Inside Cybersecurity

April 25, 2024

Daily News

Goldstein: CISA security principles for software intended to be ‘first chapter’ as discussions kick off to get feedback

By Sara Friedman / April 17, 2023

CISA executive assistant director for cyber Eric Goldstein says the initial set of principles jointly released with international partners on secure-by-design and security-by-default are intended to be a starting point and there will be opportunities for stakeholders to weigh in on next steps.

The principles were developed in response to CISA Director Jen Easterly’s remarks at Carnegie Mellon where she pushed technology manufacturers to implement secure-by-design practices in order to shift the responsibility for security away from consumers.

“We received a really clear ask from the community to get more specific and begin an international conversation about what secure-by-design and -default really look like,” Goldstein said in an interview with Inside Cybersecurity.

Goldstein said, “We wanted to begin that conversation by publishing an initial set not just from the United States but our partners in Canada, the UK, Australia, New Zealand, Germany, and Netherlands about what our governments think is a starting point for technology that is secure-by-design and secure-by-default to begin that international conversation.”

Goldstein said, “And so although we did get feedback from practitioners in developing fields as we thought through these principles, and that’s been an ongoing dialogue over the past year, our goal is that this document is a first chapter in this conversation.”

However, stakeholders pushed back in conversations with Inside Cybersecurity on industry weigh-in on the principles ahead of their release last week.

“I heard from a lot of members of the Cybersecurity Coalition and IT industry that they thought the project had a lot of potential. And I think putting out this guidance without a public comment period or discussing this with leaders in the IT sector is laying some of that potential aside and is unfortunate,” said Ari Schwartz, coordinator of the Cybersecurity Coalition.

Schwartz said, “There’s questions as to why they chose some pieces of NIST SSDF [Secure Software Development Framework] above others and there’s not clear reasoning behind that.” There’s a lot in the document that “industry can get behind,” Schwartz said, while emphasizing that there needs to be “a lot of discussion about it, especially because all of this needs to be done voluntarily.”

One source called the principles publication “problematic in how it is presented” and said, “It is not clear to me what are companies supposed to do with this and what governments are hoping will be done with this stuff. Is it guidance? Is it requirements? Is it going to lead to legislation? I think there are fair questions to ask about that kind of stuff.”

Goldstein told Inside Cybersecurity, “We are going to be doing a series of listening sessions including several at the RSA conference [next week] with the goal of publishing a new version of this document, or subordinate documents that focus on specific areas that incorporate that feedback from the community. And we’ve been really excited by the feedback that we’ve gotten so far.”

Goldstein said CISA has received support from Google, former UK National Cyber Security Centre chief Ciaran Martin and “security leaders at companies like Microsoft” who call the publication “a really critical step forward.”

“Now,” Goldstein said, “let’s begin the work of refining it, building it out and putting it into action. All that to say stakeholder feedback is critical to this work. This document enables us to get that feedback by a public and transparent way [to] enable this conversation and we are really looking forward to that dialogue in the weeks and months to come.”

Rebalancing who is responsible for security is a key part of the national cyber strategy. However, Goldstein said CISA isn’t interested in moving toward regulation with the release of the principles.

Goldstein said, “At CISA, we believe that if we get more specific on what secure-by-design and secure-by-default means that’s going to allow technology providers, who of course want to provide safe products to their customers, to adopt the right practices to maximize safety of their products. And it is going to enable customers to ask the right questions of their providers to ensure they understand the security risks or controls in the products they are purchasing.”

The goal is to develop guidance that “can enable market-driven solutions that improve the baseline of developing product safety in the absence of broader changes in the current regime,” Goldstein said.

More tailored guidance will be released, Goldstein said. The initial document was released to “begin this conversation, to say this is a starting point for the conversation,” Goldstein said. “We know it is always easier to start with text on a page. Let’s get reactions, let’s talk about it, have the rigorous debate and refine it from there.”

Goldstein said, “Our goal is both to publish new versions of this guidance that gets increasingly specific, increasingly actionable as well as to consider separate guidance documents that go deeper in some of the topics [explained] in this product.” He pointed to memory safety as one area where CISA realizes more guidance and “more ideas may be needed.”

The document relies heavily on the NIST SSDF, which is well received by stakeholders but also raises questions from sources on why CISA decided to highlight certain elements over others such as a Software Bill of Materials.

Goldstein said, “NIST SSDF is the canonical set of practices to achieve a reasonably secure software product. We want to make sure at CISA we are driving adoption of the SSDF, we are driving alignment with the SSDF and we would certainly never do anything that would conflict with the SSDF.”

Goldstein said, “Our goal with this document is to be very clear with the principles and outcomes we seek and then in alignment with the SSDF, the practices we think could make some of the greatest impact towards achieving those outcomes.”

Stakeholders told Inside Cybersecurity that the principles are ambitious, while also expressing concerns on implementation.

Chris Wysopal, co-founder and CTO of Veracode, commented, “CISA and its government and international partners are laying the foundation, giving manufacturers guidance to take the necessary step to ship products that are secure-by-design and -default.”

Wysopal added, “Secure by design should be measurable to ensure the activities performed produce the desired result and can be optimized. And there must be transparency, meaning vendors must be able to describe their secure development process and security mechanisms used to regulators and customers.” -- Sara Friedman (sfriedman@iwpnews.com)