CISA director calls on tech companies to build security into products
A top cybersecurity official said in a speech Monday it's long past time for technology companies to build cybersecurity into their product design.
What they're saying: "The risk introduced to all of us by unsafe technology is frankly much more dangerous and pervasive than the spy balloon, yet we've somehow allowed ourselves to accept it," Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in remarks at Carnegie Mellon University.
- "We’ve normalized the fact that technology products are released to market with dozens, hundreds or thousands of defects, when such poor construction would be unacceptable in any other critical field," she added.
Why it matters: The remarks tee up a highly anticipated national cybersecurity strategy expected from the White House that will push tech companies to create more secure products.
The big picture: Typically, an organization's security is pinned on the performance of its security teams or its employees themselves.
- However, the strategy is expected to turn that view on its head and target the common vulnerabilities found in tech vendors' products.
Between the lines: Tech companies regularly release security patches for their products. Microsoft, for example, publishes such fixes on the first Tuesday of every month in an event known as "Patch Tuesday."
- But not all security flaws are noticed in time, and malicious hackers often use these flaws to breach organizations.
- The Biden administration is looking to crack down on the existence of these security flaws to begin with, rather than continuing the trend of blaming victim organizations for failing to stay secure.
Yes, but: Putting security first will require systemic changes in how major technology companies create new products, including possibly changing which programming languages developers use to write software.
The intrigue: Easterly also encouraged organizations to adopt more stringent requirements that their tech vendors must meet to land a contract.