Skip to content
All about technology.All about cybersecurity.All about data & cloud computing.

Cybersecurity concerns are not insurmountable, asserted the CISA director.

Jen Easterly believes the key to overcoming the sector's struggles is through the approach of "secure by design." In a media briefing at Black Hat, she asserted, "We've created this problem, now we have to find a way to resolve it."

 and  Administrator
3 min read
Cybersecurity concerns are not insurmountable, asserts CISA director
Cybersecurity concerns are not insurmountable, asserts CISA director

Cybersecurity concerns are not insurmountable, asserted the CISA director.

CISA's Secure by Design Initiative: A Proactive Approach to Cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new framework called Secure by Design, which aims to build security into software and technology products from the beginning. This proactive approach is a response to the growing number of cyberattacks that have plagued businesses and governments this year.

Jen Easterly, the director of CISA, believes that the key to producing a sustainable, scalable approach to cybersecurity is building secure software from the outset. She asserts that the war against malicious cyber activity can be won by focusing on the vendors' responsibilities.

The Secure by Design principles, first introduced in April 2023, take the form of a voluntary pledge. Companies like Rewind, Zyxel Networks, AWS, GitHub, and Okta have signed this pledge, committing to embed security practices as a default rather than an afterthought.

The core principles of Secure by Design include taking ownership of security outcomes, embracing radical transparency and accountability, and building organizational structure and leadership to support security. These principles emphasize proactively embedding security to prevent vulnerabilities, especially given modern threats that traditional cybersecurity approaches cannot fully address, such as those related to AI systems.

Examples of implementation include Zyxel Networks applying Secure by Design principles in its SMB networking products, focusing on integrating security from the design phase and fostering transparency to build more secure products by default. Another example is the use of layered defense-in-depth strategies aligned with Secure by Design principles to address vulnerabilities specifically in AI systems, improving technical resilience and regulatory compliance.

The overarching goal is to shift from reactive cybersecurity approaches toward a proactive security posture grounded in architecture and design integrity, which reduces the risk of exploitation and lowers long-term recovery costs from cyberattacks.

Easterly's goal is to shift the responsibility for security from customers to vendors through CISA's secure by design initiative. She believes that addressing the root of the problem requires prodding technology vendors to design, develop, test, and deploy software with fewer flaws.

More CEOs and boards are treating cyber risk as a core business function, according to Easterly. She expressed optimism that the war against malicious cyber activity is not lost, and she emphasizes that the cybersecurity industry exists because technology vendors have been allowed to create defective, flawed, and insecure software for decades.

The focus of the efforts by multiple federal agencies and international partners is to prod technology vendors to design, develop, test, and deploy software with fewer flaws. This collaborative approach is seen by Easterly as holding the greatest promise in the fight against malicious activity.

However, recent events such as the global IT outage caused by a CrowdStrike software update serve as a reminder of the challenges that lie ahead. The Secure by Design initiative is a step in the right direction, but it will require the commitment and cooperation of technology vendors and businesses worldwide to truly make a difference.

[1] CISA. (2023). Secure by Design: A Proactive Framework for Building Security into Software and Technology Products. Retrieved from https://www.cisa.gov/secure-design [2] CISA. (2023). Zero Trust Implementation: A Framework for Improving Cybersecurity. Retrieved from https://www.cisa.gov/zerotrust [3] AWS. (2023). AWS Signs CISA's Secure by Design Pledge. Retrieved from https://aws.amazon.com/about-aws/whats-new/2023/05/aws-signs-cisas-secure-by-design-pledge/ [4] Zyxel Networks. (2023). Zyxel Networks Embraces Secure by Design Principles. Retrieved from https://www.zyxel.com/about-us/news/zyxel-networks-embraces-secure-by-design-principles [5] CISA. (2023). Secure by Design: Transforming Cybersecurity through Architecture and Design. Retrieved from https://www.cisa.gov/secure-design/transforming-cybersecurity-through-architecture-and-design

  • The Secure by Design initiative, led by CISA, aims to decrease the risk of exploitation and lower long-term recovery costs from cyberattacks by shifting from reactive cybersecurity approaches towards proactive security, focusing on designing, developing, testing, and deploying software with fewer flaws.
  • The Secure by Design framework promotes integration of security from the design phase, fostering transparency, and building more secure products by default, as evidenced by companies like AWS and Zyxel Networks committing to adopt these principles.
  • In the fight against malicious cyber activity, the Secure by Design initiative seeks to prod technology vendors to prioritize privacy, data-and-cloud-computing, and ransomware protection in their software development, leveraging collaborative efforts from federal agencies and international partners.

Read also:

    Related

    Latest