U.S. Officials Say Tech Companies Must Build Secure Products


This article was licensed through Dow Jones Direct. The article was originally published on Dow Jones Institutional News.

The White House has a strong message for software makers and service providers: cybersecurity is your problem, too.

Tech providers, not just buyers, must take responsibility for ensuring their products are protected from cyberattacks, senior U.S. cyber officials said at an event 27th October.

National Cyber Director Chris Inglis said he favors applying "the lightest possible touch" to define what essential security elements are and that users must shoulder some of the burden to ensure they are using software or services safely. But ultimately, he said, accountability for security must be shared.

"Everyone agrees, I think, that the first and last line of defense can't be the user at the end of that supply chain. We have to push some responsibility along that supply chain," he said, speaking at an event hosted by the Center for Strategic and International Studies, a policy think tank.

Past cybersecurity shocks such as the vulnerability in the open-source software Log4j disclosed in December show simply reacting to events isn't ideal, Mr. Inglis said. "If we respond that way, excellently, time after time, we just lose more slowly."

Instead, Mr. Inglis said, technology must be secure by design, so that even if situations such as the Log4j vulnerability do occur, they can be caught and contained at the earliest possible moment. The flaw's discovery set off a scramble among security teams just before Christmas to identify and patch applications that contained the code amid stark warnings from cyber officials that the problem was extremely serious.

The White House, since the start of the Biden administration, has pushed federal agencies to improve many aspects of their security. This includes creating so-called software bills of materials, which list the components used in applications and can shorten response times when vulnerabilities arise. The government is now turning its attention to cyber standards within parts of the private sector.

Cyber safety labels, modeled on the federal Energy Star program that certifies buildings and equipment as energy efficient, will force companies that make internet-connected consumer and business products to meet minimum security standards, Anne Neuberger, the White House's deputy national security adviser for cyber and emerging technology, said.

Ultimately, the effort will improve cyber risk and resilience in financial services, energy, aviation and other critical infrastructure sectors, she said, speaking on the same panel as Mr. Inglis.

Ms. Neuberger likened the potential impact of the program to when restaurants began displaying the grades they received from health departments in their windows.

"That gave consumers a very rapid way to decide: Which restaurant am I going to? It certainly wasn't the one with the 'C' rating. We're trying to do the same for your smart TV," she said.

Ms. Neuberger said tech providers must make fundamentally secure products, starting at the earliest design phases, at no extra cost to buyers. Responsibility for securing products can't be the user's alone, she said.

She pointed to cloud computing as an area where responsibility for security should be better shared among providers and customers.

Traditionally, major cloud operators have tended to operate shared responsibility models where they are responsible for ensuring that their technology is secure, but users are responsible for the data they put into the cloud and how safeguards are configured. That relationship should be reassessed, she said.

"If you're a provider of tech, you're responsible for providing a baseline of security in that tech," she said.


James Rundle

The Wall Street Journal