CISA Director: Tech industry should infuse security at product design stage
Dive Brief:
- Cybersecurity and Infrastructure Security Agency Director Jen Easterly called on the technology industry to incorporate more security into their products at the design stage, while speaking at the Billington Cybersecurity Summit in Washington D.C. Wednesday.
- The call comes at a time of heightened concerns about attacks against critical infrastructure and essential services in recent years. Federal agencies have made a recent push to encourage developers and critical infrastructure providers to incorporate more resilience at the design stage, making them better able to withstand malicious attacks.
- Easterly said CISA plans to issue a request for information regarding new incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires prompt notification of major cyberattacks. Easterly also announced plans for a national listening tour, which would involve 11 separate sessions to generate feedback from local communities.
Dive Insight:
Easterly acknowledged the nation is in a very intense threat environment with a number of recent challenges, including the Log4j vulnerability and other security concerns. However, by working together against sophisticated adversaries, Easterly argued the U.S. can make it very expensive and uncomfortable for threat actors to launch major attacks against the nation.
“Attackers have budgets too,” Easterly said. “We have to work together to make sure we are increasing the marginal cost of their investment.”
Easterly, followed by National Cyber Director Chris Inglis, kicked off the first post-pandemic reunion at the summit, where key cybersecurity leaders from the federal government gathered with private industry security leaders and other key stakeholders.
CISA’s director praised Biden administration efforts to make cybersecurity a national priority. Those efforts were fueled in large part by catastrophic events like the SolarWinds supply chain attack, attributed to a Russia-backed threat actor, as well as by a series of major ransomware attacks against critical infrastructure providers, including Colonial Pipeline and meat supplier JBS USA
Easterly also said the aim is to develop a real partnership with private industry, encourage greater interaction between various government agencies and facilitate more collaboration with foreign allies.
A stakeholder call was scheduled for this afternoon with cybersecurity counterparts at the National Cyber Security Centre in the U.K., said Easterly. The U.K. has dealt with recent ransomware attacks against the National Health Service and a large water supplier.
Gloss