LAS VEGAS—Two government officials came to Black Hat here this week with some security tips that got a whole lot more specific than the high-level talking points attendees might have expected to come out of Washington.
Among the actionable advice offered by Bob Lord and Jack Cable, both senior technical advisors at the Cybersecurity and Infrastructure Security Agency (CISA), to tech vendors:
- Switch to writing software in memory-safe languages that resist buffer-overflow attacks;
- Provide a software bill of materials for each release so there’s no mystery about its components and libraries;
- Maintain a vulnerability disclosure policy with legal safe harbor for security researchers;
- Eliminate default passwords that users may never change;
- Offer single sign-on at no extra cost instead of charging extra for each user employing this safer authentication option;
- Provide multi-factor authentication to ensure that the compromise of a password doesn’t result in the loss of an account;
- Offer high-quality audit logs at no extra charge;
- Make the concept of a “hardening guide” telling customers how to lock down the product obsolete by ensuring that it’s secure out of the box.
This advice came as part of CISA’s Secure By Design effort, in which that agency is trying to foster the adoption of security best practices by tech vendors so that customers are no longer left with their own security to-do lists.
“We want them to be owning security outcomes for their product,” Cable said. “Wherever it’s deployed, by default, by design, it’s secure.”
He urged them to practice “radical transparency and accountability”—adding that this doesn’t just mean coming clean about failings but also celebrating security wins—and build organizational structures that enshrine security as a top-level priority instead of relegating it to a CISO. “Security needs to be seen as a priority, because if it’s not, speed to market always wins,” Cable said.
Lord compared the current state of things to how the government left much of car safety up to individual manufacturers decades ago. The briefing’s title, “Unsafe At Any Speed: CISA’s Plan to Foster Tech Ecosystem Security,” evoked Ralph Nader’s 1965 book denouncing Detroit’s practices.
He advised developers and engineers to remember that their work will be used by people without their technical background or experience, saying, “We want them to think about what is actually happening in the field.”
Lord said the secure approach should be like a well-lit path, not something users have to navigate on their own. “We want those well-lit paths to be ubiquitous,” he said. “How we do that, we’re going to need your help.”
Lord has seen what can happen when an organization leaves too much to the attention and good will of employees, having done CISO stints at the Democratic National Committee and Yahoo after each suffered massive hacks.
The two noted that the government isn’t just talking to tech vendors but also listening to them: Thursday morning, a group of agencies—including CISA, the National Science Foundation (NSF) and the Defense Advanced Research Projects Agency (DARPA)—announced a Request for Information seeking comment on how the feds can foster the adoption of memory-safe languages and improve the security of open-source software.
That announcement and this Black Hat talk follow months of work by the Biden administration to strengthen the country’s cybersecurity posture. The White House has imposed stronger requirements on government IT contractors, set up a Cyber Safety Review Board modeled after the National Transportation Safety Board to investigate such system-level failings as the Log4j vulnerability, and launched a voluntary “Cyber Trust Mark” security-label program for Internet-of-Things devices.
Wednesday at Black Hat, DARPA added to that agenda by announcing an AI Cyber Challenge contest, with almost $20 million in prizes, to find ways to use AI tools to improve the security of existing software and infrastructure.