U.S. launches secure software push with new guidelines
A big group of international agencies gives a how-to on secure-by-design, secure-by-default
Software manufacturers should put an end to default passwords, write in safer programming languages and establish vulnerability disclosure programs for reporting flaws, a collection of U.S. and international government agencies said in new guidelines today.
The “principles and approaches” document, which isn’t mandatory but lays out the agencies’ views on securing software, is the first major step by the Biden administration as part of its push to make software products secure as part of the design process, and to make their default settings secure as well.
It’s part of a potentially contentious multiyear effort that aims to shift the way software makers secure their products. It was a key feature of the administration’s national cybersecurity strategy, which was released last month and emphasized shifting the burden of security from consumers — who have to manage frequent software updates — to the companies that make often insecure products.
“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a statement. “These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”
On the U.S. side, CISA, the National Security Agency and the FBI collaborated on the guidance. Security agencies in Australia, Canada, the United Kingdom and New Zealand — all the members of the Five Eyes intelligence alliance — and Germany and the Netherlands also collaborated on it.
According to the principles document, the end goal is: “To create a future where technology and associated products are safer for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers.”
- “Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-Design products start with that goal before development starts.”
- “Secure-by-Default products are those that are secure to use ‘out of the box’ with little to no configuration changes necessary and security features available without additional cost.”
The guidelines include broad components, like making sure high-level executives embrace secure-by-design and secure-by-default principles. But they also include specific steps, like using memory-safe languages, conducting rigorous code reviews and considering ease of use for consumers.
The target audience for the guidelines is not just technology providers, but also customers so they know the right questions to ask when purchasing software, Eric Goldstein, CISA’s executive assistant director, told me. But the authors also want the entire technology landscape — nonprofits, universities, standards-developing bodies and more — to see it as well, Bob Lord, a senior technical adviser at CISA, told me.
This is only the beginning of the discussion, Goldstein and Lord said. While the agencies shared the guidelines in advance with a small number of tech firms, the idea is to have some “listening sessions” with industry to take feedback, then revise the document. Those could come as soon as later this month at the massive RSA cybersecurity conference in San Francisco.
Future steps also could include training sessions, workshops and other ways to connect pieces of the larger tech world for collaboration on these subjects.
- “That would be one of the major marks of success in my book,” Lord said.
The administration has also raised the prospect of legislation on secure-by-design and secure-by-default, but officials have said it could be years away.
CISA is touting the release of the guidance as a significant milestone in the history of the agency and software security. “This is the first time that either CISA, or any of the other cyberdefense agencies around the world, have put out this kind of guidance,” Goldstein said. It’s something to use as a “springboard to further both amplify and deepen our guidance in this area, to make it much clearer what reasonable expectations are for safe and secure products,” he said.
Easterly and Goldstein have held up Google as an example of instituting secure-by-design and secure-by-default practices. “I’m excited about” the guidance, Royal Hansen, vice president of privacy, safety and security engineering at Google, told me.
For smaller companies, “in some ways, it will be hard” to implement the guidance, he said. But the high bar it sets is “part of what I admire about it,” because of the consensus it required among nations, he said. “There’s more detail to work out and what it means for different groups because I don’t think you can look at it and say, ‘It’s exactly the same for every actor in the ecosystem.’”
The Atlantic Council’s Cyber Statecraft Initiative has praised the Biden administration’s desire to address economic incentives for insecurity. Right now, the costs of cyberattacks fall on users more than they do tech providers, according to many policymakers.
“They’re on a righteous mission,” Trey Herr, director of the Atlantic Council initiative, told me. If today’s guidelines are the beginning of the discussion on secure-by-design and secure-by-default, Herr said, “this is a really strong start, and an important one.”
Still, at least two elements of the document are likely to cause some consternation within industry, he said.
- “It really takes aim at security features as a profit center,” which for some companies has led to a lot of financial growth, Herr said. “I do think that’s going to rub people the wrong way and quick, but that’s good. That’s a good fight.”
