Director of CISA, Jen Easterly emphasizes the need for companies to prioritize product safety over speed and advocates for software to be "secure by design." This is just one of many policy changes that demonstrate the government's commitment to cybersecurity improvement.
CISA was founded in November 2018 under the US Department of Homeland Security. The agency's main goals include improving federal cybersecurity and coordinating cybersecurity plans and policies across states.
In light of the recent rise in cybersecurity incidents, CISA has been more active. Their director, Jen Easterly, has gone on the offensive, warning that companies should stop passing the buck onto consumers, accusing them of prioritizing speed over security, saying “[a]s software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else”. Going forward, she says, software should be “secure by design”.
To enact this, the White House released a National Cybersecurity Strategy implementation plan, proposing developing a framework for providing safe harbor for those who comply and litigation for those who do not. At a speech at Carnegie Mellon University, Director Easterly acknowledges “[c]ompanies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.”
To achieve this, at least in part, the Federal Government will develop broad guidelines and subsequently use its purchasing power to improve accountability among software developers (Section 3.3.1).
Easterly has also spoken on the need for more cybersecurity reporting, an idea codified into law under CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act). This bill, which is co-enforced by CISA and the FBI, will require cyber incidents on critical infrastructure to be reported no later than 72 hours after they occur, and for ransomware payments to be reported within 24 hours after delivery. Next week, #federalfridays will dive deeper into Cyber Incident Reporting for Critical Infrastructure Act, a policy that has broad consequences on the duties of those experiencing a cybersecurity event.
The Federal Government is clear that cybersecurity improvement is a core priority of defending the United States. The implications of these policy changes will be wide-reaching and have both intended and unintended effects.
This post is part of DAR's "Federal Fridays" series. Be sure to follow DAR on LinkedIn for the latest updates!