2023-12-01

By Katie Bowen, Vice President for Public Sector, Synack, Inc.

U.S. cybersecurity officials are ratcheting up pressure on software manufacturers, unveiling an alert program this week that could shift how some technology companies handle cyber vulnerabilities.

The Cybersecurity and Infrastructure Security Agency, the nation’s top civilian cyber authority, said Wednesday it will issue a so-called “Secure by Design Alert” whenever its experts spot a vulnerability or hacking intrusion “that could have been reasonably avoided” if the software manufacturer deployed secure by design principles.

Simply put, “we’ll call it out,” CISA said.

The campaign’s goal is not to name and shame specific software vendors into acting on their vulnerabilities. Still, two publicly traded companies – plus two private ones – earned mentions in CISA’s inaugural alert under the new program, albeit in a footnote. The alert itself centered on risks to web management interfaces, which have seen a barrage of malicious cyber activity that, according to CISA, “can be avoided at scale.”

Clearly the heat is on for tech companies to act on their digital weak spots. If not, they risk drawing the ire of regulatory authorities or getting tried in the court of public opinion.

For software companies, the writing was on the wall back in March, when the Biden administration issued its National Cybersecurity Strategy. That policy roadmap proposed a new model for holding software manufacturers legally accountable for big vulnerabilities in their products.

“Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance,” the White House said at the time. “We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities.”

Secure by Design

Make no mistake: Malicious hackers are ultimately behind the cybersecurity crisis we see today. But because cyberthreats aren’t going away anytime soon, it’s critical for public and private sector organizations to be vigilant about weaknesses in their digital infrastructure.

Enter “secure by design,” the idea that the software products that underpin so much of our digital lives should have good security practices baked in from the very beginning. This can include everything from applying design principles like Defense-in-Depth to practicing effective vulnerability management and disclosure.

The Biden administration has thrown its weight behind the secure by design concept, whether in a recent executive order on AI that called for “secure development practices” or in the halls of CISA, the FBI and the NSA. Those three agencies joined several international partners in issuing a secure by design framework in October that urged “every technology manufacturer to build their products based on reducing the burden of cybersecurity on customers,” among other recommendations.

The latest secure by design alert calls on software companies to “embrace radical transparency and accountability” when it comes to inevitable flaws in their code. The end goal is to help others avoid replicating the same categories of vulnerabilities in their own products, which would only perpetuate an endless cycle of cybersecurity breaches.

CISA is evidently seeking to strike a delicate balance with its alerts; the program isn’t paired with the threat of fines or other regulatory actions, unlike, say, the recent Securities and Exchange Commission enforcement action taken against software maker SolarWinds and its chief information security officer. Instead, the agency says it’s trying to “invert the dialogue” of blaming software vendors “by focusing on how vendor decisions can reduce harm at a global scale.”

However diplomatic CISA may be in its messaging, its underlying point is clear: Secure by design is here to stay. Best start paying attention.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.