A User-Centric Zero Trust Architecture is One Step Closer

October 14, 2024

by Dr. Sarbari Gupta

For many years, cybersecurity initiatives focused on protecting the IT systems of organizations and the data they held. User security was an afterthought, if considered at all. In my December 2020 TEDx talk “Building a Cyber World That Protects the User as a High Value Asset,” I urged the cybersecurity community to recognize the user as a high-value asset who requires multi-layered protection. I proposed a shift from protecting networks to a user-centric zero trust architecture mindset.

Recently, I was pleased to learn that the Cybersecurity and Infrastructure Security Agency (CISA) is taking steps toward righting the imbalance I saw: putting the onus for security on technology manufacturers and focusing on user security. In April 2023, CISA began promoting Secure by Design, a new model for technology manufacturers. It later began offering manufacturers of enterprise software products and services the opportunity to sign a voluntary pledge that demonstrates their commitment to shipping products that are secure out of the box.

WHAT IS SECURE BY DESIGN?

Secure by Design seeks to make technology manufacturers responsible for security rather than relying on end users. The paradigm elevates customer security to the level of an essential business requirement rather than a mere product feature.

Much like DevSecOps, Secure by Design applies security during product development rather than later in the lifecycle: a concerted effort is made to identify security weaknesses and correct them during the earliest phases of product design. Further, user-facing security features such as MFA, SSO, passkey support, and security logging are treated as business requirements and shipped as part of the base product rather than as optional extras.

WHAT IS THE SECURE BY DESIGN PLEDGE?

So, how can one identify which enterprise software manufacturers offer products that conform to Secure by Design principles? CISA offers manufacturers in this sector the opportunity to voluntarily sign a Secure by Design Pledge and have their company name listed on the CISA website as a pledge signer.

The pledge comprises seven goals that manufacturers commit to work toward, along with criteria for meeting each goal and measuring progress. Manufacturers have the flexibility to adopt alternate approaches that meet the core criteria. They also have the option to apply the pledge to all or only some of their products. If only select products fall under the pledge, the manufacturer is expected to publish a plan for bringing its other products into conformance with the pledge's goals.

Within one year of signing, the manufacturer is expected to demonstrate measurable progress toward the seven goals. Simply stated, the manufacturer must take measurable actions to:

  1. Increase the use of MFA.
  2. Reduce default password use.
  3. Reduce the prevalence of one or more vulnerability classes.
  4. Increase customer installation of security patches.
  5. Create and publish a vulnerability disclosure policy.
  6. Provide transparency in vulnerability reporting.
  7. Increase customers’ ability to gather evidence of cybersecurity intrusions affecting its products.

To illustrate both a recommended approach and a way of capturing progress, CISA offers the following for increasing the use of MFA:

  • Enabling MFA by default for users and administrators.
  • Installing “seat belt chimes” to encourage users to enable MFA.
  • Having the baseline product support standards-based SSO, giving users the capability to configure MFA with their own identity provider.

Potential ways to capture measurable progress include publishing:

  • Aggregate statistics on MFA adoption, broken down by user type and by MFA method.
  • A blog post detailing progress attained to date and identifying the barriers to MFA adoption that still exist.
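The adoption metrics and "seat belt chime" nudges above are easy to describe but only useful if a product actually measures them. The script below is an added example, not CISA's or any pledge signer's code: it takes a constructed export of user accounts (the field names `user`, `role`, `factors` and `sso` are assumptions for this example), classifies each account by its strongest enrolled MFA method, aggregates adoption by role and by method type as the pledge's measurement guidance suggests, and lists the accounts that should receive a chime. The strength ranking that treats FIDO2/passkey/PIV as phishing-resistant and SMS as weakest is this example's own assumption, not a CISA table.

```python
"""MFA adoption metrics for a Secure by Design pledge signer (goal 1).

Added example, not CISA's or any vendor's code. ACCOUNTS is constructed
sample data; the record fields and the STRENGTH ranking are assumptions.
"""
from collections import Counter, defaultdict

# Strength of each MFA method. 3 = phishing-resistant (FIDO2/WebAuthn
# passkeys, PIV smart cards), 2 = OTP/push, 1 = SMS. Example's assumption.
STRENGTH = {"fido2": 3, "passkey": 3, "piv": 3, "totp": 2, "push": 2, "sms": 1}
PHISHING_RESISTANT = 3

# Constructed sample export from a hypothetical product's user store.
ACCOUNTS = [
    {"user": "alice", "role": "admin", "factors": ["fido2", "totp"], "sso": True},
    {"user": "bob",   "role": "admin", "factors": [],                "sso": False},
    {"user": "carol", "role": "user",  "factors": ["sms"],           "sso": False},
    {"user": "dave",  "role": "user",  "factors": ["totp"],          "sso": True},
    {"user": "erin",  "role": "user",  "factors": [],                "sso": False},
    {"user": "frank", "role": "user",  "factors": ["passkey"],       "sso": True},
]


def strongest_factor(factors):
    """Return the strongest enrolled method, or None if no MFA is enrolled.
    Unknown method names are ignored rather than silently counted as MFA."""
    known = [f for f in factors if f in STRENGTH]
    if not known:
        return None
    return max(known, key=STRENGTH.__getitem__)


def adoption_report(accounts):
    """Aggregate adoption by role: totals, MFA count, phishing-resistant
    count, accounts using standards-based SSO, and a per-method breakdown
    keyed by each account's strongest method ("none" if unenrolled)."""
    report = defaultdict(lambda: {"total": 0, "mfa": 0, "phishing_resistant": 0,
                                  "sso": 0, "by_method": Counter()})
    for acct in accounts:
        row = report[acct["role"]]
        row["total"] += 1
        if acct["sso"]:
            row["sso"] += 1
        best = strongest_factor(acct["factors"])
        if best is None:
            row["by_method"]["none"] += 1
            continue
        row["mfa"] += 1
        row["by_method"][best] += 1
        if STRENGTH[best] == PHISHING_RESISTANT:
            row["phishing_resistant"] += 1
    return dict(report)


def adoption_rate(report, role):
    """Fraction of accounts in `role` with any MFA enrolled."""
    row = report[role]
    return row["mfa"] / row["total"] if row["total"] else 0.0


def seat_belt_chimes(accounts):
    """Accounts that should be nudged: anyone without MFA, and any admin
    whose strongest method is not phishing-resistant. Returns (user, message)."""
    chimes = []
    for acct in accounts:
        best = strongest_factor(acct["factors"])
        if best is None:
            chimes.append((acct["user"], "no MFA enrolled; enroll a passkey or authenticator app"))
        elif acct["role"] == "admin" and STRENGTH[best] < PHISHING_RESISTANT:
            chimes.append((acct["user"], f"admin using {best}; move to a phishing-resistant method"))
    return chimes


if __name__ == "__main__":
    rpt = adoption_report(ACCOUNTS)
    for role, row in sorted(rpt.items()):
        print(f"{role}: {row['mfa']}/{row['total']} with MFA, "
              f"{row['phishing_resistant']} phishing-resistant, {row['sso']} via SSO, "
              f"by method: {dict(row['by_method'])}")
    for user, msg in seat_belt_chimes(ACCOUNTS):
        print(f"chime -> {user}: {msg}")
```

The per-role split matters because the pledge asks for MFA adoption by user type, and an admin without phishing-resistant MFA is a different risk from an ordinary user on TOTP; the by-method counter is what a signer would publish as "by type of MFA". Unknown method strings are deliberately not counted as MFA so a misconfigured export inflates nothing.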

CISA reports that at the pledge's launch, nearly 70 software manufacturers had already signed on. As of this writing, 220 companies have signed the Secure by Design pledge. Interested firms can take the pledge through the "Join Us" link at https://www.cisa.gov/securebydesign/pledge.

WHAT’S NOTABLE

This initiative is a major step toward the user-centric zero trust architecture I espouse. Addressing security weaknesses at the manufacturer level during development is more effective than bolting on protections later in the product lifecycle or leaving them to the user. Building phishing-resistant MFA, FIDO2 passkeys, and similar protections into the base product makes it far more likely that they will be enabled and used.

Let's hope that manufacturers see the value of voluntarily pledging to be secure by design. Let's push for expansion of this program beyond enterprise software manufacturers and consider mandatory compliance. Remember, Verizon's Data Breach Investigations Report found that 74% of breaches involve a human element, such as reusing passwords or clicking on phishing links. To improve cybersecurity, the challenge remains at the user level, and the protections must be stronger there.
