CISA shares 'secure by design' plan for US tech ecosystem – TechTarget

LAS VEGAS — CISA shared its plan to foster “secure by design” principles within the U.S. technology ecosystem during a Thursday session at Black Hat USA 2023.
The Black Hat presentation, “Unsafe At Any Speed: CISA’s Plan to Foster Tech Ecosystem Security,” uses former U.S. presidential candidate Ralph Nader’s 1965 book Unsafe at Any Speed: The Designed-In Dangers of the American Automobile as an analogy for modern technology. Nader’s book was about automobile safety and led to the creation of the U.S. Department of Transportation.
CISA senior technical advisors Bob Lord and Jack Cable compared the core theme of Nader’s book — that car manufacturers were averse to spending money on safety — to the way technology vendors and manufacturers can resist prioritizing security at the level they should.
A key part of the presentation came toward the end of the session, when Lord and Cable outlined how CISA intends to establish a technology ecosystem that prioritizes secure by design principles: best practices that set a baseline security expectation before a piece of technology is offered to the public, such as building it in a memory-safe programming language.
The presenters described three pillars of CISA's strategy: establishing the agency as a security leader within the technology ecosystem; collecting data and best practices; and driving adoption of secure-by-design best practices.
Cable said CISA will lead the transformation toward a more secure-by-design ecosystem in part through internal and external communications. He said the agency recently held a summit attended by every CISA employee that focused on what secure by design means and how employees can integrate it into their daily work.
Regarding data collection, Cable pointed to how little visibility the technology industry has into how and why security incidents occur.
“Right now, we don’t have the type of data we have in the auto industry,” Cable said. “We don’t know how crashes or cyber attacks are changing over time, we don’t know what the root causes are, and we really don’t know where we need to tackle to get at the bottom of this problem.”
To help solve this problem, he pointed to the Cyber Incident Reporting for Critical Infrastructure Act, a law signed by President Joe Biden last March that requires critical infrastructure entities to report cyber attacks within 72 hours and to report any ransom payments made within 24 hours. Though the rulemaking process for the law is ongoing, Cable said that once it is in effect he expects that “we will have a much better sense of what cyber attacks are facing our nation, and how trends are changing over time.”
The third pillar of CISA’s plan is dedicated to driving adoption of these security principles, not only among manufacturers. The agency also wants to educate consumers so they know how to evaluate products on the basis of security.
“We need to be looking at education to ensure that the population of software developers out there are capable of ranking secure code. I studied computer science myself at Stanford — we weren’t required to take a security class,” Cable said. “The vast majority of schools out there today don’t. How can we get to a better place so that future software developers know a thing or two about security?”
To close, CISA announced that in collaboration with the White House Office of the National Cyber Director, it will request public comment on open source software security and memory-safe programming languages. Kemba Walden, acting national cyber director in the Office of the National Cyber Director, announced the request for information (RFI) during her keynote Thursday morning at Black Hat.
The RFI, the press release said, aims to seek “public- and private-sector input as federal leadership develops its strategy and action plan to strengthen the open source software ecosystem.” Walden told Black Hat attendees that their feedback and insight into open source security will help the Biden administration develop realistic and effective policies to better secure open source software.
Responses are due by 5 p.m. EDT Oct. 9.
Alexander Culafi is a writer, journalist and podcaster based in Boston.