CISA called on technology development companies to “fundamentally shift” product design so that cybersecurity sits at its core. “As we’ve integrated technology into nearly every facet of our lives, we’ve unwittingly come to accept as normal that such technology is dangerous by design,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said.
The applications and technology tools that enable critical services today often carry heavy security risks and are difficult to manage because critical infrastructure needs constant uptime, leaving little room for patching and fixing. Additionally, the migration of critical infrastructure to digital modes adds more layers of attack vectors than ever before.
A potential attack on US critical infrastructure could have devastating effects. Water pollution or a massive telecommunication outage is not science fiction. It can happen. Easterly pointed out an interesting fact that we all take for granted. Your average consumer is unofficially tasked with considering complex topics when buying a new digital device such as a phone or a computer. “The American people have accepted the fact that they’re constantly going to have to update their software,” she said. “The burden is placed on you as the user and that’s what we have to collectively stop.”
Along these lines, Easterly also said that “we’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations who are often least aware of the threat and least capable of protecting themselves.”
“We often blame a company today that has a security breach because they didn’t patch a known vulnerability. What about the manufacturer that produced the technology that required too many patches in the first place?” Easterly questioned.
Our digital-age culture has created a “multi-billion dollar cybersecurity industry” because technology companies do not have enough oversight to enforce the development of safe product lines.
Ultimately, the onus of security is not on the consumers, the corporations, or the manufacturers themselves, but on the governing body.
“Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software and specific critical infrastructure entities and driving the development of the safe harbor framework to shield from liability companies that securely develop and maintain their software products and services,” Easterly said.