CISA Director Jen Easterly: Software Vendors ‘Should Own The Security Outcomes For Their Customers’
During a conversation with CrowdStrike CEO George Kurtz at an event Tuesday, Easterly said that shifting the burden of securing software from customers to vendors remains a top priority for CISA.
If you haven’t heard, CISA Director Jen Easterly is not a fan of “Patch Tuesday.”
In a discussion Tuesday — which happened to coincide with Microsoft’s monthly “Patch Tuesday” software release fixing scores of vulnerabilities — Easterly reiterated her view that the monthly routine is a highly visible sign of what’s wrong with the tech industry when it comes to the security of software products.
Rather than releasing software that is “secure by default” or “secure by design,” software vendors are placing an undue burden for stopping cyberattacks onto customers, including those who are least able to handle the threats such as small businesses, Easterly said.
Easterly, who heads the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has been vocal on the topic since last fall. On Tuesday, during CrowdStrike’s inaugural Government Summit in Washington, Easterly discussed the issue after it was raised by CrowdStrike Co-Founder and CEO George Kurtz, disclosing that CISA plans to release a list of principles for “security by design / security by default” on Thursday.
Too often, after a breach occurs, the victim is blamed for falling short on implementing security measures, such as failing to patch their systems against known vulnerabilities, Easterly said.
“But let’s look at the underlying cause. Why did that software have so many vulnerabilities, that had to constantly be [addressed] in this patch cycle?” she said. “It’s not a trivial thing to patch your stuff at all. Things can break. You’ve got to open for business in Asia. And there’s always the balance between what [the business] wants and what security guys want.”
It’s a massive problem, Easterly said, “to be in this constant patch cycle — Patch Tuesday and then all the off cycles.” Organizations are expected to somehow keep up with “thousands and thousands of critical vulnerabilities,” she said.
Instead, “we need to expect that software manufacturers are going to be driving down vulnerabilities” before they reach end users, Easterly said, “so you’re not putting all the burden on users and small businesses.”
‘Own The Security Outcomes’
In sentiments that were reflected in the Biden administration’s recently released National Cybersecurity Strategy, Easterly said the key going forward will be to shift the burden on security of products “to software companies from individual users and small businesses.”
Doing so will come down to three key changes that will need to be made going forward, she said.
First, software vendors “should own the security outcomes for their customers,” Easterly said. Secondly, “software vendors should provide radical transparency” about where they are at in terms of making their products secure by default, and should stop charging extra for security logs and single sign-on (SSO) support, she said.
And third, software vendor executives should be focused on designing secure products “as a business decision,” she said. “At the end of the day, software is so important. We need software makers to be laser-focused on safe software.”
The set of “security by design” principles that CISA plans to release Thursday is “not the Holy Grail,” Easterly said. “But it is really important data to start a robust conversation about the importance of shifting the burden” of securing software to the software makers themselves, she said.
In early March, the White House said that a top goal of its National Cybersecurity Strategy was to “begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.”
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses or critical infrastructure providers,” the White House said in the strategy.
The White House strategy, and CISA’s continued attention on the issue of “secure by default,” don’t have the power to make vendors do anything differently, of course. But the moves do serve as a signal of where things may be headed on the legislative and regulatory front—which in itself can sometimes cause changes as businesses work to get out ahead of actions by the government.
On the goal of incentivizing the industry to develop products with fewer security issues, “would it solve all the problems that we have? No. But I think it would solve some of them,” said Dawn Sizer, CEO of 3rd Element Consulting, a Mechanicsburg, Pa.-based MSP, in a previous interview with CRN.
In remarks in late February at Carnegie Mellon University, Easterly said that “while it will not be possible to prevent all software vulnerabilities, the fact that we’ve accepted a monthly ‘Patch Tuesday’ as normal is further evidence of our willingness to operate dangerously.”
On Tuesday, Microsoft released patches addressing 100 vulnerabilities in software including Windows, Office, Windows Defender, Dynamics, SharePoint Server and Windows Hyper-V, according to Dustin Childs of Trend Micro’s Zero Day Initiative.
“Of the patches released today, seven are rated Critical and 90 are rated Important in severity,” Childs wrote in a post. “While this volume does seem to be in line with past years, the number of remote code execution (RCE) bugs makes up nearly half the release. It’s unusual to see that many RCE fixes in a single month.”