In March of 2023, the administration’s National Cybersecurity Strategy called out the failure of the market to adequately distribute the responsibility for data security and the protection of digital systems. In response to this structural shortcoming, the Cybersecurity and Infrastructure Security Agency (CISA) kicked off an effort to “shift the balance of cybersecurity risk” by pushing firms to adopt secure-by-design practices. This collaborative effort brings together several government agencies and industry organizations to promote earlier adoption of secure software development practices, improving the safety and security of products from the design phase and throughout the life cycle.
CISA has since worked with K-12 software manufacturers to implement secure-by-design practices, with the manufacturers pledging not to charge extra for basic security features. The pledge also commits manufacturers to publish a secure-by-design roadmap. Secure-by-design practice has since been added to computer science programs at higher education institutions.
Alongside other government and industry organizations, CISA published a joint guidance document for artificial intelligence systems, with recommendations for secure-by-design practices throughout the development lifecycle.
Recent Efforts – Federal Level
In October 2023, CISA partnered with several government agencies, including the NSA and FBI, to release an updated Cybersecurity Information Sheet with additional guidelines for manufacturers to ensure their products follow the practices of the program. The report, titled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, recommends that software manufacturers implement the strategies and take ownership of the security outcomes of their customers. The new information sheet is intended to start an international conversation about key priorities for building a safer future in technology.
On a worldwide scale, secure by design aims to break the cycle of shipping products to the public and then creating and applying fixes after the fact. This is a high standard of security that can only be achieved by working with manufacturers to prioritize the integration of product security as a critical prerequisite for these products. The hope is that designing products with the safety of customers in mind, well before development begins, will become a core business goal rather than a technical feature.
“We need to continue working together to proactively design, build, and deploy secure products for our critical systems,” said Rob Joyce, NSA Cybersecurity Director. “The implementation of secure by design and default principles not only increases the security posture of manufacturers’ products, but customers as well.”
Achieving Secure by Default
Similar to how businesses employ environmental initiatives towards reaching net zero emissions, secure by design aims to produce technological products that are secure by default. Secure by default means that products are secure to use out of the box, with little to no configuration changes needed and no extra cost to the consumer. As explained by two of CISA’s Senior Technical Advisors, Jack Cable and Bob Lord, in their discussion Unsafe at Any Speed, the criteria for secure by default include:
- Secure configurations out of the box
- Manufacturer responsibility
- Multi-factor authentication (MFA) enabled by default
- No “loosening guides” or “hardening guides”
- No added costs or new licenses
- Default in every product
Examples of practices that can make products secure by default include eliminating default passwords, allowing single sign-on at no additional cost, providing high-quality audit logs at no charge, and offering a user experience that makes security settings consistent across the industry ecosystem.
Shifting the Burden
By regulating consumer technologies so that they are more secure by default, we can help relieve the misplaced cybersecurity burden that currently rests on the shoulders of the consumer. This new program aims to create a model in which consumers can trust the technologies they use every day. CISA is proud to announce this guidance, a major first-of-its-kind joint effort between US agencies, the cyber authorities of various countries, and well-known hacker Peiter “Mudge” Zatko.
Achieving these goals on a widespread scale requires bridging the cybersecurity skills gap in America. By upskilling America’s workforce, we can implement these practices and build from a new foundation. ThriveDX fully supports the National Cybersecurity Strategy, as it directly aligns with our mission to bridge the skills gap and address the talent shortage in the cybersecurity and overall tech industry. Alongside 65 other high-impact Federal initiatives, we’re pleased to see the current administration’s commitment to practical cybersecurity solutions and real strides toward improved cybersecurity standards.
To learn more about upskilling and reskilling your cyber workforce, as well as security awareness training, visit www.thrivedx.com