CISA: Tech industry 'shouldn't tolerate' Patch Tuesday, unsecured software
CISA director Jen Easterly said the tech industry has allowed the widespread acceptance of "deviant behaviours" to make a mockery of cyber security


The director of the US’ cyber security authority, CISA, has criticised the tech industry for normalising unacceptable security practices, including Microsoft’s Patch Tuesday.
Patch Tuesday is a monthly round of security updates on which IT system administrators rely to keep their organisation’s IT estate safe from vulnerability exploits.
The fact that the industry has accepted this as normal is “evidence of our willingness to operate dangerously”, Jen Easterly argued.
Easterly acknowledged that while it’s impossible to prevent all security vulnerabilities, the tech industry should be demanding higher standards for the products it produces and uses.
During a speech made at Carnegie Mellon University (CMU) this week, the CISA director went on to cite some of the major cyber attacks in recent years, such as school districts shutting down, a gas pipeline shutting down, and patients being diverted from hospitals affected by ransomware attacks.
“And that’s just the tip of the iceberg, as many - if not most - attacks go unreported,” she said.
“As a result, it’s enormously difficult to understand the collective toll these attacks are taking on our nation or to fully measure their impact in a tangible way.”
The industry has reached the point at which it accepts that technology is “dangerous by default”, a standard that would never be accepted for a safety product such as a car airbag.
The normalisation of deviance theory by sociologist Diane Vaughan posits that when swathes of people grow accustomed to deviant behaviours, those behaviours no longer seem deviant to many over time.
Easterly cited the theory, drawing parallels between it and the state of the tech industry currently.
It has been accepted as normal that Patch Tuesday only comes once a month and usually fixes around 100 vulnerabilities, often more, in each release.
It also seems normal that software is still written in memory-unsafe languages like C and C++, a practice the US government has hoped to stamp out through public information campaigns over the past year.
The idea of encouraging the use of secure software development practices feeds into one of the three core principles CISA is currently trying to enact across the industry.
- Placing greater emphasis on manufacturers of technology products to assume responsibility for security issues
- Technology manufacturers to “embrace radical transparency” to disclose customer safety challenges
- Focus on building products with both the ideas of security by design and security by default at the core of production
At the federal level, the Biden administration has already mandated that all federal civilian executive branch (FCEB) agencies must patch a list of the most common vulnerabilities by a given deadline to limit the potential for a major cyber attack on the government.
However, there is still work that needs to be done at both the government and education levels in order to raise cross-industry standards, Easterly said.
Better incentives need to be introduced so manufacturers are rewarded for producing secure products. In the tech industry, no such rewards exist.
The idea of incentivising proper security practices is not a new one, but little movement has been made among leading countries to reward manufacturers for providing secure software.
Easterly said the government needs to improve its approach to legislating positive change, such as preventing companies from disclaiming liability by contract, for example, and mandating a more transparent production process.
Private companies should shoulder some burden of security too. For example, making multi-factor authentication (MFA) a default setting in user accounts across all technologies and platforms is one way the industry could prevent a sizeable number of breaches.
Apple’s iCloud service has a 95% uptake of MFA among users compared to Twitter’s 3%, a contrast Easterly said was due to Apple enabling MFA by default.
At the education level, the CISA director praised CMU specifically for introducing its CS 112 programming class which teaches students how to code in Python - a memory-safe programming language.
Areas for improvement that were highlighted included embedding security throughout all IT-related classes and courses, and supporting the open source and research communities to adopt memory-safe programming.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.