CISA recently unveiled its 'Secure by Design Alert Series', which places more responsibility on software vendors to help prevent cyberattacks. Learn how this initiative aims to prioritize safety and reduce the harm caused by vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) has recently taken further steps toward its secure by design goals. In April 2023, Jen Easterly (the director of CISA) and other cybersecurity officials said that software companies need to prioritize the safety of their products over getting them to market quickly in order to protect all technology users.
At the end of November, CISA announced a ‘Secure by Design Alert Series’. Eric Goldstein, the executive assistant director for cybersecurity, and Bob Lord, the senior technical advisor, explained the need for the series, saying that CISA’s recent work releasing warnings about software vulnerabilities and ongoing attacks isn’t enough to reduce the nation’s risk. Instead, they say that CISA needs to address the root causes, such as software development practices and customers not applying the correct settings even when they have the right software.
The Secure by Design (SbD) Alerts will call out “vulnerability or intrusion campaigns that could have been reasonably avoided if the software manufacturer had aligned to secure by design principles.” Goldstein and Lord stress that the point of the series “isn’t to cast blame on specific vendors”, but rather “to shine a light on real harm occurring due to these ‘anti-security’ decisions.” A lot of mainstream cybersecurity advice around intrusions is aimed at the consumer, but CISA hopes to “invert” this conversation to make sure that software vendors and other technology manufacturers are also reducing harm.
The series comes on the heels of a particularly impactful rash of cyberattacks. CISA has identified the “CyberAv3ngers”, an Iran-affiliated group of threat actors, as responsible for the breach that affected the water authority in Aliquippa, Pennsylvania. The North Texas Municipal Water District also weathered an attack from the Daixin Team group that disrupted phone lines. The ransomware attack on Ardent Health Services prevented ambulances from running the correct routes, leading to delays for some patients. It’s clear that Goldstein and Lord were correct in saying that “...insecure technology products are not an issue of academic concern: they are directly harming critical infrastructure, small businesses, local communities, and American families.”
CISA’s Secure by Design Alert series already has its first publication out, with advice for software manufacturers on preventing vulnerabilities in their products from being exploited: “Take Ownership of Customer Security Outcomes” and “Embrace Radical Transparency and Accountability”.
The Secure by Design (SbD) Alert Series represents a critical shift in focus, putting the onus on software vendors and manufacturers to prioritize safety over rapid deployment. As cyberattacks continue, the program may be instrumental in reducing the damage they cause by pushing these companies to take accountability for their vulnerabilities.