CISA Director Calls Out Industry Using Consumers as Cyber 'Crash Test Dummies'

Jen Easterly, Director of the Homeland Security Cybersecurity and Infrastructure Security Agency, testifies during her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee on June 10, 2021 in Washington, DC.

Jen Easterly, Director of the Homeland Security Cybersecurity and Infrastructure Security Agency, testifies during her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee on June 10, 2021 in Washington, DC. Kevin Dietsch/Getty Images

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Edward Graham By Edward Graham,
Staff Reporter, Nextgov

By Edward Graham

|

The head of the Cybersecurity and Infrastructure Security Agency said technology companies need to be more proactive when it comes to promoting safety and security.

Technology companies need to take more responsibility for the safety and security of their products to better protect consumers from cyber threats, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said during a speech at Carnegie Mellon University on Monday. 

The remarks came after Easterly and Eric Goldstein, CISA’s executive assistant director for cybersecurity, wrote a Feb. 1 article for Foreign Affairs that warned that “the incentives for developing and selling technology have eclipsed customer safety in importance.”

In her speech, Easterly said that the lack of built-in safety features in today’s products and devices is helping to facilitate crippling cyber and ransomware attacks—which have been affecting consumers and school districts, pipelines and hospitals alike in recent years—calling these intrusions “a symptom, rather than a cause, of the vulnerability that we face as a nation.”

“The cause, simply put, is unsafe technology products,” she added. “And because the damage caused by these unsafe products is distributed and spread over time, the impact is much more difficult to measure.”

Instead of putting the cybersecurity burden fully on consumers, Easterly called for a “fundamental shift” in thinking that pushes technology and software manufacturers to emphasize safety and security during the production and design of their products, rather than forcing users to fend for themselves or have to spend additional money to safeguard their data.

Easterly compared the technology sector to the automobile industry before now-standard safety features were added to vehicles, saying that the belief during the 20th century that car accidents were largely the result of bad driving “is very similar to the way we often blame a company today that has a security breach because they didn't patch a known vulnerability.”

“In place of building effective security from the start, technology manufacturers are using us—the users—as their crash test dummies, and we're feeling the effects of those crashes every day with real world consequences,” she said. 

To promote the development of products that prioritize customer safety, Easterly called for the implementation of “a new model”—one that allows for consumers to “place implicit trust in the safety and integrity of the technology products that we use every hour of every day.”

As part of the agency’s effort to push the tech sector to be more proactive when it comes to cybersecurity, Easterly said that CISA is “working to lay out a set of core principles for technology manufacturers to build product safety into their processes to design and implement and configure and ship and maintain their products.”

These planned principles include ensuring that tech companies “take ownership of the security outcomes” of their customers, are working to embrace “radical transparency to disclose and ultimately help us better understand the scope of consumer safety challenges” and are focusing on building safe products that can be “updated to be both secure by design and secure by default.”

Easterly said that security by design also includes having companies transition to memory safe languages, implement transparent vulnerability disclosure policies and maintain secure coding practices. 

“In short, strong security has to be a standard feature of virtually every technology product, and especially those that support the critical infrastructure that Americans rely on,” she added. “Daily technology must be purposefully designed and developed and built and tested to significantly reduce the number of exploitable flaws before they're introduced into the market for broad use.”

Beyond pushing the tech industry to prioritize cybersecurity when developing new products and devices, Easterly said that—under the new model that she outlined—the federal government also has an important role to play “in both incentivizing these outcomes and operationalizing these principles.” But she added that, while regulation is “one tool” that federal officials can employ, “it is not a panacea.”

But Easterly did say that one powerful way for the government to drive better security outcomes “is through our purchasing power.” She said that the White House is moving toward this goal “through the implementation of the initiatives called for in the president's 2021 cybersecurity executive order, such as developing federal acquisition regulations around cybersecurity.”

“The Biden administration has already taken important steps toward this goal in establishing software security requirements for federal contractors, and undertaking an effort to adopt security labels for connected consumer devices, like baby monitors and webcams,” she added.

NEXT STORY: CISA Seeks Private Sector Support for Cybersecurity Risk Management

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.