CISA’s Secure by Design Initiative at 1: A Report Card
COMMENTARY
In April, the Cybersecurity and Infrastructure Security Agency’s Secure by Design initiative celebrated its first birthday. CISA marked the moment with a blog post outlining its achievements over the last year.
One year ago, advocates of secure design welcomed the launch of the initiative, particularly as it followed so quickly behind the National Cybersecurity Strategy, which made secure design a critical tenet of the Biden Administration’s approach to dealing with insecure software.
CISA says the overall goal of the initiative is to “shift the responsibility of security from end users to technology manufacturers.” So, how well has it done?
This is its first-grade report card.
Raising Awareness
CISA’s focus on secure design and its concerted effort to keep it on the cyber agenda has significantly raised awareness of its importance. The agency has set out principles and guidance for the implementation of secure design for technology providers and software developers and provided regular updates through its blog and alerts, ensuring a steady drumbeat of news and information.
In addition, eye-catching global initiatives, which have seen alignment on secure design principles with 16 other nations, have extended beyond US borders and helped focus media attention on the issue.
CISA’s influence, reach, and the resources it has put into raising the awareness of secure by design have made a big difference, and it is now much more a part of day-to-day conversations about software and product security. An undoubted success.
Grade: A
Practical Action
The big secure by design headline stemming from the National Cybersecurity Strategy was the announcement that liability for security would be introduced for software providers. In a February update, National Cyber Director Harry Coker reportedly said that his office is working with academics and legal experts to develop a liability regime.
Introducing liability will require legislation and political support — it cannot be done by CISA alone. However, truly shifting responsibility from end users to manufacturers so that when software comes to market it is designed securely will require manufacturers to be made liable. This is the game changer — without it, progress won’t be as fast as we need it to be.
While we wait for this legislation, however, other important strides have been made. Companies supplying software to the federal government are now required to attest they have used secure development practices. Building secure design into public procurement processes — and therefore making it mandatory — represents a big step forward.
Grade: B-
Attention to Detail
CISA’s secure by design guidance demonstrated a willingness not just to instruct people to do something, but to show them how to do it.
However, the guidance didn’t go far enough in explaining how to deploy a fundamental element of secure design: threat modeling.
Effective threat modeling is a prerequisite for designing secure software, and the best way to build secure software from the start. In response to CISA’s guidance, a group of world-leading threat modelers and the authors of “The Threat Modeling Manifesto” wrote a joint letter to CISA setting out the need for future guidance on security by design to encourage the adoption of threat modeling.
CISA did update its guidance to include more information on threat modeling, including threat model transparency. However, it must go further still and set out in more detail how threat modeling can be effectively implemented.
Grade: C
Future Vision
As it expands its efforts around secure design, CISA has set out three new areas for focus: encouraging customers to think about “secure by demand”; working to understand the economic forces impacting software security; and working with educational communities to incorporate security into computer science and coding programs.
These are all important areas and extremely welcome, if not as ambitious as what has come before. The lack of developer experience and understanding of security is a major issue, and the focus on education will be especially important. As well as upskilling the next generation of developers, more should also be done to support the education of those who are designing software today.
Grade: B+
Final Grade
The Biden administration’s acknowledgement of the importance of security by design in the National Cybersecurity Strategy, and subsequent implementation plan, was a huge moment that truly made the software development industry look up.
CISA’s Secure by Design followed swiftly, showing that the government was serious, and considerable progress has been made in a short period of time.
The legislation on liability that will truly change the game is likely still a way off, but significant interim steps have been taken to build security by design into federal procurement rules — a real statement of intent that is having practical consequences.
There is more to do, especially in giving people the tools that make it possible to truly implement secure design, but so far, the initiative has been a success.
Overall grade: B+