Easterly: Cybersecurity is a software quality problem | CyberScoop<\/title> <meta name=\"description\" content=\"The head of the Cybersecurity and Infrastructure Security Agency wants to see major changes in how companies develop software.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/easterly-secure-by-design-black-hat\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Easterly: Cybersecurity is a software quality problem \"> <meta property=\"og:description\" content=\"The head of the Cybersecurity and Infrastructure Security Agency wants to see major changes in how companies develop software.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/easterly-secure-by-design-black-hat\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-08-09T17:46:20+00:00\"> <meta property=\"article:modified_time\" content=\"2024-08-09T17:46:21+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"eliasgroll\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1721926675g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1721767167g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1721764637g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/81368\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=81368\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Feasterly-secure-by-design-black-hat%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Feasterly-secure-by-design-black-hat%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-81368 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/easterly-secure-by-design-black-hat\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.952380952381\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2024 CyberScoop 50 awards! <\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/vote\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \">\n<div class=\"single-article__header-content\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Jen Easterly, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, testifies before the House (Select) Strategic Competition Between the United States and the Chinese Communist Party Committee on Capitol Hill on January 31, 2024 in Washington, DC. (Photo by Kevin Dietsch\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"38.00238410596\"><body readability=\"78.538961038961\"><\/p>\n<p>LAS VEGAS \u2014 Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, told attendees at the Black Hat security conference on Thursday that delivering major improvements in computer security will require a sea change in how companies approach building software. <\/p>\n<p>Amid an epidemic of breaches, Easterly laid the blame squarely at the feet of the technology industry. \u201cWe don\u2019t have a cybersecurity problem. We have a software quality problem,\u201d she said. <\/p>\n<p>\u201cWe have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software,\u201d Easterly said in her remarks.<\/p>\n<p>To address that issue, Easterly and CISA have <a href=\"https:\/\/cyberscoop.com\/cisa-secure-by-design-commitments-tech-companies\/\">launched a secure by design pledge<\/a>, the signatories of which commit to <a href=\"https:\/\/www.cisa.gov\/securebydesign\/pledge\">a series of principles<\/a> to improve the security of how products are developed and deployed. Easterly said 200 companies have now signed that pledge since its launch in March. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Easterly said it\u2019s past time that software vendors no longer consider vulnerabilities \u201cas an inevitable act of nature,\u201d when other industries would consider similar flaws as alarming as \u201cproduct defects.\u201d <\/p>\n<p>To force companies to devote greater resources to the security of their products, the Biden administration is considering how to carry out software liability reform, which in theory would allow those affected by software flaws to sue the makers of that product. As it stands, restrictive liability waivers ensure that when technology companies make mistakes, they generally can\u2019t be sued for them.<\/p>\n<p>That dynamic is currently playing between Delta and cybersecurity vendor CrowdStrike, <a href=\"https:\/\/cyberscoop.com\/crowdstrike-falcon-flaw-microsoft-outage-flights-grounded-windows\/\">whose recent errant software update<\/a> crippled the airline\u2019s operation, along with numerous other services. Delta has threatened to sue, but the company <a href=\"https:\/\/cyberscoop.com\/crowdstrike-points-finger-back-at-delta-after-airline-threatened-to-sue-over-outages\/\">has noted that its liability<\/a> toward the airline is capped in the single-digit millions. <\/p>\n<p>Easterly argued Congress needs to step in to reform this dynamic. \u201cCongress can also have a transformative impact by establishing a software liability regime with an articulable standard of care and safe harbor provisions for those vendors that innovate responsibly, prioritizing secure development processes,\u201d Easterly said.<\/p>\n<p>National Cyber Director Harry Coker, who also spoke at Black Hat on Thursday, said that both individuals and organizations need to become more resilient in order to \u201coperate through\u201d cyberattacks, especially if an incident affects critical infrastructure.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Coker also voiced his support <a href=\"https:\/\/cyberscoop.com\/cybersecurity-regulations-harmonization-federal-agencies-senate-bill\/\">a bipartisan Senate bill<\/a> on regulatory harmonization that calls for a committee to streamline cybersecurity mandates for industry. Harmonization has been a top policy initiative for the administration. <\/p>\n<p>\u201cWhat that bill will do is give our office, the National Cyber Director, the opportunity to bring together regulators to apply logic and good teamwork and collaboration to a vexing, hard problem that the public sector, private sector and our business associations all want to happen,\u201d Coker said.<\/p>\n<p>Coker also noted that the Department of Treasury is working on a federal cyber insurance backstop for catastrophic cyber events, as outlined in the national cybersecurity strategy. <\/p>\n<p>The Biden administration has said it would explore the creation of a backstop, but such a mechanism is far from being enacted.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.3108808290155\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/easterly-cybersecurity-is-a-software-quality-problem-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/easterly-secure-by-design-black-hat\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Easterly: Cybersecurity is a software quality problem | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,452,293,722,1276],"tags":[86,454,299,723,1278],"class_list":["post-4794","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-jen-easterly","category-secure-by-design","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-jen-easterly","tag-secure-by-design"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/jen-easterly\/\" rel=\"category tag\">Jen Easterly<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secure-by-design\/\" rel=\"category tag\">secure-by-design<\/a>","tag_info":"secure-by-design","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4794"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4794\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":4794,"date":"2024-08-09T12:46:20","date_gmt":"2024-08-09T17:46:20","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=81368"},"modified":"2024-08-09T12:46:20","modified_gmt":"2024-08-09T17:46:20","slug":"easterly-cybersecurity-is-a-software-quality-problem","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/09\/easterly-cybersecurity-is-a-software-quality-problem\/","title":{"rendered":"Easterly: Cybersecurity is a software quality problem\u00a0"},"content":{"rendered":"