San Francisco – More than 60 private companies, including technology giants such as Google, Microsoft, Cisco, IBM, and Amazon Web Services, have publicly committed to placing greater emphasis on cybersecurity in their technology design processes.
The pledge was formally announced Wednesday at a signing event at the RSA Conference hosted by the Cybersecurity and Infrastructure Security Agency. Over the past decade, foreign governments, ransomware attackers, and cybercriminals have preyed on governments and businesses primarily by exploiting products with insecure software and hardware, and with security features that are either not enabled by default or sold as premium add-ons. In response, CISA has launched a large-scale campaign to encourage the development of more resilient products.
“Everyone in this room not only feels but is acutely aware of the great urgency and importance of developing new, or retrofitting old, technology and software with security at the center of consideration,” said CISA Director Jen Easterly.
In addition to major technology companies, dozens of prominent software, hardware, and cybersecurity companies have also signed on to this commitment, including Palo Alto Networks, Lenovo, BlackBerry, Hewlett-Packard, GitHub, Ivanti, and CrowdStrike.
Signers have committed to taking, over the next year, a series of steps to reduce vulnerabilities in their products, including enabling multi-factor authentication and other forms of phishing-resistant authentication by default, and reducing the use of default or hard-coded passwords. The pledge also calls on software providers to make a dedicated effort to reduce the prevalence of commonly exploited classes of vulnerabilities and to increase the number of customers who install security patches promptly.
The companies will also be more transparent about disclosing security vulnerabilities through official channels, publish vulnerability disclosure policies to support third-party security researchers who investigate their systems, and strengthen logging capabilities so that customers can better detect when they have experienced a breach or intrusion.
Increasing logging capabilities is of particular importance to the federal government. Last year, in a breach of Microsoft by a group of China-linked threat actors known as Storm 0558, emails were stolen from senior officials at the State and Commerce departments ahead of a high-level meeting between the White House and China.
The scope of this breach was obscured by the lack of built-in logging functionality in Microsoft's standard commercial products, with enhanced logging available only to premium customers. The breach was the subject of intense review last month by the Cyber Security Review Board, which concluded that the incident was preventable and was caused by the company's failure to prioritize security properly.
But the problem extends far beyond any single company or provider. Former NSA Cybersecurity Director Rob Joyce mentioned the breach in an RSA presentation on Wednesday, saying that as more companies move their data to cloud environments, many providers have introduced policies that wipe security logs after 90 days, 60 days, or even 15 days, making it increasingly difficult to monitor for signs of malicious activity.
“Frankly, we've lost some of the visibility into our environment, so now we have to trust the cloud,” Joyce said. “You may not have access to all the logs your provider has.”
Because the pledge is voluntary, there is some skepticism about how far some companies will go in implementing its principles, but CISA officials say they are committed to measuring the progress of the signatories.
Other officials said achieving broad consensus on the issue is an important and necessary step toward building a more durable culture of security within the U.S. technology industry. Lauren Zabierek, CISA's senior cybersecurity policy advisor, said CISA sees this effort as the beginning, not the end, of a collaborative process between government and industry, and likened it to earlier efforts by safety advocacy groups to make seat belts and other safety features standard in automobiles.
“Before we could build a safer car, we had to believe in the idea of a safer car,” Zabierek said. “And that's what we want from technology.”