is, we need to bake security into product development. This is directly in line with the vision laid out in the recently released National Cybersecurity Strategy, which states that “Today, end users bear too great a burden for mitigating cyber risks” and that “we must ask more of the most capable and best-positioned actors.”
When we released the paper, a number of prominent tech companies, think tanks and analysts agreed that too much of the burden of cybersecurity is placed on the user and said this whitepaper is a step in the right direction toward solving the problem. Others pointed out that while techniques for developing secure-by-design software exist, they have not been widely adopted.
And there were people who (rightfully) noted that this is not a new idea. In fact, in other more mature industries, the same basic concept appears under the banner of terms like “product quality” or “safety engineering.” Even in the software industry, numerous others have pointed these problems out before us, in some cases going back decades.
So why haven’t we, as a nation, made the change already? There’s not really a single root cause, only a long list of slippery contributing factors. Those factors include customer demand for new features at a rapid pace, the manufacturers’ use of unvetted third-party components and tools, the complexity of even seemingly simple software, a seemingly never-ending requirement for backwards compatibility, the desire to connect systems together, the need to allow customers to extend the software, and so on.
But cutting across all of these factors is the tug of economic incentives. Unlike in other industries, we don’t have laws of physics or centuries of building codes to constrain our development activities to something “safe.”
The three of us have seen firsthand the technological challenges at play here. Bob, through his time as a Chief Information Security Officer (CISO) at both large technology companies and resource-constrained organizations, has seen how even relatively well-resourced organizations struggle to bear the burden placed upon them by large software manufacturers to securely configure their products. Jack, through his time as a security researcher discovering vulnerabilities in some of the world’s biggest companies, has seen how most attacks and vulnerabilities aren’t due to some sophisticated advanced threat, but rather to classes of vulnerabilities that can be readily prevented through techniques that have been around for decades. And Grant, through his time architecting security-critical infrastructure at scale at a large technology manufacturer, has seen that product development changes that enable better security by design are indeed possible.
Change on this scale must come from the top, and the jointly developed paper released last week was designed to show business leaders that the well-known techniques and tactics outlined within it are worth adopting. To help frame the conversation about security by design, we developed three principles that manufacturers should include in their strategic plan to improve security in their products.
To that end, the principles are:
- Take ownership of the security outcomes of the customers. The burden of staying cyber safe shouldn’t rest on the customer’s ability to afford additional products or services, or to implement a complex hardening guide. We understand this is a new framing, and that each organization will need to find ways of implementing this principle in multiple phases over time.
- Embrace radical transparency. Major improvements in security will require a major increase in publicly available data. We are a young industry, and we lack the sorts of data and best practices that more mature industries take for granted. For a variety of reasons, many elements of cybersecurity, especially failures and near-misses, are kept inside an organization, depriving the larger ecosystem of intelligence to improve their products and services. Transparency can take the form of processes as well as data. For example, everyone in the ecosystem benefits when organizations demonstrate a commitment to coordinated vulnerability disclosure that gives researchers legal safe harbor and allows them to talk publicly about findings. The ecosystem also benefits when organizations ensure their CVEs are correct and complete.
- Build the organizational structure to achieve these goals. We observe that many times key decisions about security are made at lower levels of the organization, missing the opportunity to treat the security of the product as a strategic business goal. Measuring and improving quality of all kinds benefits from the kinds of analysis performed by business leaders, not just technical leaders. We can’t say this enough: it’s not sufficient to get “executive buy-in.” The mandate for security quality must come from the top.
Collaboration is the key to a secure future
While implementing any plan to make products secure by design and by default will require significant use of technology, we wanted to generate more conversation about outcomes and business decisions.
We know that neither the government nor industry can solve this problem alone. But we can do it together. So we call on every tech executive to commit to our top-line principles and take the critical next step of publishing a roadmap that lays out their plan to create products that are secure by design and by default. What’s more, tech leaders must actively participate in shaping our understanding of best practices. What works in practice? What doesn’t? We need all the creativity and smart thinking we can get, whether from tech, think tanks, academia, standards organizations, or others.
The three principles articulate a vision for a much more robust and resilient technology ecosystem that Americans deserve and should demand. Making that transition requires recognizing that insecure software is a national security risk for the United States and needs to be treated as such. The good news is that this is just the first chapter, and there is plenty of work to do, together, as a community. If you’d like to share your ideas, please email us at SecureByDesign@cisa.dhs.gov, and be sure to visit Secure by Design, Secure by Default for more information.