Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), has criticized major technology companies for selling unsafe and flawed products and then blaming their customers for security breaches and cyberattacks. Easterly has called for new rules and legislation to hold these companies accountable for releasing products despite known vulnerabilities.
During a speech at Carnegie Mellon University, Easterly said that cyber intrusions are a symptom of the larger problem of unsafe technology products. She stated that the risk introduced by such products is much more dangerous and pervasive than hacking campaigns by foreign adversaries.
Easterly laid out a set of core principles that include ensuring manufacturers are transparent about problems and how to fix them, and that the burden for safety is never left solely to tech and software customers. She emphasized that products should be “secure by design and secure by default.”
CISA is already using its purchasing power to help drive change. The agency requires companies seeking government contracts to meet higher security requirements. Easterly also praised companies like Apple, Google, and Amazon Web Services for moving towards a more secure model, but criticized others, such as Twitter and Microsoft, for inadequate efforts in multifactor authentication.
Easterly called for a fundamental shift towards secure-by-design and secure-by-default products to help organizations and technology providers. Such a transition would mean less time fixing problems and more time focusing on innovation and growth, and it would make life harder for adversaries.
The push for regulation and legislation is not new: both Easterly and former National Cyber Director Chris Inglis warned during their confirmation hearings that government action may be required if private companies refuse to do more. However, with the rise of massive hacking campaigns by China and other adversaries, Easterly believes that change across the industry needs to come faster.