CISA, NSA, NCSC, the rest of the Five Eyes nations, Germany and the Netherlands look to spark an ‘international conversation’ in an unprecedented collaboration to improve proactive, security-centric development.
By Joe Fay
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), U.K. National Cyber Security Centre (NCSC) and a raft of other national security agencies have issued a “guide” to help software and technology vendors build products that are “secure by design”.
The NCSC said the aim of the document - Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default – was to encourage developers to embed secure-by-design and by-default principles into their workflows and products to help keep customers safe.
Treating security as an “additional technical feature”, or as something users had to configure themselves, left consumers “open to malicious cyber intrusions and safety risks”, the U.K. agency continued.
The guide itself notes that “historically technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense.” This is because “features and speed to market” have been a stronger driver than security, even though shipping first and patching later ultimately enlarges the attack surface customers are exposed to.
A security by design and by default approach meant that “Over time, engineering teams will be able to establish a new steady-state rhythm where security is truly designed-in and takes less effort to maintain.”
This would ensure products are built in a way that “reasonably protects against malicious cyber actors successfully gaining access to devices, data and connected infrastructure.” And it would mean that products are secure out of the box “without additional charge” and that complexity of security configuration should not be a customer problem.
On a practical level, the recommendations include using memory-safe programming languages, vetting the third-party software components a product depends on, publishing software bills of materials (SBOMs) and running vulnerability disclosure programs.
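As an added illustration of what the memory-safe-language recommendation buys in practice, here is a small Rust parser for an attacker-controlled, length-prefixed record. The code and the message layout (a 1-byte type, a 2-byte big-endian length, then the payload) are written for this page and are not from the guide or from any vendor. In C, trusting the declared length would read or write past the buffer; here the bounds-checked slice API turns the same mistake into an `Err`/`None` return rather than memory corruption, which is the class of bug the guide wants removed by language choice rather than by per-call diligence.

```rust
// Added example: parsing attacker-controlled, length-prefixed records in Rust.
// Record layout (constructed for this page): kind:u8 | len:u16 big-endian | payload.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub kind: u8,
    pub payload: &'a [u8],
}

/// Parse one record from the front of `buf`.
/// Returns None instead of reading past the end when the declared length
/// exceeds the bytes actually present; `get` is bounds-checked, so an
/// oversized length field cannot become an out-of-bounds access.
pub fn parse_record(buf: &[u8]) -> Option<Record<'_>> {
    let kind = *buf.first()?;
    let len_bytes = buf.get(1..3)?;
    let len = u16::from_be_bytes([len_bytes[0], len_bytes[1]]) as usize;
    let payload = buf.get(3..3 + len)?;
    Some(Record { kind, payload })
}

/// Parse a whole buffer of back-to-back records.
/// On a malformed or truncated record, returns Err with the byte offset at
/// which parsing stopped, so the caller can log or reject the input.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<Record<'_>>, usize> {
    let mut out = Vec::new();
    let mut offset = 0;
    while !buf.is_empty() {
        let rec = parse_record(buf).ok_or(offset)?;
        // parse_record succeeded, so `consumed` is within bounds.
        let consumed = 3 + rec.payload.len();
        offset += consumed;
        buf = &buf[consumed..];
        out.push(rec);
    }
    Ok(out)
}

pub fn main() {
    // Constructed sample input: one well-formed record, then one that claims
    // 65535 bytes of payload while only 4 bytes follow.
    let good: [u8; 7] = [0x01, 0x00, 0x04, b'd', b'a', b't', b'a'];
    let bad: [u8; 7] = [0x01, 0xFF, 0xFF, b'd', b'a', b't', b'a'];
    println!("{:?}", parse_record(&good));
    println!("{:?}", parse_record(&bad));
    println!("{:?}", parse_all(&bad));
}
```

The point is not that the Rust code is cleverer than the C equivalent, but that the check which a C programmer must remember on every buffer access is enforced by the language: forgetting it produces a compile-time or runtime error instead of a silently exploitable read.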
Amongst the security principles listed in the document is to “embrace radical transparency and accountability.”
As well as CISA and the NCSC, the U.S. National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) are backing the guide, alongside security agencies from the rest of the Five Eyes intelligence nations of Canada, Australia and New Zealand, as well as the security agencies of Germany and the Netherlands. This is one of the biggest multi-national cybersecurity collaborations of recent years and comes just weeks after the White House released its new National Cybersecurity Strategy calling for more collaboration with allies on cyber matters.
More broadly, the collective agencies note that the guide “is intended to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.”
It’s hard to escape the conclusion that some suppliers – and countries - are highly unlikely to follow the recommendations of the group.
Earlier this year, mid-market tabloids were entranced by a report from a Washington consultancy that raised the possibility that Chinese-made IoT and home devices could be spying on Western customers.
More practically, the document’s advice around transparency and accountability might pose a problem for manufacturers without resilient after-sales service, and even more so for those whose home governments award themselves blanket access to user data.