“Radical transparency” required for revamp of US cyber model
A senior US government cybersecurity leader has called for universities around the country to help spur an industry-wide change to denormalise potentially dangerous technology developments.
“As we’ve integrated technology into nearly every facet of our lives, we’ve unwittingly come to accept as normal that such technology is dangerous-by-design,” says Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA). “The situation is not a sustainable one. Rather, we need a new model where consumer safety is front and centre in all phases of the technology product lifecycle — with security designed in from the beginning — and strong safety features enabled right out of the box, without added costs.”
Virtually all technology products, especially those that support critical American infrastructure, must come equipped with strong security features as a standard, says Easterly. Achieving this goal will require a significant shift in the way technology is produced, including the code used to develop software.
However, transitioning to secure-by-default and secure-by-design products will benefit both organisations and technology providers, allowing them to focus more on innovation and growth rather than fixing security problems, she says, and will make it harder for adversaries to carry out attacks.
Manufacturers must take responsibility
During a recent speech at Carnegie Mellon University in Pittsburgh, Easterly outlined three core principles that technology manufacturers should follow in order to integrate product safety into their processes. Firstly, technology manufacturers should take responsibility for ensuring the security outcomes of their customers, rather than placing the burden solely on the customers themselves.
Secondly, manufacturers should adopt “radical transparency” to disclose and better understand consumer safety challenges, as well as commit to being accountable for their products.
Finally, technology leaders should explicitly focus on building safe products and provide a roadmap outlining how products will be developed and updated to be secure-by-design and secure-by-default.
“Encouragingly, an increasing number of technology manufacturers are taking important steps in the right direction — from adopting secure programming practices to enabling strong security measures by default for their customers,” says Easterly. “Companies are realising not only strong security benefits from these steps, but also time and cost savings and improved efficiency.”
A major part of this equation also lies with universities, which can play an important role by weaving security through all computer science coursework. Students need to be well educated on security, including on memory safety and secure coding practices, and professors have a major role here.
“Steps taken today at universities around the country can help spur an industry-wide change towards memory safe languages and add more engineering rigour to software development which in turn, will help protect all technology users,” she says.