The Cybersecurity and Infrastructure Security Agency (CISA) is looking to change the technology ecosystem through its secure-by-design and -default guidelines, and CISA officials explained the agency’s plan to foster this ecosystem at the Black Hat USA Conference in Las Vegas last week.
CISA unveiled its secure-by-design and -default guidelines back in April, which aim to outline clear steps that technology providers can take to increase the safety of products used around the world.
Officials from CISA offered more details last week on how the agency plans to approach these guidelines in practice – shifting the cybersecurity burden to software companies from individual users and small businesses.
“So, where are we going with all this and how can you get involved with it? … We’re putting together our strategy here at CISA for how we’re really going to lead this transformation towards an ecosystem that is more secure by design,” said Jack Cable, a senior technical advisor at CISA.
First, Cable said CISA is working on spreading the word about its secure-by-design principles both internally and externally. The agency held a summit with every single CISA employee to discuss what secure-by-design means, and it is also doing the same through public outreach – such as spreading the word at Black Hat.
Second, he said CISA is working to get the right data to understand how cyberattacks are evolving over time.
For instance, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) – which was signed into law in March 2022 – requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the government.
The rulemaking process for CIRCIA is ongoing, but once that is in effect, Cable said CISA “will have [a] much better sense of what cyberattacks are facing our nation, and how trends are changing over time.”
Lastly, Cable said CISA is focused on driving adoption of these secure-by-design practices at scale.
“Yes, we of course want the tech manufacturers to start adopting these practices into everything they do. But we know we also need to be looking at the customers to ensure that they know how to evaluate products on the basis of security,” he said. “We need to be working with the open source community … we need to be looking at education to ensure that the population of software developers out there are capable of writing secure code.”
Cable pointed to the request for information (RFI) released by the agency last week, in partnership with the Office of the National Cyber Director (ONCD) and other Federal agencies, which seeks public comment on open-source software security and memory safe programming languages.
“What we’re asking for in this RFI is for you to tell us where we should be focusing our efforts,” he said. “Should we, for instance, be looking at helping rewrite open source components in memory safe programming languages?”
Bob Lord, a senior technical advisor at CISA, added that CISA also needs help to ensure that, when the cyber responsibility is shifted onto software manufacturers, it is not just “the very top organizations” that can afford to take it on.
“We want to make sure that the things that some of the tech giants are doing to eliminate entire classes of vulnerability, we want to make sure that we have vigorous conversations about how we can democratize that,” Lord said. “We want to make sure that it’s not the literal top 1 percent of software development houses that can make sure that they eliminate memory safety vulnerabilities.”
“How we do that, we’re going to need your help,” he concluded.
Responses to the RFI are due on Oct. 9.