CISA explains why it doesn’t call out tech vendors by name

Summary: This content discusses the approach of the Cybersecurity and Infrastructure Security Agency (CISA) in addressing fundamental errors made by technology vendors that impact customers.

Threat Actor: N/A
Victim: N/A

Key Points:

  • CISA believes that they can make a greater impact by discerning and generalizing the mistakes made by technology vendors, rather than calling them out individually.
  • CISA emphasizes the importance of partnerships with technology companies to secure the ecosystem and protect national security.
  • CISA is not a regulator or law enforcement agency, but a partnership agency that relies on collaboration with its partners.

SAN FRANCISCO — The Cybersecurity and Infrastructure Security Agency isn’t inclined to call out technology vendors when their fundamental errors impact customers — officials contend they can make a greater impact by discerning and generalizing those mistakes for a broader audience.

“We have to use multiple levers to be able to secure an ecosystem that for years, for decades has been broken,” CISA Director Jen Easterly said Tuesday in a media briefing at the RSA Conference.

“It requires things like calling out companies when companies clearly do things that can damage national security, but it also requires real partnerships with these companies,” Easterly said. “We’re not a regulator, we’re not a law enforcement agency, we are a partnership agency whose success is very much predicated on working by, with and through partners.”

The Cyber Safety Review Board’s report last month about a China-affiliated threat group’s intrusion and compromise of Microsoft Exchange accounts in May 2023 is a clear and recent example of the federal government calling out a specific vendor for its security failings.

Yet the stinging conclusions and criticism the CSRB levied against Microsoft are the exception, not the norm.

The Department of Homeland Security and CISA stood up the 15-member board with a mix of government officials and cybersecurity experts in February 2022. Four private sector executives joined the board earlier this month to replace departing members.

Last month’s CSRB report was the first on a specific vendor — the two previous reports focused on the Log4j vulnerability and the Lapsus$ ransomware group.

The most recent CSRB report exemplifies how a vendor’s business decisions led to insecure and harmful outcomes for its customers, said Eric Goldstein, executive assistant director for cybersecurity at CISA.

“It’s also the case that a given insecure decision by a vendor is likely generalizable across a class of vendors,” Goldstein said.

For CISA, this comes in the form of the agency’s secure by design alert series, which distills specific vulnerabilities and malicious activities into a more widely applicable message and call to action for vendors.

These alerts allow CISA to highlight where businesses can make decisions differently for the good of security at large, Goldstein said.

“We are working to generate a secure-by-demand signal where customers will know what to ask for,” Goldstein said. “That’s actually a more effective way of driving scalable change than just pointing out a single vendor that might be emblematic of a problem.”

CISA leaders aren’t keen to publicly judge or criticize technology vendors by name, in part because many companies are saddled with legacy technology and investment decisions that prioritized speed to market and features, not security.

No CISO wants to be responsible for a major breach or intrusion on the federal civilian executive branch — they all want to create secure products but they’re dealing with decades of business decisions that paid less attention to security, Easterly said.

Source: https://www.cybersecuritydive.com/news/cisa-doesnt-criticize-vendors/715668