CISA Fortifying U.S. Cyber Resilience

In today’s fast-paced era, cybersecurity is a paramount asset for any country, playing a crucial role in safeguarding sensitive information, critical infrastructure, and National Security. The ever-evolving landscape of digital threats necessitates a robust cybersecurity framework to mitigate risks and ensure the resilience of a nation’s cyber defences.

According to the latest findings, there has been a notable surge in cyber assets, marking a significant increase of 133% within just one year. The data reveals a transition from an average of 165,000 cyber assets in 2022 to a staggering 393,419 in 2023. This sharp rise underscores the growing complexity and intensity of cyber threats that organisations, governments, and individuals must contend with.

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information (RFI), calling on all interested parties to contribute insights to enhance secure design software practices. The move aligns with the ongoing international campaign to shift the balance of cybersecurity risk through principles and approaches outlined in the “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software” whitepaper.

CISA and its 18 U.S. and international partner agencies are actively seeking information to fortify its Secure by Design campaign. The RFI addresses key areas, aiming to garner input on various subjects.

1. Incorporating Security Early in the Software Development Life Cycle (SDLC): CISA is keen to understand the changes required to enable software manufacturers, including smaller entities, to build and maintain inherently secure software. Additionally, the agency is exploring how companies quantify the dollar cost of defects in their SDLC.
2. Security in Higher Education: The RFI delves into the role of foundational security knowledge in computer science curricula. It raises questions about whether companies evaluate security skills, knowledge, and experience when hiring new graduates or if employees are reskilled post-hire.
3. Recurring Vulnerabilities: CISA is interested in identifying barriers to eliminating recurring vulnerabilities and how companies can be encouraged to invest in their eradication. The Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programmes are also under scrutiny for their potential role in addressing these issues.
4. Operational Technology (OT): Exploring incentives that would lead customers to demand more security features in OT products, the RFI seeks insights into which OT products or companies have embraced Security by design engineering principles.
5. Economics of Secure by Design: CISA is keen to understand the costs associated with implementing secure by design and default principles and tactics. A comparative analysis will be made against the costs of responding to incidents and breaches.

Further, CISA Director Jen Easterly emphasised the importance of receiving a broad range of perspectives, stating, “While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives.” The ultimate goal is to drive technology towards a safe and secure future by design, requiring collective action from technology manufacturers and apparent customer demand.

CISA’s Secure by Design initiative is a collaborative effort involving 18 U.S. and international agencies. The recent guidance strongly encourages every software manufacturer to develop products that alleviate the cybersecurity burden on customers. Additionally, CISA has launched a series of Secure by Design Alerts, highlighting real-world harms resulting from technology products lacking secure design features.

The RFI urges technology manufacturers and all interested stakeholders to review the Request for Information and provide written comments by February 2024. Instructions for submitting comments are available in the RFI. Feedback received will play a crucial role in shaping future iterations of the whitepaper and guiding collaborative efforts with the global community.

CISA’s initiative reflects a global commitment to fostering Security by designing software practices, addressing current challenges, and preparing for future cybersecurity threats. In the future, CISA’s initiative recognises the need for anticipatory measures to stay ahead of emerging threats. This involves investing in research and development to identify and mitigate potential vulnerabilities in future technologies. By fostering innovation in cybersecurity, CISA aims to ensure that the global community is well-equipped to address the challenges posed by rapidly evolving technologies.