In mid-April, the Cybersecurity & Infrastructure Security Agency (CISA) released Shifting the Balance of Cybersecurity Risk: Security-by-Design and Default Principles in collaboration with multiple other security agencies in the United States as well as ones in Australia, Canada, New Zealand, the United Kingdom, Germany, and the Netherlands. The new guide is intended to serve as a cybersecurity roadmap for manufacturers of technology and associated products. While the guidance itself is not groundbreaking, it does formalize security-by-design and default principles at an international level for the first time.
Minimal impact to the software manufacturing industry
The immediate impact on the software manufacturing industry is unlikely to be significant in the short term. The authoring agencies recognized that many private sector partners have already been advancing and following security-by-design and security-by-default principles for some time. The guide includes specific technical recommendations and principles to advise software manufacturers on building security into their design processes, but these recommendations are not new. The guide does function as a summary of best practices that other industries have been following for a long time. For example, many major US-based utilities adopted North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), a set of standards that regulates, monitors, enforces, and manages the security of the Bulk Electric System (BES) in North America and specifies a cybersecurity framework to identify and secure critical assets related to the electricity supply of North America’s BES. These utilities are routinely audited and rarely have an operational technology (OT) cyber event.
International agency involvement
As put forward in the National Cybersecurity Strategy, the administration’s goal is to ensure a safe and secure digital ecosystem for all Americans. The increasingly global nature of software systems and internet-facing systems means that an approach that includes the public and private sector as well as other countries is critical. To respond effectively to the global threat of cyber attackers, cybersecurity agencies must work together to put guidelines in place that increase overall security. Security-by-design and -default principles align with the national goal of shifting liability onto those organizations that do not take reasonable precautions to secure their software.
Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.
– National Cybersecurity Strategy
Given the national strategy and the increasing risk from malicious hackers and nation-state actors, it is not surprising that CISA and other agencies released their guidance. Even less surprising is the implication that they are likely to begin holding companies accountable for not following the guidance when there are obvious security issues. This accountability may take shape in the form of audits to evaluate whether best practices are being followed. Based on the findings of these audits, there may be reprimands and, in extreme cases, fines.
Is the guidance useful?
It is helpful that multiple agencies have come together to publish principles and approaches for security-by-design and -default, primarily because it consolidates best practices and guidance into a single location for organizations in the software manufacturing industry to reference. Unfortunately, the assistance is fairly limited in scope beyond that.
The primary benefit is to those suppliers and original equipment manufacturers (OEMs) who do not already have a security-by-design culture or have not already invested in putting those best practices in place. For those organizations, the guidance can help them better understand what security-by-design means in practice: how to identify and enumerate cyber threats to critical systems and how to build protections against them into their future products. These companies will need to invest in solutions that help them adopt a security posture aligned with CISA’s guidance, as well as bring in security experts to manage those solutions and guide the shift to a more secure approach to software development. This may (at least initially) raise the cost of products and, in some cases, slow the speed at which products and updates are brought to market.
What needs to come next?
Although the guidance is nothing new, it can help organizations that do not yet have security-by-design and -default practices in place to understand why that gap is a problem and how to close it. They will need to refer to the consolidated guidance and determine how best to follow it, which will almost certainly require hiring more cyber experts and investing in new tools. This may pose a challenge, as there is still a talent gap in the cybersecurity workforce, which may make it difficult for those organizations to hire skilled cybersecurity practitioners. Choosing cybersecurity tools and solutions that integrate well together and enable organizations to address the requirements in the new guide more effectively can help, particularly if, or when, this guidance becomes a requirement rather than a suggestion.