CISA Head Criticises Tech Vendors for Insecure Software, Calls for Greater Accountability
Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency (CISA), recently underscored a pressing concern at Mandiant’s mWise conference: the profound shortcomings of software vendors in delivering secure products. Easterly pointed out that these vendors often sow the seeds of cybercrime by producing faulty code, which, in turn, boosts the capabilities of malicious actors.
Easterly’s stance is a sharp critique of the industry’s reliance on vague terminologies such as “software vulnerabilities.” She argues that these terms downplay the seriousness of the issues at hand, calling instead for the use of more direct language, such as “product defects.” This shift in terminology is not merely semantic; it reflects a deeper need to hold technology suppliers accountable for flaws that lead to exploitable opportunities for cybercriminals.
The context is alarming. Despite the existence of a multi-billion-dollar cybersecurity industry, Easterly lamented the ongoing multi-trillion-dollar issues surrounding software quality that fuel cybercrime. She made a striking analogy, equating our reliance on flawed software to the absurdity of boarding an airplane or driving a car that lacked safety assurances. This comparison is a wake-up call for stakeholders in tech procurement. If consumers of software—be it individuals or organizations—remain oblivious to the importance of software security, the risks are incredibly high.
In her role at CISA, Easterly has consistently advocated for improvements in software quality. As cyber threats become more sophisticated, the integrity of the code that underpins essential services cannot be overlooked. It is unacceptable, she argues, that consumers are often held responsible for “not patching” their software quickly enough when the root of the problem lies in the vendors’ production practices. This point raises a crucial question for the industry: Why are so many urgent updates needed in the first place?
At the recent RSA Conference, the challenge echoed loudly when nearly 70 technology giants—ranging from Amazon Web Services to Google—signed CISA’s Secure by Design pledge, aimed at enhancing software security practices. Encouragingly, the number of signatories increased to almost 200. However, Easterly expressed concerns over the voluntary nature of this commitment. She advocates for leveraging procurement power, urging organizations to interrogate software suppliers on their alignment with security best practices and whether they have committed to the aforementioned pledge.
To support this initiative, CISA has released guidance that aids organizations in assessing the security commitments of software manufacturers during the procurement process. This framework not only establishes expectations but also paves the way for a more rigorous evaluation of technology vendors.
Take, for example, a hypothetical company considering new software for critical operations. By utilizing CISA’s guidelines, such a company could ask pointed questions about how the software was developed, what kind of security testing was performed, and whether the vendor adheres to the Secure by Design principles. Such proactive measures could lead to better-informed purchasing decisions, ensuring that the tools they utilize contribute to, rather than undermine, cybersecurity.
The current landscape shows a glaring contradiction: while millions are spent on cybersecurity solutions, backwards policies by software vendors continue to compromise efforts for a safer digital infrastructure. The need for accountability is paramount, as Easterly is keen to stress. With increasing dependency on digital tools, software security cannot be treated as an afterthought. It must be an integral component of product development and vendor relationships.
The question now is whether the industry at large is prepared to adapt. Accountability should not rest solely with consumers but must also encompass the entities producing software meant for critical infrastructure. Easterly’s remarks embody a pivotal moment in the cybersecurity dialogue, urging a shift toward a more accountable and secure software development culture.
In conclusion, the call for greater accountability from tech vendors is a reminder that the fight against cybercrime does not solely rest on the shoulders of cybersecurity professionals or organizations. It requires a systemic change in how software is produced, emphasizing quality and security as priorities rather than afterthoughts. This shift not only benefits individual organizations but, ultimately, protects the integrity of the digital landscape as a whole.