According to Jen Easterly, director of the U.S. government’s Cybersecurity and Infrastructure Security Agency, software developers who release faulty, insecure code are the real culprits in the world of cybercrime.
“The truth is, technology vendors are the ones building vulnerabilities” into their products, which then “open the door for bad guys to attack their victims,” Easterly said during a speech Wednesday at Mandiant’s mWise conference.
Easterly also implored the audience to stop “glamorizing” criminal gangs with fancy poetic names. How about “Scrawny Nuisance” or “Evil Ferret,” Easterly suggested.
Even calling security holes “software vulnerabilities” is too mild, she added. The phrase “really spreads responsibility. We should be calling them ‘product defects,’” Easterly said. And instead of automatically blaming victims for not patching their products quickly enough, “why don’t we ask: Why does software need so many urgent patches? The truth is: We need to demand more from technology vendors.”
While everyone in the audience at the annual infosec conference has a job, Easterly joked, it’s also the industry’s job to make it harder for criminals to hack systems.
“Despite a multi-trillion dollar cybersecurity industry, we still have a trillion-dollar software quality problem, which leads to a trillion-dollar global cybercrime problem,” Easterly lamented.
While no one would buy a car or get on a plane “entirely at their own risk,” we do so every day with the software that supports America’s critical infrastructure, she added.
“Unfortunately, we’ve fallen prey to the myth of techno exceptionalism,” Easterly said. “We don’t have a cybersecurity problem — we have a software quality problem. We don’t need more security products — we need more secure products.”
It’s a drum Easterly has been beating since she took the helm of the U.S. cyber defense agency. She typically beats it harder at industry events, such as the annual RSA conference, where she told attendees that secure code “is the only way to make ransomware and cyberattacks a shocking anomaly.”
If writing bug-free code were super easy, it would obviously be done without fail. Some developers are clearly careless or ignorant, leading to vulnerabilities and other bugs, and sometimes competent people with the best intentions simply make mistakes. Either way, Easterly is not happy with the current defect rate.
Also at RSAC, nearly 70 big names, including AWS, Microsoft, Google, Cisco and IBM, signed CISA’s Secure by Design pledge. The pledge commits them to “a good faith effort to work toward” seven secure software goals within one year and to measurably demonstrate their progress.
At mWise, Easterly announced that the number has grown to nearly 200 suppliers.
But the pledge remains voluntary, so software companies that don’t follow the guidelines (such as using multi-factor authentication in their products and reducing default passwords) won’t face penalties for ignoring the pledge.
Easterly wants to change that. She proposed that technology buyers use their purchasing power to put pressure on software vendors, asking vendors whether they have signed the pledge, and hopefully whether they have done more than put ink on paper when it comes to building secure-by-design products.
With this in mind, CISA recently published guidance that organizations buying software can use, as well as questions they should ask manufacturers to better understand whether they are prioritizing security throughout the product development lifecycle.
“Use your voice, take an active role, use your purchasing power to promote safety by demanding it,” Easterly urged.
And then we can only hope that more and more suppliers take things like pre-release software testing and secure code to heart. ®