
Easterly: Cybersecurity is a software quality issue


LAS VEGAS — Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told attendees of the Black Hat security conference Thursday that making major improvements in computer security will require a radical shift in how companies approach building software.

Amid a proliferation of security breaches, Easterly placed the blame squarely on the tech industry. “We don’t have a cybersecurity problem. We have a software quality problem,” she said.

“We have a multi-billion dollar cybersecurity industry because for decades, technology vendors were allowed to create software that was broken, insecure and imperfect,” Easterly said in her speech.

To address this issue, Easterly and CISA launched a “secure by design” pledge, in which signatories commit to a set of principles aimed at improving the security of product development and deployment. Easterly said that 200 companies have now signed the pledge since it was launched in March.

Easterly said it was high time software vendors stopped treating vulnerabilities as “an inevitable act of nature,” whereas other industries would treat similar flaws as alarming “product defects.”

To force companies to devote more resources to the security of their products, the Biden administration is considering how to push through software liability reform, which would theoretically allow people affected by software flaws to sue the makers of those products. As it stands, narrow liability carve-outs ensure that when tech companies make mistakes, they generally can’t be sued.

That dynamic is currently playing out between Delta and cybersecurity vendor CrowdStrike, whose recent flawed software update crippled the airline’s operations, along with many other services. Delta has threatened to sue, but CrowdStrike has noted that its liability to the airline is capped at a few million dollars.

Easterly argued that Congress must step in to reform this dynamic. “Congress can also have a transformative impact by establishing a software liability regime with an articulated standard of care and protections for vendors who innovate responsibly, prioritizing secure development processes,” Easterly said.

Harry Coker, the country’s national cybersecurity director, who also spoke at Black Hat on Thursday, said individuals and organisations need to become more resilient in order to “resist” cyberattacks, particularly if an incident affects critical infrastructure.

Coker also expressed support for a bipartisan Senate regulatory harmonization bill that would create a committee to streamline cybersecurity mandates for the industry. Harmonization has been a major policy initiative of the administration.

“This bill will give our office, the National Cybersecurity Director, an opportunity to bring regulators together to apply logic, good teamwork and collaboration to a vexatious and difficult problem that the public sector, the private sector and our trade associations all want to solve,” Coker said.

Coker also noted that the Treasury Department is working on federal insurance against catastrophic cyber events, as outlined in the National Cybersecurity Strategy.

The Biden administration has said it will explore the possibility of creating a safety net, but such a mechanism is far from being put in place.

The article Easterly: Cybersecurity is a software quality issue appeared first on CyberScoop.