A top U.S. cybersecurity official launched a warning shot at major technology companies, accusing them of “normalizing” the release of flawed and unsafe products while allowing the blame for safety issues, security breaches and cyberattacks to fall on their customers.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called Monday for new rules and legislation to hold technology and software companies accountable for selling products that she says are released despite known vulnerabilities.
While massive hacking campaigns by China and other adversaries, including Russia, Iran and North Korea, are a major problem, “cyber intrusions are a symptom rather than a cause,” Easterly told an audience at Carnegie Mellon University in Pittsburgh.
“The cause, simply put, is unsafe technology products,” she said. “The risk introduced to all of us by unsafe technology is frankly much more dangerous and pervasive than the [Chinese] spy balloon, but somehow we’ve allowed ourselves to accept it.”
The push for regulation and legislation is not entirely new. Both Easterly and former National Cyber Director Chris Inglis, who stepped down earlier this month, warned during their confirmation hearings more than a year and a half ago that government action could be required if private companies refused to do more.
“Enlightened self-interest, that’s apparently not working. … Market forces, that’s apparently not working,” Inglis said at the time.
Now, with China running a “massive and sophisticated” hacking program, and threats from other countries and from cyber criminals constantly growing, “we have to make a fundamental shift,” Easterly said.
CISA is in the process of laying out a set of core principles, Easterly said. Some of the most critical are to make sure that the burden for safety is never left solely to tech and software customers, that manufacturers be transparent about problems and how to fix them, and that products be “secure by design and secure by default.”
“Technology must be purposefully designed and developed and built and tested to significantly reduce the number of exploitable flaws before they’re introduced into the market for broad use,” Easterly said.
“Ultimately such a transition to secure-by-design and secure-by-default products will help organizations and technology providers, because it’ll mean less time fixing problems, more time focusing on innovation and growth, and importantly it’ll make life much harder for our adversaries.”
Easterly said the U.S. government is already using its purchasing power to help make the change, requiring companies that want government contracts to meet higher security requirements.
She also praised a handful of companies, including Apple, Google, Mozilla and Amazon Web Services for moving to a more secure model but called efforts by others, including Twitter and Microsoft when it comes to the use of multifactor authentication, “disappointing.”
VOA contacted Microsoft and Twitter for their reaction to Easterly’s specific criticism.
Twitter has yet to respond, but Microsoft defended its efforts in a statement shared with VOA on Tuesday.
“Advancing the security posture of our customers is one of Microsoft’s top priorities,” the company said. “We provide MFA [multifactor authentication] defenses at no additional cost for our consumer and enterprise customers.”
But Microsoft said the use of multifactor authentication among its enterprise customers “is relatively lower … since these organizations are in control of their own respective authentication policies.”
CISA’s Easterly, however, said on Monday that change across the industry needs to come faster.
“We’ve normalized the fact that technology products are released to market with dozens, hundreds or thousands of defects when such poor construction would be unacceptable in any other critical field,” Easterly said, adding other industries have found ways to change.
“For the first half of the 20th century, conventional wisdom held that car accidents were solely the fault of bad drivers,” she said. “Cars today are designed to be as safe as possible. … Nobody would think of purchasing a car today that didn’t have seatbelts or airbags included as standard features, and no one would accept paying extra to have these basic security features installed.”