Easterly: Cybersecurity is a software quality problem
LAS VEGAS — Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, told attendees at the Black Hat security conference on Thursday that delivering major improvements in computer security will require a sea change in how companies approach building software.
Amid an epidemic of breaches, Easterly laid the blame squarely at the feet of the technology industry. “We don’t have a cybersecurity problem. We have a software quality problem,” she said.
“We have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software,” Easterly said in her remarks.
To address that issue, Easterly and CISA have launched a secure by design pledge, the signatories of which commit to a series of principles to improve the security of how products are developed and deployed. Easterly said 200 companies have now signed that pledge since its launch in March.
Easterly said it’s past time that software vendors no longer consider vulnerabilities “as an inevitable act of nature,” when other industries would consider similar flaws as alarming as “product defects.”
To force companies to devote greater resources to the security of their products, the Biden administration is considering how to carry out software liability reform, which in theory would allow those affected by software flaws to sue the makers of that product. As it stands, restrictive liability waivers ensure that when technology companies make mistakes, they generally can’t be sued for them.
That dynamic is currently playing out between Delta and cybersecurity vendor CrowdStrike, whose recent errant software update crippled the airline’s operations, along with numerous other services. Delta has threatened to sue, but CrowdStrike has noted that its liability toward the airline is capped in the single-digit millions.
Easterly argued Congress needs to step in to reform this dynamic. “Congress can also have a transformative impact by establishing a software liability regime with an articulable standard of care and safe harbor provisions for those vendors that innovate responsibly, prioritizing secure development processes,” Easterly said.
National Cyber Director Harry Coker, who also spoke at Black Hat on Thursday, said that both individuals and organizations need to become more resilient in order to “operate through” cyberattacks, especially if an incident affects critical infrastructure.
Coker also voiced his support for a bipartisan Senate bill on regulatory harmonization that calls for a committee to streamline cybersecurity mandates for industry. Harmonization has been a top policy initiative for the administration.
“What that bill will do is give our office, the National Cyber Director, the opportunity to bring together regulators to apply logic and good teamwork and collaboration to a vexing, hard problem that the public sector, private sector and our business associations all want to happen,” Coker said.
Coker also noted that the Department of Treasury is working on a federal cyber insurance backstop for catastrophic cyber events, as outlined in the national cybersecurity strategy.
The Biden administration has said it would explore the creation of a backstop, but such a mechanism is far from being enacted.