Global security agencies call for secure-by-design, secure-by-default focal points of product design, development processes
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ) published Thursday joint guidance urging software manufacturers to take urgent steps necessary to ship products that are secure-by-design and secure-by-default. The move shifts the balance of cybersecurity risk by using principles and approaches for security-by-design and secure-by-default.
Apart from specific technical recommendations, the guidance outlines several core principles to guide software manufacturers in building software security into their design processes before developing, configuring, and shipping their products.
In the guidance, titled ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default,’ the agencies outlined that “to create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.”
The U.S. security agencies were joined by the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), United Kingdom’s National Cyber Security Centre (NCSC-UK), Germany’s Federal Office for Information Security (BSI), Netherlands’ National Cyber Security Centre (NCSC-NL), Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ) in authoring the guidance.
Many private sector partners have made invaluable contributions toward advancing security-by-design and security-by-default. With this joint guide, the authoring agencies seek to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.
The guidance intends to catalyze progress toward further investments and cultural shifts necessary to achieve a safe and secure future. In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes before developing, configuring, and shipping their products.
The publication includes taking ownership of the security outcomes of their technology products and shifting the burden of security from the customers. A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.
It also looks to embrace radical transparency and accountability—for example, by ensuring vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate. Additionally, the action seeks to build the right organizational structure by providing executive-level commitment for software manufacturers to prioritize security as a critical element of product development.
The guidance said that to create a future where technology and associated products are safer for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.
“Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-Design products start with that goal before development starts,” the document said. “Secure-by-Default products are those that are secure to use ‘out of the box’ with little to no configuration changes necessary and security features available without additional cost.”
Together, the guidance added that these two principles move much of the burden of staying secure to manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues.
The guidance evaluates that it is now more than ever that technology manufacturers must make secure-by-design and secure-by-default the focal points of product design and development processes. Some vendors have made great strides in driving the industry forward in software assurance, while others lag.
The authoring agencies encourage every technology manufacturer to build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions. “Manufacturers are encouraged to take ownership of improving the security outcomes of their customers. Historically, technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense,” it added.
The document said that only “by incorporating secure-by-design practices will we break the vicious cycle of creating and applying fixes. To accomplish this high standard of software security, the authoring agencies encourage manufacturers to prioritize the integration of product security as a critical prerequisite to features and speed to market. Over time, engineering teams will be able to establish a new steady-state rhythm where security is truly designed-in and takes less effort to maintain.”
Reflecting this perspective, the European Union reinforces the importance of product security in the Cyber Resilience Act, emphasizing that manufacturers should implement security throughout a product‘s life cycle to prevent manufacturers from introducing vulnerable products into the market.
“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” Jen Easterly, CISA director, said in a media statement. “These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”
“Insecure technology products can pose risks to individual users and our national security,” according to Rob Joyce, NSA Cybersecurity director. “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see. The international coalition partnering on this report speaks to the importance of this issue.”
“The FBI is committed to identifying ways to better protect our citizens from the agility and versatility of cyber crime, and today’s announcement is a direct example of this,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, said. “Working with our federal and international partners on this cyber security guide provides us with the opportunity to pave the way forward to ensure safety and security in a digitally connected world.”
“Cyber security cannot be an afterthought,” Abigail Bradshaw, head of the Australian Cyber Security Centre, said. “Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry, and the public is vital to putting cyber security at the centre of the technology design process.”
“As our lives become increasingly digital, it is vital technology products are being designed and developed in a way that holds security as a core requirement,” Lindy Cameron, UK National Cyber Security Centre CEO, said. “Our new joint guide aims to drive the conversation around security standards and help turn the dial so that the burden of cyber risk is no longer carried largely by the consumer. We call on technology manufacturers to familiarise themselves with the advice in this guide and implement secure-by-design and by-default practices into their products to help ensure our society is secure and resilient online.”
“The Communications Security Establishment and its Canadian Centre for Cyber Security are proud to be a part of this important effort alongside our international partners,” Sami Khoury, head of Canadian Centre for Cyber Security, said. “We recommend that organizations adopt these secure-by-design and secure-by-default principles, creating safe products for all and ultimately shifting the balance of cyber security risk away from customers. This release is the first step towards creating a more secure technological future for everyone. We look forward to continued work with partners in industry and cybersecurity to implement the recommendations in this important guide.”
“Secure soft- and hardware are the foundation for a secure use of IT products in government, business, and society,” Gerhard Schabhüser, acting president of Federal Office for Information Security Germany, said. “In view of this, the BSI requests manufacturers to consider IT security right from the beginning and to enable users to securely utilise their products by secure configuration settings by default.”
“In a world rapidly digitalizing, citizens should be protected from digital threats,” according to Hans de Vries, director of National Cyber Security Centre Netherlands. “It is important that governments and industry take their responsibility for the security of end-users, with, for example, taking security-by-design and security-by-default as a starting point when developing software.”
“An essential read for organisations wanting to contribute to global cyber resilience,” Rob Pope, director of Computer Emergency Response Team New Zealand, said. “By creating products that are secure, both by design and by default, manufacturers can take much of the burden from end-users. We know many manufacturers are already doing this and hopefully, we can encourage others to take it up. These steps are the cyber equivalent of seatbelts, simple inbuilt default practices that keep people safe. This publication shows that the government of Aotearoa New Zealand is serious about keeping people secure online.”
“Customers should have confidence that technology products are designed with information security as a key factor from the outset, and that security remains a central consideration throughout the product’s lifecycle,” Lisa Fong, deputy director-general of National Cyber Security Centre New Zealand (NCSC-NZ), said. “We recognise the need for governments to work closely with industry and we hope this guidance prompts useful conversations, as well as helping organisations to understand the importance of robust security as a factor when making purchasing decisions.”
The guidance intends to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default. “Toward that end, the authoring agencies seek feedback on this product from interested parties and intend to convene a series of listening sessions to further refine, specify, and advance our guidance to achieve our shared goals,” it added.
Last month, the U.S. Transportation Security Administration (TSA) issued a cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced last October for passenger and freight railroad carriers. The agency calls for developing network segmentation policies and controls to ensure that operational technology (OT) systems can continue to safely operate if an information technology system has been compromised, and vice versa. The amendment is part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners.
A complimentary guide to the who`s who in industrial cybersecurity tech & solutions
Free DownloadRelated
