The Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design Pledge is, basically, a promise from companies to try to make “measurable” progress on certain cybersecurity goals. The promise asks them to do so within a year, and to blog or otherwise publicly disclose what they’ve achieved. Or, if things go poorly, they can at least explain to CISA how they tried and what difficulties they hit.
The seven goals in the pledge center on designing products so they’re easier to use securely and harder for hackers to compromise. The goals would also make it easier for people to learn about vulnerabilities affecting those products. The pledge is currently intended for makers of enterprise software.
“Ultimately, what we want to do is work to prevent exploitable defects in these products — well-known, well-understood, easily identified defects — and also provide customers more visibility over intrusions,” said Lauren Zabierek, senior adviser of CISA’s Cybersecurity Division. “We think that, collectively, these seven actions will have that impact.”
Theoretically, companies that adopt better security measures early will save money by preventing costly problems and damage control down the road. For one, catching and fixing vulnerabilities before products are released spares companies from later having to pull developers off projects to create patches, Zabierek noted. Investing in security from the start has ultimately saved money for companies in other industries, but data isn’t available about how this plays out in the software sector, Zabierek said. CISA has been trying to learn more both about the costs of designing software securely and the costs of failing to do so, something it sought in a December Request for Information.
The Secure by Design goals ask companies to embrace three key principles: taking responsibility for their customers’ security outcomes; striving for “radical” transparency and accountability; and structuring their businesses to have the kinds of tooling and incentives needed to promote effective cybersecurity.
Given the voluntary nature of the pledge, CISA cannot compel companies to carry through on promises. An in-the-works initiative would also create regular meetings for signers where they could share ideas, Zabierek said. CISA also hopes the public will create pressure for companies to keep to their voluntary promise here, Zabierek said.
CISA chose its seven security goals based on threats it has been observing.
Some goals aim to make it more difficult for hackers to illicitly access accounts. For example, the pledge calls for reducing use of default passwords in products. This comes after Iran-linked actors compromised Internet-connected equipment at several U.S. water facilities last year by using devices’ default passwords. Companies would also work to increase customers’ use of multifactor authentication with their products.
Pledge signers additionally promise to increase security patching among customers. For example, they might help customers adopt patches, enable automatic patching or take other measures. Companies also agree to publish a vulnerability disclosure policy, helping good-faith researchers to discover and alert the companies about security flaws in products.
Companies themselves would also do more to alert the community to flaws in their products, especially flaws with high impact that are actively being exploited. Participating companies also promise to make it easier for customers to detect and understand cyber incidents impacting products by better enabling evidence gathering. One way to do that is to offer audit logs. The importance of such offerings came into focus this year after China’s hack on federal officials’ Microsoft Outlook email accounts. A federal agency that paid extra to access logs detected the breach, while some customers who did not were left wondering whether they were victims — something that may be especially worrying because Microsoft itself was not the first to catch the intrusion. Microsoft later changed its approach and promised to make more logging features freely available to customers.
Finally, the pledge asks companies to reduce the presence of at least one class of vulnerabilities throughout products. According to CISA, “the vast majority of exploited vulnerabilities today are due to classes of vulnerabilities that can often be prevented at scale.”
Given that some goals are more difficult to complete than others — eliminating memory unsafe languages, for example, is harder than eliminating cross-site scripting — CISA doesn’t have a deadline in mind for when companies should complete all goals, Zabierek said. Doing so could take years, but, at least, the pledge kicks off that journey.
