CISA Director Calls Out Industry Using Consumers as Cyber 'Crash Test Dummies'

Technology companies need to take more responsibility for the safety and security of their products to better protect consumers from cyber threats, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said during a speech at Carnegie Mellon University on Monday. 

The remarks came after Easterly and Eric Goldstein, CISA’s executive assistant director for cybersecurity, wrote a Feb. 1 article for Foreign Affairs that warned that “the incentives for developing and selling technology have eclipsed customer safety in importance.”

In her speech, Easterly said that the lack of built-in safety features in today’s products and devices is helping to facilitate crippling cyber and ransomware attacks—which have been affecting consumers and school districts, pipelines and hospitals alike in recent years—calling these intrusions “a symptom, rather than a cause, of the vulnerability that we face as a nation.”

“The cause, simply put, is unsafe technology products,” she added. “And because the damage caused by these unsafe products is distributed and spread over time, the impact is much more difficult to measure.”

Instead of putting the cybersecurity burden fully on consumers, Easterly called for a “fundamental shift” in thinking that pushes technology and software manufacturers to emphasize safety and security during the production and design of their products, rather than forcing users to fend for themselves or have to spend additional money to safeguard their data.

Easterly compared the technology sector to the automobile industry before now-standard safety features were added to vehicles, saying that the belief during the 20th century that car accidents were largely the result of bad driving “is very similar to the way we often blame a company today that has a security breach because they didn't patch a known vulnerability.”

“In place of building effective security from the start, technology manufacturers are using us—the users—as their crash test dummies, and we're feeling the effects of those crashes every day with real world consequences,” she said. 

To promote the development of products that prioritize customer safety, Easterly called for the implementation of “a new model”—one that allows for consumers to “place implicit trust in the safety and integrity of the technology products that we use every hour of every day.”

As part of the agency’s effort to push the tech sector to be more proactive when it comes to cybersecurity, Easterly said that CISA is “working to lay out a set of core principles for technology manufacturers to build product safety into their processes to design and implement and configure and ship and maintain their products.”

These planned principles include ensuring that tech companies “take ownership of the security outcomes” of their customers, are working to embrace “radical transparency to disclose and ultimately help us better understand the scope of consumer safety challenges” and are focusing on building safe products that can be “updated to be both secure by design and secure by default.”

Easterly said that security by design also includes having companies transition to memory safe languages, implement transparent vulnerability disclosure policies and maintain secure coding practices. 

“In short, strong security has to be a standard feature of virtually every technology product, and especially those that support the critical infrastructure that Americans rely on,” she added. “Daily technology must be purposefully designed and developed and built and tested to significantly reduce the number of exploitable flaws before they're introduced into the market for broad use.”

Beyond pushing the tech industry to prioritize cybersecurity when developing new products and devices, Easterly said that—under the new model that she outlined—the federal government also has an important role to play “in both incentivizing these outcomes and operationalizing these principles.” But she added that, while regulation is “one tool” that federal officials can employ, “it is not a panacea.”

But Easterly did say that one powerful way for the government to drive better security outcomes “is through our purchasing power.” She said that the White House is moving toward this goal “through the implementation of the initiatives called for in the president's 2021 cybersecurity executive order, such as developing federal acquisition regulations around cybersecurity.”

“The Biden administration has already taken important steps toward this goal in establishing software security requirements for federal contractors, and undertaking an effort to adopt security labels for connected consumer devices, like baby monitors and webcams,” she added.