- The calls for companies to “internalize the costs of longer and more complex development timelines,” as Herr put it, also could ruffle some feathers.
Herr said that additional steps that would be good include further conversations with companies about what they’re doing, and are capable of doing. He also said he’d like to see a more explicit statement of how U.S. agencies are going to specifically work together to address these topics as an enforcement problem. “It’s not actionable yet,” he said.
State Department upping efforts to counter Russian disinformation campaigns
The State Department is stepping up efforts to push back against Russian disinformation campaigns as it seeks to help allies abroad shutter sites that spread potentially false information, Michael R. Gordon and Dustin Volz report for the Wall Street Journal.
Earlier this week, a senior U.S. envoy outlined proposals with Balkan governments to help them identify and call out Russian and Chinese disinformation sites in hopes of shutting them down, the report says.
“The Balkans have long been an information battleground,” Gordon and Volz write. “Moscow has sought to exploit the traditional affinity between Serbian communities and the Russians as well as lingering divisions over the breakup of Yugoslavia and North Atlantic Treaty Organization interventions to protect Kosovo and quell the ethnic strife in Bosnia.”
U.S. proposes new abortion data privacy protections
The Biden administration proposed a sweeping set of rules aimed at protecting reproductive health-care data in an effort to protect those seeking legal abortions from prosecutors of states with strict abortion laws, Tonya Riley reports for CyberScoop.
“The actions include a newly proposed Health and Human Services rule to strengthen existing privacy protections under the Health Insurance Portability and Accountability Act by prohibiting doctors and health care providers from disclosing information related to reproductive health care for the purposes of investigating, prosecuting or suing an individual for a legal abortion,” Riley writes.
Currently, HIPAA does not have protections in place for patients’ health data when it is requested by law enforcement, and the proposals would codify guidance provided by the administration last year that prevents law enforcers from obtaining sensitive health data.
The Biden administration’s announcement comes in the wake of the Supreme Court’s overturning of Roe v. Wade. Experts fear that law enforcement officials from states that have adopted stricter abortion rules could try to prosecute residents who seek an abortion in another state, using their electronic health data or other online data.
U.S. documents leaker worked on military base, according to friend
A member of a small Discord server, known to other members as “OG,” is responsible for the leaks of sensitive U.S. military documents that have revealed new details about America’s spying efforts and the war in Ukraine, among other things, our colleagues Shane Harris and Samuel Oxford report.
About half of the Discord group of approximately 25 active members were foreign citizens who saw the documents, a member of the group said. Sharing them defied the warnings printed on the papers that their contents could not be disclosed to foreign nationals because of their high sensitivity. The server included people from Europe, Asia and South America, Shane and Samuel report.
- “He’s a smart person. He knew what he was doing when he posted these documents, of course. These weren’t accidental leaks of any kind,” a member of the group told our colleagues.
“For years, U.S. counterintelligence officials have eyed gaming platforms as a magnet for spies,” Shane and Samuel write. “Russian intelligence operatives have been suspected of befriending gamers who they believe work for intelligence agencies and encouraging them to divulge classified information, a senior U.S. official said, speaking on the condition of anonymity to discuss sensitive information.”
More on the Discord leaks: Our colleague Drew Harwell writes that the leak marks a shift in the way information spreads, moving from closed-off, lightly monitored social media spaces out to the feeds of mainstream social platforms.
- Your Cybersecurity 202 host speaks with CISA Director Jen Easterly at the Axonius Federal Systems Adapt 2023 forum at 11 a.m.
- The Carnegie Endowment for International Peace holds an event discussing digital public infrastructure at 11:45 a.m.
- Stanford University’s Center on Philanthropy and Civil Society convenes a panel discussing the adoption of surveillance technologies in the United States at 6 p.m.
Thanks for reading. See you next week.