The Power of the Purse: How to Ensure Security by Design

November 12, 2024 at 10:03AM

CISA’s Secure by Design pledge, aimed at improving cybersecurity in software companies, is voluntary and lacks regulatory enforcement, raising concerns about its effectiveness. With data breaches rising, a more aggressive governmental approach, including mandatory compliance measures similar to the EU’s standardization efforts, is necessary to ensure robust cybersecurity.

### Key Takeaways

1. **Introduction of the Secure by Design Pledge**:
   – The Cybersecurity and Infrastructure Security Agency (CISA) has launched the Secure by Design pledge to encourage software manufacturers to adopt essential cybersecurity practices.
   – Prominent companies including Lenovo, Google, AWS, Cloudflare, and Microsoft have signed the pledge.

2. **Nature of the Pledge**:
   – The pledge sets seven goals covering fundamental cybersecurity practices to be met within one year, such as implementing multifactor authentication (MFA).
   – Companies are encouraged to document their progress and report failures to CISA.

3. **Voluntary Compliance Issue**:
   – The pledge is entirely voluntary, with no regulatory compliance requirement and no repercussions for failing to meet the goals.
   – This raises concerns about whether the pledge can actually ensure that companies improve their cybersecurity measures.

4. **Rising Cybersecurity Threats**:
   – Data breaches have increased significantly (a 72% rise in 2023) and carry high costs ($4.88 million per breach), underscoring the critical need for robust cybersecurity measures.

5. **Call for Mandatory Regulations**:
   – The federal government needs to take a more aggressive approach and enforce stringent cybersecurity regulations.
   – The commentary advocates mandatory compliance rather than reliance on voluntary pledges, stressing the importance of safeguarding critical infrastructure.

6. **Comparative Examples**:
   – The EU’s regulation mandating standardized charging ports demonstrates the effectiveness of regulatory requirements (Apple adapted its products to meet these standards).
   – California’s Zero Emissions Vehicle requirements have produced significant reductions in automotive emissions, illustrating the benefits of regulatory action.

7. **Recommendations for CISA**:
   – CISA should turn its recommendations into mandatory regulations, including:
      – Increasing MFA usage.
      – Reducing default passwords.
      – Enabling measurable reductions in vulnerability classes.
      – Increasing the installation of security patches.
      – Publishing vulnerability disclosure policies.
      – Ensuring transparency in vulnerability reporting.
      – Improving customers’ ability to collect evidence of cybersecurity incidents.
   – Regular audits should be conducted to enforce compliance instead of relying on self-reporting.

8. **Final Statement**:
   – The commentary proposes a clear message to software manufacturers: “Adapt or die,” meaning that compliance with cybersecurity standards should be mandatory for selling software in the U.S.
   – It emphasizes the high stakes of cybersecurity failures and the urgent need for robust protective measures, comparable to the standards enforced in other industries.
