Search for:
Debevoise Data Blog
CISA

Security by Design and Default: CISA Looks to Drive Changes in Manufacturer Responsibility, Consumer Education and Private-Public Information Sharing

By: , and

In June, the Aspen Institute hosted a fireside chat with Jen Easterly, Director of the Cybersecurity Infrastructure Security Agency (“CISA”) to discuss current developments in cybersecurity and how the government is responding. Aligned with the White House’s National Cybersecurity Strategy released earlier this year and the May 2021 Executive Order on Improving the Nation’s Cybersecurity, Easterly discussed CISA’s security by design and default initiative, which builds upon existing global proposals to shift responsibility for security from consumers to software manufacturers and distributors.

Key observations shared during the event included:

  1. The burden of security has historically been on consumers and small businesses. Introduced first in an article, the security by design and default initiative aims to achieve a cultural shift in our perception of technology and cybersecurity that has to date normalized the idea that technology comes off the shelf with vulnerabilities. Such norms have put the burden of responding to those consequent threats on individuals and small businesses, who often do not have the capacity or knowledge to respond. In turn, that thinking produces an ineffective response to growing cyber threats.
  2. “Secure by design and default” demands that manufacturers consider vulnerabilities up front and that products come with security off the shelf. Under this initiative, software manufacturers would need to ensure that products come hardened so that consumers would need to proactively take measures to make software less safe. For example, on the front end, the use of memory-safe coding languages like Rust, Python and Java can significantly reduce vulnerabilities related to memory unsafety, responsible for nearly two-thirds of all software vulnerabilities. On the consumer side, products that come with multi-factor authentication (“MFA”) by default would require users to reconfigure products to avoid using MFA, rather than having to take affirmative steps to enable MFA.
  3. CISA aims to shift market incentives by helping consumers recognize and demand security from manufacturers. A historical misalignment of incentives, favoring speed to market over safety and security, has left software prone to vulnerabilities. Instead, CISA and the White House are pushing for companies to implement proactive measures, like security labeling, that inform consumers about the security features of software and devices they are purchasing. With such information, consumers could more accurately assess a product’s security level before purchasing products and therefore shift market demand to those products that are, by design, more secure. As with seatbelts in cars, with time, secure by design and default would become commonplace and consumers would know what safe looks like and demand it.
  4. Proactive “default to share” partnerships with the private sector are necessary and effective in countering state- and non-state-sponsored cyber threats. In response to escalating state-sponsored cyber threats, like LOG4J, MOVEit vulnerabilities, and the Chinese VOLT TYPHOON attack, CISA is focused on forging a community response to threats with private sector entities through a “default to share” model, where a threat to one is a threat to all. CISA aims to normalize public and private sector cooperation and informational exchanges with campaigns such as SHIELDS UP and its work with key election stakeholders to bolster cyber, operational and societal resilience.
  5. Generative AI poses new challenges to security and CISA is working to understand the threats. Joining a wave of government agencies in the United States, including the FDA and FTC, and globally, Easterly discussed CISA’s view that there is a need to implement regulatory measures around generative AI and that companies should deploy self-regulation around use cases until the right balance of innovation and regulation can be found. Generative AI’s potential for revolutionary impacts on society also opens the door for misuse, as the desire to “move fast and break things” could lead to unforeseen negative consequences, warranting caution in the space.

In response to CISA’s initiatives and commentary, companies may wish to consider the following:

  • Companies should evaluate risks in the software development life cycle of their products: CISA’s security by design and default initiative builds upon previous guidance for companies to start incorporating such principles into their software development practices. In preparation for possible legislation or market-driven efforts to shift cybersecurity liability to software manufacturers and distributors, companies should consider familiarizing themselves with NIST standards for secure-by-design and the Secure Software Development Framework (“SSDF”), as well as CISA’s technical guidance for secure-by-default. Evaluating for alignment with these standards may help with regulatory risks down the line.
  • Consumers should revisit purchase agreements in software licensing: Consumers (including companies and individuals) may want to examine the terms of their existing software license agreements to be informed about warranties and indemnities, and assess options to ensure favorable terms. In anticipation of further calls to reallocate responsibility for security among consumers, software and device manufacturers and distributors, manufacturers will likely face increasing demands to provide security assurances to consumers.
  • Develop a plan for disclosure of vulnerabilities: As CISA encourages and requires companies to share more information on cyber vulnerabilities, companies should assess the risk of, and any potential vulnerabilities in particular, that their software development and maintenance are consistent with NIST standards and guidelines to take advantage of the proposed safe harbor provision. Companies should also prepare for the possibility of making disclosures to CISA and consider incorporating such processes into existing incident response plans. Vulnerability disclosure programs and bug bounty programs remain valuable tools that companies should consider adopting as part of their comprehensive vulnerability assessment programs.
  • Socialize boards and senior management to the security by design and default concepts: Combining the comments by CISA with the position of the SEC in the new cyber rule for issuers, the role of the boards in cybersecurity is sure to grow. While the board is not likely to dive into the weeds on security by design, both the board and senior management may want to understand the principles and impacts to product development.

The authors would like to thank Debevoise Summer Associate Esther Tetruashvily for her work on this Debevoise Data Blog.

To subscribe to our Data Blog, please click here.

The cover art used in this blog post was generated by DALL-E.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com

Author

Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.

Related Posts