The Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and cybersecurity authorities of other international allies on Thursday published joint guidance urging software manufacturers to bake secure-by-design and secure-by-default principles into their products.
The cybersecurity guidance is the first of its kind, and is intended to speed up cultural shifts within the technology industry that are needed to achieve a safe and secure future online.
Key principles of the new guidance include: taking ownership of security outcomes of products, embracing “radical transparency” and ensuring that companies have C-suite support to prioritize product security.
Publication of the secure-by-design principles follows the publication in March of a new national cybersecurity strategy by the Biden administration, which sought to shift the responsibility for maintaining the security of computer systems further towards larger software makers.
In particular, the new guidance states that a secure configuration should be “the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.” The three U.S. agencies have published the document jointly with cybersecurity authorities from Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand.
The national cybersecurity strategy calls for critical infrastructure owners and operators to meet minimum security standards and will potentially expose software companies to liability for flaws in their products.
In a statement announcing the guidance, CISA Director Jen Easterly said: “Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem.”
She added: “These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”
The guidance asks technology creators to build organizational structures that provide executive-level commitment for software manufacturers to prioritize security as a key element of product development.
“Insecure technology products can pose risks to individual users and our national security,” said NSA Cybersecurity Director Rob Joyce in a statement. “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see. The international coalition partnering on this report speaks to the importance of this issue.”