Importance of building safety into tech products

#futureofcyber

My thoughts on the white paper by CISA Director Jen Easterly and Executive Assistant Director for Cybersecurity Eric Goldstein on “Why companies must build safety into tech products” (Foreign Affairs: Stop Passing the Buck on Cybersecurity).

CISA is very forward-looking about the future of cybersecurity. They see the current model of relegating cybersecurity to the “IT people” or the CISO as untenable, because as stated, “They are given this responsibility, but not the resources, influence, or accountability to ensure that security is appropriately prioritized against cost, performance, speed to market, and new features.”

The new model they would like to see is one where problems are fixed at the earliest stage; when technology is designed rather than when it is being used. I concur with their assessment that cybersecurity should ultimately be the responsibility of the CEO and board. This is the only way to ensure that cybersecurity receives the resources needed to execute the responsibilities it is given.

Meeting the expectation that cybersecurity products purchased by consumers from reputable providers should not carry a risk of harm will require a fundamental shift in responsibility. Technology providers and software developers would have to assume responsibility for the security of their customers, rather than treating each product as a mere "buyer beware" situation. To accomplish this, every technology provider should prioritize the development of products that are inherently secure from the start; CISA calls this “secure by default” and “secure by design”.

Secure by default as defined by CISA: These concepts are related but distinct. Secure-by-default products have strong security features—akin to seatbelts and airbags—at the time of purchase, without additional costs.

Secure by design as defined by CISA: This is the expectation that technology is purposely designed, built, tested, and maintained to significantly reduce the number of exploitable flaws before it is introduced to the market for broad use.

The changes to the business and cybersecurity culture that CISA is proposing are not inconsequential; if adopted, they would be transformative. CISA recognizes that for their recommendations to gain any momentum, governments and industries must rethink how they interact with one another.

General Paul Nakasone, head of the U.S. Cyber Command, wrote a few years ago about the doctrine of persistent collaboration. “Such a culture shift requires sharing becoming the default response, where information about malicious activity, including intrusions, is presumed necessary for the common good and urgently shared between industry and government. Government and industry must work together with reciprocal expectations of transparency and value, where industry does not have to be concerned about punitive sanction. Finally, interactions between the government and the private sector should be frictionless, so that collaboration emphasizes scale, shared platforms, and data-driven analysis.”

This makes sense, and I think it would improve our cybersecurity posture. For this to happen, corporations would need to see their participation as a benefit to competitiveness and profitability. Our goal should be product security improvement and safety. By fostering trust and collaboration between the government and the private sector, a safer cyberspace can be created, benefiting everyone involved.

Indeed, tech security is highly important
