Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said her agency is due to reveal later on Wednesday at the RSA Conference in San Francisco that 60 tech companies will be signing onto a voluntary secure-by-design pledge to make their technology products more secure against ransomware and other forms of cyberattacks.
CISA first launched its Secure by Design effort in April 2023, focused around guidance that urges “software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers.”
The agency followed up earlier this year by releasing a software attestation form and an accompanying repository that software makers can use to attest to their products, helping Federal agencies confirm that the software they buy was developed using secure development practices.
Speaking during a panel session at the RSA Conference on May 7, Easterly said that since the 2023 launch, the “good news is that we are starting to see real change.”
“We’ve had this campaign for about a year,” she said. “One of the levers we have that we’re using is procurement power, and frankly, it’s a lever that anybody who buys technology should use to demand that what we get from technology manufacturers is as safe and secure as possible.”
“That’s why we’re using our Federal acquisition regulations” to guide technology makers toward secure-by-design principles, she said. “That’s why we’re using a software attestation form that has to be signed off by CEOs or their designees.”
Easterly said CISA will reveal on Wednesday evening EST that more than 60 tech companies have signed onto a pledge “that says we are committed to taking these steps to ensure that the ecosystem is much more secure than it is today.”
She said the pledge being taken by tech makers is voluntary, but added, “the great thing is we have a platform to be able to advance radical transparency and so consumers that have to make decisions about what technology they buy will see whether these technology manufacturers actually took the steps.”
When CISA unveils the pledge, Easterly said, “you’ll see we’ve actually put in objectives, measurements of what right looks like and how we know we’ve actually achieved it.”
“We’re excited about it,” she said. “We’re clear-eyed about it because this is a major effort that we are undertaking, but quite frankly, I think it is the only way that we can make ransomware and cyber attacks a shocking anomaly, and that is to ensure the technology is much more secure.”