Big Tech Challenged by US Government to Enhance Cybersecurity Measures

Eric Geller

The Biden administration is asking the world’s largest technology companies to publicly commit to tightening the digital security of their software and cloud services.

The voluntary pledge, first reported by WIRED, represents the latest effort by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to build support for its Secure by Design initiative, which encourages tech vendors to prioritize cybersecurity while developing and configuring their products.

By signing the pledge, companies promise to make a “good-faith effort” to implement seven critical cybersecurity improvements, ranging from soliciting reports of vulnerabilities in their products to expanding the use of multi-factor authentication, a technology that adds an extra login step to the traditional password.

The pledge, which CISA plans to announce at the RSA cybersecurity conference in San Francisco next week, represents a major test for the agency. It comes just after the first anniversary of the Secure by Design initiative, which CISA leadership regards as a top priority but whose results have been uneven, with many companies continuing to ignore its recommendations. How the tech sector responds to the pledge, and in particular how many software giants sign it, will be an acid test of how seriously the private sector takes CISA’s push for greater corporate investment in cybersecurity.

“We’re really looking forward to the companies that are participating,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, tells WIRED. While he did not disclose how many vendors have signed so far, he says they include several highly significant tech industry players.

WIRED asked more than three dozen of the world’s largest software companies whether they had signed or intended to sign the pledge. Only a handful responded: login technology provider Okta confirmed it had signed, and security vendor BlackBerry said it was considering doing so. Software giants Amazon, Google, and Microsoft did not say whether they would sign.

“CISA claims that they have 50 firms signing and supplying quotes to feature on their website,” comments a tech industry official with knowledge of the situation, who preferred to remain anonymous. “To my knowledge, I’m unaware of any company that has signed.”

The seven goals laid out in the pledge represent security practices that experts say would dramatically improve companies’ cyberdefenses and make it easier for customers to safely use their products.

The goals include significantly increasing customers’ use of multi-factor authentication, including by enabling it automatically or prompting users to turn it on; eliminating default passwords, including by requiring users to choose strong passwords during product setup; and making it easier for customers to understand intrusions into products they use, including by letting them review logs of suspicious activity at no extra cost.

Companies signing the pledge would also commit to hardening their products against entire classes of vulnerabilities, such as by using memory-safe programming languages that rule out whole classes of memory-safety bugs; fostering better software patching, including by making patching easier and automating it when possible; creating vulnerability disclosure programs that encourage users to find and report product flaws; and publishing timely alerts about major new vulnerabilities, as well as including detailed information in all new vulnerability alerts.
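To make two of these goals concrete, here is an added example (not code from the article, CISA, or any signatory) of a first-run setup policy for a hypothetical product: it refuses default or trivially weak passwords and requires MFA enrollment unless the owner deliberately opts out. The default-credential list, the `first_run_setup` function, and the 12-character minimum are assumptions for illustration; the one-time-code check is standard RFC 6238 TOTP over HMAC-SHA1.

```python
"""Added example (not from the article or CISA): a secure-by-default first-run
setup flow for a hypothetical product. Enforces two pledge goals: no default
passwords, and MFA on by default. Names and the credential list are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field

# Constructed list of vendor-style default credentials the setup flow must refuse.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "12345678", "changeme", "default", "root"}

TOTP_STEP = 30  # seconds per RFC 6238 time step


@dataclass
class SetupResult:
    ok: bool
    errors: list = field(default_factory=list)
    mfa_enabled: bool = False


def check_initial_password(username: str, password: str, min_len: int = 12) -> list:
    """Return the list of policy violations for a password chosen at first boot."""
    errors = []
    pw = password.strip()
    if pw.lower() in KNOWN_DEFAULT_PASSWORDS:
        errors.append("password is a known default credential")
    if pw.lower() == username.lower():
        errors.append("password must not equal the username")
    if len(pw) < min_len:
        errors.append(f"password shorter than {min_len} characters")
    return errors


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) from a raw secret and a Unix timestamp."""
    counter = struct.pack(">Q", for_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side, using a constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
        for d in range(-window, window + 1)
    )


def new_mfa_secret() -> bytes:
    """Fresh 160-bit secret; base32-encode it (base64.b32encode) for an authenticator app."""
    return secrets.token_bytes(20)


def first_run_setup(username: str, password: str, mfa_code: str = None,
                    secret: bytes = None, now: int = None,
                    allow_mfa_opt_out: bool = False) -> SetupResult:
    """Secure-by-default setup: strong, non-default password, and MFA enrolled
    unless the product owner explicitly opts out (hypothetical policy)."""
    now = int(time.time()) if now is None else now
    result = SetupResult(ok=False)
    result.errors = check_initial_password(username, password)
    if secret is None or mfa_code is None:
        if not allow_mfa_opt_out:
            result.errors.append("MFA enrollment required (opt-out not permitted by default)")
    elif not verify_totp(secret, mfa_code, now):
        result.errors.append("MFA enrollment code did not verify")
    else:
        result.mfa_enabled = True
    result.ok = not result.errors
    return result


if __name__ == "__main__":
    s = new_mfa_secret()
    print("enroll this secret:", base64.b32encode(s).decode())
    print(first_run_setup("admin", "admin"))  # rejected: default, equals username, short, no MFA
    print(first_run_setup("admin", "correct horse battery staple",
                          mfa_code=totp(s, int(time.time())), secret=s))
```

The point of the shape is that the weak path is unreachable by default: shipping credentials are refused outright rather than merely warned about, and MFA is a required step of setup rather than an option buried in a settings page, which is the "automatically enabling it" behaviour the pledge describes.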


The pledge offers examples of how companies can meet the goals, although it notes that companies “have the discretion to decide how best” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “​​so that others can learn.”

CISA developed the pledge in consultation with tech companies, seeking to understand what would be feasible for them while also meeting the agency’s goals, according to Goldstein. That entailed ensuring the commitments were manageable for firms of all sizes, not limited to Silicon Valley giants.

According to the tech industry official, the agency initially tried to use its Joint Cyber Defense Collaborative (JCDC) to persuade companies to sign the pledge, but that backfired when companies questioned why an operational cyberdefense collaboration group was being used for what the official calls a “policy and legal issue.”

“Industry showed displeasure about using the JCDC to secure pledges,” the official says, and CISA “intelligently took a step back on that effort.”

CISA then talked with companies through the Information Technology Sector Coordinating Council and revised the pledge based on their feedback. The draft originally contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” to demonstrate progress, the industry official says. In the end, CISA dropped several goals and “expanded the verbiage” around measuring progress.

John Miller, senior vice president of policy, trust, data, and technology at the Information Technology Industry Council, says those changes were wise. Measurable progress indicators, such as the number of users with multi-factor authentication enabled, could be misinterpreted, he says.

Goldstein says the number of companies that have agreed to sign the pledge has exceeded his expectations. The industry official says they are not aware of any company flatly rejecting the pledge, largely because vendors want to keep open the option of signing after CISA’s launch event at RSA. “Everyone’s in a sort of wait-and-see mode,” the official says.

Legal liability is a major consideration for companies weighing whether to sign. Miller says that if a signatory later suffered a security incident, the public commitments it made under the pledge could be used against it in litigation.

Even so, Miller expects some global firms that are already subject to stringent new European security regulations to sign the US pledge in order to get credit for work they are already doing.

CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber responsibility follows years of disruptive supply-chain and ransomware attacks on critical software and service providers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, as well as a mounting list of widespread software vulnerabilities that have powered ransomware attacks on schools, hospitals, and other essential services. White House officials say the pattern of costly and often preventable breaches demonstrates the need for increased corporate accountability.


The Biden administration is using the federal government’s contracting power to set new minimum security standards for the software that agencies buy, with the goal of modeling responsible behavior for the entire industry. White House officials are also studying proposals to make all vendors, not just federal contractors, liable for security failures, but that effort faces an uphill battle in Congress.

With no authority to require better cybersecurity for the entire software industry, the White House has tasked CISA with prodding companies to commit to voluntary improvements. That effort began last April with the publication of specific recommendations for incorporating cybersecurity into the product design, development, and configuration process. CISA consulted with the tech industry and the security research community on refinements to that document and released an updated version last October. At around the same time, CISA announced that it had obtained Secure by Design commitments from six major K-12 educational technology vendors. That move, while limited to one industry, signaled CISA’s clear desire to convert its guidance into public corporate pledges.

“It has long been our goal … to move from just the white papers and the guidance to get companies to say, ‘Yes, we agree, and here’s what we’re doing,’” Goldstein says. “The pledge really is that concrete manifestation of the guidance that we’ve been developing for a year.”

But the efficacy of the voluntary pledge remains to be seen. “Pledging companies will self-assess and self-report,” says Katie Moussouris, CEO and founder of Luta Security, “so only time will tell if they’ve effectively applied the measures and if the pledge proved to be an effective accountability mechanism.”

Miller says he expects the pledge to keep companies accountable because of the potential legal consequences of neglecting promised improvements. In the meantime, government officials are counting on customers to pressure vendors to both sign and abide by the pledge.

“Right now, we see the demand for safe and secure products to really be significant,” Goldstein says. “We think that … customer demand will drive that progress for us.”
