A senior U.S. cybersecurity official described adoption of some of Microsoft and Twitter’s security protocols as “disappointing” as part of a broadside against large technology companies’ approach to protecting user accounts.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a speech Monday that bad software and unsafe practices are facilitating ransomware attacks that are crippling the nation’s most essential services, spanning energy supply, food production, hospitals and schools.
Microsoft, Twitter and other technology companies should by default enroll users in basic safeguards such as multifactor authentication, according to Easterly. Multifactor authentication is a security method in which users log in to their accounts with a username, password and an additional layer of verification. Twitter on Feb. 17 said it will begin charging users for text-based multifactor authentication, a service that’s traditionally cost nothing.
“Technology manufacturers must take ownership of the security outcomes for their customers,” Easterly said at Carnegie Mellon University, according to prepared remarks shared in advance with Bloomberg News. “The government can also play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers.”
She also backed the prospect of legislation to create liability for technology companies if their products include inordinate risk, saying that technology products on sale have thousands of defects and that weak default settings expose customers to undue risk.
Roughly a quarter of Microsoft’s enterprise customers and a third of their administrator accounts, which can access and enable changes on multiple other accounts, use multifactor authentication, Easterly said.
Fewer than 3% of Twitter’s users rely on the same capabilities, according to the company’s 2021 transparency report. Easterly said the Microsoft and Twitter figures are “disappointing.”
“I hope that those numbers go up,” Easterly told Bloomberg News after her speech, referring to her comments that described Microsoft’s multifactor authentication numbers as “too low.”
The CISA director also said she hadn’t contacted Twitter directly about its latest policy change. “We don’t tell social media companies what to do,” she said, adding that she hoped the company would be “more thoughtful” about its approach to MFA.
She added the fact that the companies published their multifactor adoption rates among users was a positive sign, however.
Consumers must have transparency so they can “make a decision” about whether to use a given product based on its safety, she said.
Neither Microsoft nor Twitter immediately responded to requests for comment.
Apple says that 95% of its iCloud users have multifactor authentication enabled because the company activates the setting by default, an example Easterly encouraged other firms to follow.
In addition, Easterly says tech companies should stop charging extra for basic security protections as expensive add-ons, though she didn’t name any specific products or companies.
Tech firms should also fix widespread coding problems with software memory, which have created flaws that she said account for two-thirds of all known software vulnerabilities, Easterly said. The best fix is to write or rewrite code in specific programming languages, she said, citing Go, Java, Python and Rust.
The remarks from the top official at CISA, a unit of the Department of Homeland Security, come as the Biden administration is preparing a national cyber strategy that’s poised to bring up regulation to force companies to tackle hacking threats.