CISA shares 'secure by design' plan for US tech ecosystem

LAS VEGAS -- CISA shared its plan to foster "secure by design" principles within the U.S. technology ecosystem during a Thursday session at Black Hat USA 2023.

The Black Hat presentation, "Unsafe At Any Speed: CISA's Plan to Foster Tech Ecosystem Security," uses former U.S. presidential candidate Ralph Nader's 1965 book Unsafe at Any Speed: The Designed-In Dangers of the American Automobile as an analogy for modern technology. Nader's book was about automobile safety and led to the creation of the U.S. Department of Transportation.

CISA senior technical advisors Bob Lord and Jack Cable compared the core theme of Nader's book -- that car manufacturers were averse to spending money on safety -- to the way technology vendors and manufacturers can resist prioritizing security at the level they should.

A key part of the presentation came toward the end of the session, when Lord and Cable provided an overview of how CISA intends to establish a technology ecosystem that prioritizes secure by design principles, which are best practices that provide a baseline security expectation before the piece of technology is offered to the public. For example, using memory-safe programming languages.

The presenters referenced three pieces to CISA's strategy: establishing the agency as a security leader within the technology ecosystem; collecting data and best practices; and driving adoption of secure-by-design best practices.

Cable said CISA will lead the transformation toward a more secure-by-design ecosystem in part through internal and external communications. He said the agency recently held a summit attended by every CISA employee that focused on what secure by design means and how employees can integrate it into their daily work.

Regarding data collection, Cable referenced the limitations technology has regarding its visibility into how and why certain outcomes occur.

"Right now, we don't have the type of data we have in auto industry," Cable said. "We don't know how crashes or cyber attacks are changing over time, we don't know what the root causes are, and we really don't know where we need to tackle to get at the bottom of this problem."

To help solve this problem, he mentioned the Cyber Incident Reporting for Critical Infrastructure Act, a law signed by President Joe Biden last March that requires critical infrastructure entities to report cyber attacks within 72 hours and to report any ransom payments made within 24 hours. Though the rulemaking process of the law is ongoing, Cable said that once it is in effect he expects that "we will have much better sense of what cyber attacks are facing our nation, and how trends are changing over time."

The third pillar of CISA's plan is dedicated to driving adoption of these security principles, not only among manufacturers. The agency also wants to educate consumers so they know how to evaluate products on the basis of security.

"We need to be looking at education to ensure that the population of software developers out there are capable of ranking secure code. I studied computer science myself at Stanford -- we weren't required to take a security class," Cable said. "The vast majority of schools out there today don't. How can we get to a better place so that future software developers know a thing or two about security?"

To close, CISA announced that in collaboration with the White House Office of the National Cyber Director, it will request public comment on open source software security and memory-safe programming languages. Kemba Walden, acting national cyber director in the Office of the National Cyber Director, announced the request for information (RFI) during her keynote Thursday morning at Black Hat.

The RFI, the press release said, aims to seek "public- and private-sector input as federal leadership develops its strategy and action plan to strengthen the open source software ecosystem." Walden told Black Hat attendees that their feedback and insight into open source security will help the Biden administration develop realistic and effective policies to better secure open source software.

Responses are due by 5 p.m. EDT Oct. 9.

Alexander Culafi is a writer, journalist and podcaster based in Boston.