{"id":6186,"date":"2024-11-12T09:00:00","date_gmt":"2024-11-12T15:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/power-purse-ensure-security-by-design"},"modified":"2024-11-12T09:00:00","modified_gmt":"2024-11-12T15:00:00","slug":"the-power-of-the-purse-how-to-ensure-security-by-design","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/12\/the-power-of-the-purse-how-to-ensure-security-by-design\/","title":{"rendered":"The Power of the Purse: How to Ensure Security by Design"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt774c5739c188916c\/67336382041ac2b9b6d526d8\/Security_by_Design%281800%29_Zoonar_GmbH_Alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">COMMENTARY<\/span><\/span><br \/><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Companies across the country are lining up to join the latest cybersecurity trend: the <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" 
href=\"https:\/\/www.cisa.gov\/securebydesign\/pledge\/secure-design-pledge-signers\" rel=\"noopener\">Cybersecurity and Infrastructure Security Agency&#8217;s (CISA) Secure by Design pledge<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as &#8220;implement multifactor authentication (MFA)&#8221; are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The problem is that this <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/rsa-2024-cisa-secure-design-pledge-necessary-toothless\" rel=\"noopener\">pledge is entirely voluntary<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. Companies are free to sign it \u2014 or not \u2014 as they wish. And there&#8217;s no regulatory compliance factored in. 
This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.&nbsp;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Is the Honor System Good Enough?\">Is the Honor System Good Enough?<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">With data breaches <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.idtheftcenter.org\/publication\/2023-data-breach-report\/\" rel=\"noopener\">up 72% in 2023<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and the average cost of a breach estimated at $4.88 million, can we afford for our nation&#8217;s technological infrastructure to be governed by the honor system? 
What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/identity-access-management-security\/microsoft-will-require-mfa-for-azure-services\" rel=\"noopener\">MFA<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">? &nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">I&#8217;d argue for a much more aggressive approach from our federal government. Given the <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.wired.com\/story\/crowdstrike-outage-update-windows\/\" rel=\"noopener\">potential for widespread disruptions<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> inherent with any cybersecurity failure, we can&#8217;t afford to take such a lax attitude toward securing our systems. The sanctity of our nation&#8217;s airlines, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/ics-ot-security\/cosmicenergy-malware-emerges-electric-grid-shutdown\" rel=\"noopener\">power grids<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, and other critical infrastructure relies on stringent cybersecurity measures. 
Merely &#8220;suggesting&#8221; that companies institute basic protocols is not enough. We need to mandate it \u2014 and punish those who fail.&nbsp;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"The EU's Higher Standard\">The EU&#8217;s Higher Standard<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">I look at the European Union&#8217;s approach to setting standards for its electronic devices. In 2022,\u202f the EU <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220930IPR41928\/long-awaited-common-charger-for-mobile-devices-will-be-a-reality-in-2024\" rel=\"noopener\">passed a law<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU&#8217;s stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. 
Effective.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/ww2.arb.ca.gov\/our-work\/programs\/zero-emission-vehicle-program\/about#:~:text=The%20California%20Air%20Resources%20Board,reflect%20the%20state%20of%20technology.\" rel=\"noopener\">Zero Emissions Vehicle<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state&#8217;s air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. 
Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced.&nbsp;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Adopting a Similar Approach\">Adopting a Similar Approach<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation&#8217;s cybersecurity agency should be empowered to make regulations. &nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">CISA should begin by making its recommended goals mandatory, forcing software companies to do the following:&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u25cf\u202f\u202f\u202f\u202f\u202f Increase the use of MFA&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u25cf\u202f\u202f\u202f\u202f\u202f Reduce default passwords&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u25cf\u202f\u202f\u202f\u202f\u202f Enable a significant measurable reduction in the prevalence of one or more vulnerability classes&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph 
ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u25cf\u202f\u202f\u202f\u202f\u202f Increase the installation of security patches by customers&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u25cf\u202f\u202f\u202f\u202f\u202f Publish a vulnerability disclosure policy&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u25cf\u202f\u202f\u202f\u202f\u202f Demonstrate transparency in vulnerability reporting.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u25cf\u202f\u202f\u202f\u202f\u202f Increase the ability for customers to gather evidence of cybersecurity intrusions&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. 
Look closely <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/securebydesign\/pledge\/statements-of-support\" rel=\"noopener\">at CISA&#8217;s list of pledgees<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and come back in a year to see how many of these vaunted companies will have willingly admitted they aren&#8217;t taking the most basic steps toward protecting their users&#8217; data.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US, similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a &#8220;nice to have.&#8221; It should be mandatory. The stakes are as high as, if not higher than, with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. 
This is not a realm for timidity.\u202f \u202f&nbsp;<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/power-purse-ensure-security-by-design\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>COMMENTARYCompanies across the country are lining up to join the<\/p>\n","protected":false},"author":12,"featured_media":6187,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-6186","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=1800%2C1012&ssl=1",1800,1012,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=1800%2C1012&ssl=1",1800,1012,true],"chromen
ews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/the-power-of-the-purse-how-to-ensure-security-by-design.jpg?fit=1800%2C1012&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6186"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6186\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/6187"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mo
hflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}