In a live-streamed talk on Monday at Carnegie Mellon University, U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly expressed her disappointment in Big Tech’s product safety. Easterly — often invited to “fireside chats” by various organizations and a fervent supporter of the U.S. “Shields Up” national security program — said the daily “cyber intrusions” we face from adversaries like China and Russia are far more severe than events like the Chinese surveillance balloons favored by mainstream media. Big Tech firms like Twitter and Microsoft only add to the problem by creating products that are “dangerous-by-design,” she added. “And while a focus on adversary nations — like China and Russia — and on cybercriminals is important, I would submit to you that these cyber-intrusions are a symptom, rather than a cause, of the vulnerability we face as a nation. The cause, simply put, is unsafe technology products,” Easterly told CMU students and staff, according to the official transcript of her speech on CISA’s website.
The ‘Accident Boundary,’ Unsafe Technology Products
Easterly talked about the notion of an “accident boundary” — a term popularized by software engineer Richard Cook — saying that the current state of the tech industry and the design of technology products sits right at the edge of this safety allowance. “What if no reasonable amount of money or employee training could fix that, and an accident was inevitable because of the design of the product? It’s as if we’ve normalized the deviant behavior of operating at the bleeding edge of the accident boundary,” Easterly said. No amount of employee awareness training or expensive security tooling can compensate for badly designed tech products, she added. Unsafe technology products are the singular cause of cyber-intrusions, Easterly said, and they contribute to catastrophic cyber-physical threats. She mentioned several examples, among them the Colonial Pipeline attack in the U.S., life-endangering ransomware attacks on hospitals, families defrauded of their savings, and more. Patch Tuesday, the unofficial name for the day on which Microsoft, Oracle, Cisco, and others in Big Tech roll out their monthly updates, “is further evidence of our willingness to operate dangerously at the accident boundary,” she added. “We’ve normalized the fact that technology products are released to market with dozens, hundreds, or thousands of defects when such poor construction would be unacceptable in any other critical field,” she said. Furthermore, Easterly added that few organizations are able to incentivize security-first products, given their limited resources, influence, or accountability. Instead, cost, features, and speed-to-market are prioritized, she said.
The Secret of Secure Programming Is ‘Memory Safety’
Easterly noted that “memory safety” flaws — bugs related to how computer memory is accessed — account for about two-thirds of software vulnerabilities. “Certain programming languages — most notably, C and C++ — lack the mechanisms to prevent coders from introducing these vulnerabilities into their software,” she added. Switching to “memory safe” programming languages such as Java, Python, Go and Rust could eliminate this class of vulnerabilities from the outset. For instance, Google announced that Android 13 is the first Android release to embrace memory-safe coding in Rust, and so far zero bugs have been discovered in that new Rust code. Mozilla is likewise integrating the language into its Firefox browser. Even some ransomware gangs, like BlackCat, have used Rust for its high performance, according to Palo Alto Networks’ January 2022 findings. Easterly said a good example of “security defaults” comes from Apple, which says that 95 percent of iCloud users have multi-factor authentication (MFA) enabled — a step up from two-factor authentication. By contrast, less than 3 percent of Twitter users and only a quarter of Microsoft’s enterprise customers use MFA, she added.
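To make the memory-safety point concrete, here is an added example (not from the speech or from CISA) in C: a parser for a constructed length-prefixed record, once written the way that produces a classic out-of-bounds write, and once with the bounds check that a memory-safe language would enforce automatically. The record format, the `NAME_MAX` limit and both function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 16  /* assumed fixed-size destination buffer */

/* Constructed record format for this example:
 * byte 0 = length N, bytes 1..N = name characters (no terminator). */

/* Memory-unsafe version: trusts the length byte. Nothing in the C
 * language or compiler stops memcpy from running past name[] when
 * len >= NAME_MAX; the result is a heap/stack corruption bug. */
void parse_name_unsafe(const uint8_t *rec, char name[NAME_MAX]) {
    size_t len = rec[0];
    memcpy(name, rec + 1, len);   /* no check against NAME_MAX or record size */
    name[len] = '\0';             /* can also write one past the buffer */
}

/* Bounded version: explicitly checks both the destination capacity and
 * the source record size. Returns the copied length, or -1 on rejection.
 * This is the check Rust, Go, Java or Python perform on every index. */
int parse_name_safe(const uint8_t *rec, size_t rec_len, char name[NAME_MAX]) {
    if (rec == NULL || name == NULL || rec_len < 1) return -1;
    size_t len = rec[0];
    if (len >= NAME_MAX) return -1;      /* would overflow name[] (needs room for '\0') */
    if (len + 1 > rec_len) return -1;    /* record truncated: would read past rec[] */
    memcpy(name, rec + 1, len);
    name[len] = '\0';
    return (int)len;
}

int main(void) {
    /* Constructed sample records. */
    const uint8_t ok[]        = {5, 'a', 'l', 'i', 'c', 'e'};
    const uint8_t oversized[] = {40, 'x', 'y', 'z'};   /* claims 40 bytes */
    const uint8_t truncated[] = {5, 'a', 'b'};         /* claims 5, carries 2 */
    char name[NAME_MAX];

    parse_name_unsafe(ok, name);          /* benign input: appears to work fine */
    printf("unsafe, benign record: %s\n", name);
    /* parse_name_unsafe(oversized, name) would corrupt memory; never call it. */

    printf("safe, ok record:        %d\n", parse_name_safe(ok, sizeof ok, name));
    printf("safe, oversized record: %d\n", parse_name_safe(oversized, sizeof oversized, name));
    printf("safe, truncated record: %d\n", parse_name_safe(truncated, sizeof truncated, name));
    return 0;
}
```

The unsafe function behaves identically to the safe one on well-formed input, which is exactly why such defects survive testing and ship; only the explicit bounds checks (or a language that inserts them for you) turn the malformed records into a clean error instead of memory corruption.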
Adversarial Threats from China and Russia
Later in her speech, Easterly also discussed the regular cyber intrusions the country faces, placing emphasis not only on China’s “massive and sophisticated hacking program” but also on Russia. “Our country is subject to cyber intrusions every day from the Chinese government, but these intrusions rarely make it into national news,” the director said. She added that this leads to the theft of intellectual property and personal data, and puts the entire nation’s security at risk by “establishing a foothold for disrupting or destroying the cyber and physical infrastructure that Americans rely upon every hour of every day — for our power, our water, our transportation, our communication, our healthcare,” and more. “China’s massive and sophisticated hacking program is larger than that of every other nation — combined.” Moreover, the risk increases because “most intrusions and cyber threats are never reported to the government or shared with potentially targeted organizations,” she said. This allows adversaries to reuse attack techniques, and even the same infrastructure, to compromise organizations again and again, she added.
What CISA Is Doing to Overhaul U.S. Cybersecurity
To help overhaul the current state of Big Tech product safety, Easterly set out several criteria that manufacturers should meet. Principally, this means designing with safety in mind, but also:
The burden of safety must not fall on customers; instead, tech manufacturers must take on this responsibility for them. Tech manufacturers must be transparent, helping consumers understand safety challenges and taking accountability for what they bring to market. Tech leaders must publish a roadmap that lays out how products will be both developed and updated using “secure-by-design” and “secure-by-default” methods.
On a positive note, Easterly observed that the U.S. is already making progress on these criteria. Examples include adopting security labels for consumer devices, as well as presidential initiatives on cybersecurity that aim to secure critical infrastructure sectors. Easterly added more good news, this time from CISA itself. The organization is “advancing the use of Software Bill of Materials, or ‘SBOMs,’ the idea that software should come with an inventory of open-source components and other code dependencies.” This should help organizations find security flaws more easily and improve software development, she said. “Imagine a world where none of the things we talked about today come to pass, where the burden of security continues to be placed on consumers, where technology manufacturers continue to create unsafe products or upsell security as a costly add-on feature, where universities continue to teach unsafe coding practices, where the services we rely on every day remain vulnerable. This is a world that our adversaries are watching carefully and hoping never changes,” Easterly added.