CISA’s next version of secure-by-design guidance expected in ‘coming weeks’
Software manufacturers could see the next iteration of guidance on embedding cybersecurity into their design processes for technology products in the near future, according to a Cybersecurity and Infrastructure Security Agency (CISA) official.
“At CISA, we are really excited to be releasing the next version of our secure-by-design guidance in the coming weeks,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said at an event hosted by the Washington Post on Tuesday.
He added: “We have a vast array of countries who are aligned with us on this effort, and we’ll also be putting that out for some public comment to make sure that we are getting the best sense of the global community in that guidance.”
Goldstein didn’t elaborate on what the next version of that guidance would include. A CISA spokesperson declined to comment beyond Goldstein’s remarks.
The initial April guidance spelled out key principles for shifting responsibility for cybersecurity to manufacturers by building software security into their processes before product development and distribution. CISA has touted that guidance as a major first-of-its-kind joint effort between U.S. agencies and cyber authorities in several other countries and reportedly brought on well-known hacker Peiter “Mudge” Zatko to join the effort.
“This is perhaps the most fundamental shift in cybersecurity of this administration because the core point is we’ve been asking the wrong questions around cybersecurity,” Goldstein said at the Tuesday event.
Instead of asking what victim organizations could have done differently after a cyber breach, the question should be whether the technology products they rely on were “designed in a way that was reasonably likely to reduce the prevalence of the intrusion that impacted that victim,” he said.
Contrary to the way other industries operate, Goldstein said, “with technology products, we just accept this culture of ‘go into production with a high likelihood of exploitable flaws.’ That needs to change.”
The guidance from CISA has received some criticism for its high expectations for industry. Staff for the Atlantic Council’s Cyber Statecraft Initiative, in a July piece for TechCrunch, pointed to potential danger with rhetoric that suggests “cybersecurity problems and challenges exist only because technology vendors cut corners or that all cybersecurity risk can be avoided by following a simple set of straightforward practices.”
CISA Director Jen Easterly said earlier this year that the federal government, through its vast purchasing power, can play a large role in incentivizing and driving private companies to employ secure-by-design software principles just by choosing to do business with the ones that do. She acknowledged that CISA was looking at the Federal Acquisition Regulation to potentially create rules that could require or incentivize federal agencies to buy from vendors that have software that’s secure by design.