The Cost of Unsafe Technology and What We Can Do About It

Strong security should be a standard feature of virtually every technology product, and especially those that support the critical infrastructure that Americans rely on daily.

By: Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency

Last month, I was honored to speak at Carnegie Mellon University in Pittsburgh to meet with students and faculty to discuss the critical topic of technology product safety. One of the world’s most renowned educational institutions and home to one of our nation’s top undergraduate computer science programs and top engineering programs, CMU and similar schools across the country are the key to a more secure future.

As I discussed, as we’ve integrated technology into nearly every facet of our lives, we’ve unwittingly come to accept as normal that such technology is dangerous-by-design.  The situation is not a sustainable one.  Rather, we need a new model where consumer safety is front and center in all phases of the technology product lifecycle—with security designed in from the beginning—and strong safety features enabled right out of the box, without added costs. In short, strong security should be a standard feature of virtually every technology product, and especially those that support the critical infrastructure that Americans rely on daily.

Achieving this outcome will require a significant shift in how technology is produced, including the code used to develop software, but ultimately, such a transition to secure-by-default and secure-by-design products will help both organizations and technology providers: it will mean less time fixing problems, more time focusing on innovation and growth, and importantly, it will make life much harder for our adversaries.

In the speech, I laid out three core principles for technology manufacturers to build product safety into their processes.

First, the burden of safety should never fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes for their customers.

Second, technology manufacturers should embrace radical transparency to disclose and ultimately help us better understand the scope of our consumer safety challenges, as well as a commitment to accountability for the products they bring to market. 

Third, the leaders of technology manufacturers should explicitly focus on building safe products, publishing a roadmap that lays out the company's plan for how products will be developed and updated to be both secure-by-design and secure-by-default.

Encouragingly, an increasing number of technology manufacturers are taking important steps in the right direction—from adopting secure programming practices to enabling strong security measures by default for their customers. Companies are realizing not only strong security benefits from these steps, but also time and cost savings and improved efficiency.

A major part of this equation also lies with universities which can play an important role by weaving security through all computer science coursework. Students need to be well-educated on security—including on memory safety and secure coding practices, and professors have a major role here. Steps taken today at universities around the country can help spur an industry-wide change towards memory safe languages and add more engineering rigor to software development which in turn, will help protect all technology users.

Click and Watch Director Easterly’s Full Speech at CMU.