Insecure software makers are the real cyber villains – CISA

Software developers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government’s Cybersecurity and Infrastructure Security Agency, has argued.

“The truth is: Technology vendors are the characters who are building problems” into their products, which then “open the doors for villains to attack their victims,” declared Easterly during a Wednesday keynote address at Mandiant’s mWise conference.

Easterly also implored the audience to stop “glamorizing” crime gangs with fancy poetic names. How about “Scrawny Nuisance” or “Evil Ferret,” Easterly suggested.

Even calling security holes “software vulnerabilities” is too lenient, she added. This phrase “really diffuses responsibility. We should call them ‘product defects,'” Easterly said. And instead of automatically blaming victims for failing to patch their products quickly enough, “why don’t we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors.”

Why does software require so many urgent patches? We need to demand more of vendors

While everyone in the audience at the annual infosec conference has job security, Easterly joked, it’s also the industry’s role to make it more difficult for miscreants to compromise systems in the first place.

“Despite a multi-billion-dollar cyber security industry, we still have a multi-trillion-dollar software quality issue leading to a multi-trillion-dollar global cyber crime issue,” Easterly lamented.

While no one would buy a car or board an airplane “entirely at your own risk,” we do that every day with the software that underpins America’s critical infrastructure, she added.

“Unfortunately we have fallen prey to the myth of techno exceptionalism,” Easterly opined. “We don’t have a cyber security problem – we have a software quality problem. We don’t need more security products – we need more secure products.”

This is a drum Easterly has been beating since she took the helm of the US cyber defense agency. She tends to bang it louder at industry events, such as the annual RSA Conference where she told attendees secure code “is the only way we can make ransomware and cyber attacks a shocking anomaly.”

Naturally, if writing flawless code was super easy, it would be done without fail. Some developers are clearly careless or clueless, leading to vulnerabilities and other bugs, and sometimes skilled humans with the best intentions simply make mistakes. In any case, Easterly isn’t happy with the current defect rate.

Also at RSAC, nearly 70 big names – including AWS, Microsoft, Google, Cisco, and IBM – signed CISA’s Secure by Design pledge – a commitment to “make a good-faith effort to work towards” seven secure-software goals within a year, and be able to measurably show their progress.

At mWise, Easterly revealed that number has grown to nearly 200 vendors.

But the pledge remains voluntary, so software companies who fail to follow its guidelines – such as increasing the use of multi-factor authentication across their products and reducing default passwords – aren’t going to be slapped down if they ignore it.

Easterly wants that to change. She suggested technology buyers use their procurement power to pressure software vendors, by asking suppliers if they have signed the pledge – and, hopefully, done more than just put ink to paper in terms of building secure-by-design [PDF] products.

To this end, CISA just published guidance that organizations buying software can use, and questions they should ask manufacturers, to better understand if they are prioritizing security in the product development life cycle.

“Use your voice, take an active role, use your purchasing power to advance secure by design, by demanding it,” Easterly urged.

And then cross your fingers and pray that more and more vendors really do begin to take things like pre-release software testing and secure code to heart. ®