U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly is calling on hardware and software makers to remove the majority burden on users to protect their systems from cyber intruders.
In remarks at Carnegie Mellon University, Easterly urged IT companies to cyber lock down their products that are “embedded into the very foundations of our society.” She specifically pointed to Apple Computer as an example of taking the security of its products and platforms seriously.
“As we’ve integrated technology into nearly every facet in our lives, we’ve unwittingly come to accept as normal that such technology is dangerous by design,” Easterly said. Apple recently disclosed that 95% of iCloud users enable multi-factor authentication (MFA). Easterly said the high adoption rate is a result of Apple making MFA the default option. By comparison, she called out Microsoft and Twitter for their poor MFA adoption, at 25% and 3%, respectively, which she called “disappointing.”
Easterly's comments come as the Biden Administration is lining up an aggressive stance mandating private industry make systems cyber safe. The White House has long urged IT makers to voluntarily bake cyber protections into their products but is becoming more aggressive by mandating that system makers at large companies build in security by design.
SolarWinds and Kaseya
The impetus for Washington’s security strategy appears to be the SolarWinds supply chain hack in which dozens of managed security providers (MSPs) were compromised to get to larger targets. These targets included government agencies and large businesses, the Kaseya ransomware hack that deployed similar tactics and the Colonial Pipeline critical infrastructure ransomware event.
Those events sparked a wave of new legislation to require critical infrastructure owners and operators to report ransomware events and payments within a 48-hour window or face fines and penalties. Similar bills that have not been passed suggested the same apply to private industry.
Easterly said that the IT industry has “normalized” that the cybersecurity onus is placed on users to regularly patch vulnerabilities to keep them safe. “The burden is placed on you as the user and that’s what we have to collectively stop.” Users are often uninformed about how to protect themselves from a cyber attack.
Ironically, CISA regularly publishes cyber guidelines cautioning businesses to patch software flaws as soon as possible. “We often blame a company today that has a security breach because they didn’t patch a known vulnerability. What about the manufacturer that produced the technology that required too many patches in the first place?” Easterly said.
“Every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use,” she said.