In a stark call to action at Mandiant’s mWise conference, Jen Easterly, the head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), condemned technology vendors for a pervasive issue of delivering faulty and insecure software. Her remarks underscored a growing concern within the cybersecurity landscape, where the quality of software is crucial in the battle against cybercrime.
Easterly’s critique targets the very roots of the software supply chain, highlighting that the real culprits behind the rising tide of cybercrimes are not just the hackers, but also the companies that produce underperforming software. The persistent issues, she argues, stem from what she describes as “product defects” rather than mere “software vulnerabilities.” This shift in terminology is significant, emphasizing that these problems are not just technical glitches but core failures that can have severe implications for security.
In a world increasingly reliant on software for critical infrastructure, Easterly’s comparisons are eye-opening. She likened the current state of software security to boarding a flight or buying a car with no safety guarantees. This analogy serves to illustrate the irrationality of accepting poor software quality in environments where lives and national security are at stake.
The backdrop of her assertions is alarming. Despite the presence of a multi-billion-dollar cybersecurity industry, Easterly highlighted that the ongoing issues amount to a “multi-trillion-dollar software quality problem.” This statistic not only points to economic losses but also raises questions about accountability within software development. Despite substantial investments, many organizations struggle with frequent, urgent software updates, which can often lead to increased risk rather than mitigation.
Easterly’s tenure at CISA has been marked by a consistent push for improved software quality. She acknowledges that while achieving perfect code is unrealistic, the current defect rates are unacceptable. Her frustration is palpable, especially in light of the many companies that signed CISA’s “Secure by Design” pledge aimed at enhancing software security practices. Nearly 200 companies, including major names like AWS, Microsoft, and Google, have committed to this initiative. Yet, Easterly points out that compliance remains voluntary, suggesting that mere pledges are insufficient for actual progress.
To catalyze a change in culture, Easterly advocates for the use of procurement power by technology buyers. She urges companies to inquire if software vendors have taken the Secure by Design pledge seriously. CISA has even published guidelines for assessing the security priorities of software manufacturers during the purchasing process, thus empowering buyers to make informed decisions.
This call for accountability is particularly timely. With increasing frequency, high-profile cyberattacks have highlighted the vulnerabilities in software systems. The consequences of these attacks are not limited to data breaches; they can lead to extensive financial damages, reputational harm, and even physical threats, particularly in sectors like healthcare and critical infrastructure.
Navigating this challenging environment calls for a collaborative effort between consumers and tech vendors. As Easterly notes, there is a pressing need for transparent dialogues between software developers and their clients regarding security measures. This transparency can lead to better accountability, ensuring vendors are held responsible for the products they release.
Moreover, the implications of Easterly’s advocacy extend beyond mere improvements in documentation or patching software. They signal a crucial shift in expectations, where software integrity could become as pivotal to business success as overall product performance. Companies that invest in secure software development and robust post-deployment support may find themselves gaining a competitive edge, attracting more clients in an increasingly security-conscious market.
As we navigate the complexities of the digital age, the conversation sparked by Easterly is one that every stakeholder in the tech industry should engage with. A strong focus on accountability and quality in software development is essential for fostering a safer cybersecurity environment. By advocating for high standards in software design and demanding greater transparency from vendors, we can take significant steps towards reducing vulnerabilities and bolstering defenses against cyber threats.
In conclusion, Jen Easterly’s statements call for a reassessment of the software development landscape, urging tech firms to prioritize quality and security to ensure the protection of critical systems. As the demand for digital solutions grows, so does the need for accountability in software quality.
CISA’s leadership presents a pivotal opportunity to reshape industry norms that can potentially halt the alarming rate of cybercrime fueled by sub-standard software.