Federal, International Agencies Release Principles to Enhance Security of Tech Products

A coalition of federal and international security agencies issued guidance on Thursday urging technology manufacturers to revamp the development of their products in a way that prioritizes customer safety and the development of built-in cybersecurity features. 

In a press release, the Cybersecurity and Infrastructure Security Agency said the guidance—which it billed as “the first of its kind”—was crafted “to catalyze progress toward further investments and cultural shifts necessary to achieve a safe and secure future.”

CISA jointly developed the principles alongside the FBI and the National Security Agency, as well as security agencies from the nations that make up the Five Eyes intelligence alliance—Australia, Canada, New Zealand and the United Kingdom—and Germany and the Netherlands. 

The authoring agencies urged technology and software manufacturers “to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.” The guide said that secure-by-design refers to products that “are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data and connected infrastructure,” while secure-by-default “means products are resilient against prevalent exploitation techniques out of the box without additional charge.”

“These secure-by-design and secure-by-default principles aim to help catalyze industry-wide change across the globe to better protect all technology users,” CISA Director Jen Easterly said in a statement. “As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.” 

The guidance outlined a series of steps that software manufacturers can take as they work to implement secure-by-design and -default principles, such as using “a tailored threat model during development to prioritize the most critical and high-impact products” and embracing “radical transparency and accountability” when it comes to disclosing security flaws in their devices. 

The 15-page document also recommended that companies employ a top-down organizational approach when it comes to prioritizing software security, with executive leadership driving adherence to these principles through policies that include “awards for implementing outstanding software security practices or incentives for job ladders and promotion criteria.”

In addition to broader operational shifts, the guide outlined a series of specific tactics that manufacturers can employ to bake secure-by-design and -default principles into their products. These recommendations included, in part, that companies work to employ the use of memory safe programming languages, maintain vulnerability disclosure programs, eliminate default passwords and “ensure that code submitted into products goes through peer review by other developers to ensure higher quality.”

The guidance also recommended that tech manufacturers use the National Institute of Standards and Technology’s Secure Software Development Framework to enable them to “become more effective at finding and removing vulnerabilities in released software, mitigate the potential impact of the exploitation of vulnerabilities and address the root causes of vulnerabilities to prevent future recurrences.”

While the outlined principles are voluntary, the authoring agencies said they hope the guidance will “progress an international conversation about key priorities, investments and decisions necessary to achieve a future where technology is safe, secure and resilient by design and default.”

“If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see,” NSA Cybersecurity Director Rob Joyce said in a statement. “The international coalition partnering on this report speaks to the importance of this issue.”

The release of the principles follows a push by the Biden administration and federal officials in recent months to hold technology manufacturers, rather than consumers, responsible for the security of electronic products and devices. 

The national cybersecurity strategy—which was publicly released by the White House in March—called for tech companies to prioritize security in the development and design of their products and said that lawmakers should craft legislation that seeks “to shift liability onto those entities that fail to take reasonable precautions to secure their software.” 

In a speech at Carnegie Mellon University on Feb. 27, Easterly also called for tech manufacturers to undertake a “fundamental shift” in the way they approach security by implementing a new development model that allows consumers to “place implicit trust in the safety and integrity of the technology products that we use every hour of every day.”

“In place of building effective security from the start, technology manufacturers are using us—the users—as their crash test dummies, and we're feeling the effects of those crashes every day with real world consequences,” she added.