Skip to main content

Deck.blue brings a TweetDeck experience to Bluesky users

With over 3 million users and plans to open up more broadly in the months ahead, Bluesky is still establishing itself as an alternative to Twitter/X. However, that hasn’t stopped the developer community from embracing the project and building tools to meet the needs of those fleeing the now Elon Musk-owned social network, formerly known […] © 2024 TechCrunch. All rights reserved. For personal use only. from TechCrunch https://ift.tt/TBbEAPF

CISA’s security-by-design initiative is at risk: Here’s a path forward

The Biden administration’s 2023 National Cybersecurity Strategy identified structural shortcomings in the state of cybersecurity, calling out the failure of market forces to adequately distribute responsibility for the security of data and digital systems. Most prominently, the strategy seeks to “rebalance responsibility [for security] to those best positioned.”

Shortly after the strategy’s launch in March of this year, the Cybersecurity and Infrastructure Security Agency (CISA) kicked off an effort to “shift the balance of cybersecurity risk” by pushing firms to adopt security-by-design (SbD) practices, improving the safety and security of their products at the design phase and throughout their life cycle.

CISA director Jen Easterly’s announcement of these efforts appears to put CISA at the forefront of this rebalancing, addressing technology vendors’ incentives to underinvest in security through changes in how those firms design and deploy the products they sell. As the first substantive proposal from President Biden’s administration to effectuate this rebalancing since the launch of the strategy, the success or failure of the SbD initiative could be a bellwether for one of the strategy’s two fundamental ideas.

Success with SbD is at risk, however, both from the political challenges of implementing SbD practices and the threat of unrealistic expectations. This piece addresses both and highlights a path forward.

Political and structural headwinds

The politics of SbD implementation — which implicitly require a capacity to compel change in vendor practices, as well as the insight to design them — are treacherous ground for CISA, as the fast-growing agency is not a regulator. In time, it might become one, but current and past leadership insist that such responsibilities would be at odds with agency culture and its operational responsibilities.

The agency’s ability to support, build capacity, train, coordinate, and plan together with state, local, tribal and territorial entities, and industry stakeholders is rooted in its disposition as a trusted partner and neutral convener.

This means CISA should be only one of several federal agencies working to implement SbD, with cooperation from regulators like the Federal Trade Commission (FTC), a sharp and pointy complement to CISA’s open-handed approach. Otherwise, the SbD initiative could place CISA in a bind, trying to fix entrenched market incentive problems but without the ability to compel companies to act differently. CISA efforts to create accountability might undermine its attempts to generate goodwill.

Developing and defining a set of SbD practices that vendors can attest to, and that the U.S. government and other parties can verify or enforce, is a tremendous undertaking in and of itself. CISA must build SbD practices alongside an architecture for enforcement that sets clear roles for entities like the FTC, the Department of Defense, the Securities and Exchange Commission, and the General Services Administration.

The White House has responsibility here, too, and specifically the Office of the National Cyber Director, to guide this multi-agency effort within a strategy to manage the industry politics of shifting the incentives in this market — precisely what the office was designed, staffed, and organized to do. CISA’s focus must remain on enumerating and updating the essential SbD practices.

Just one piece of the puzzle

As we have argued before, “no strategy can address all sources of risk at once, but . . . silver bullets often trade rhetorical clarity for crippling internal compromises.” The SbD program could achieve deep, meaningful changes in how some of the largest technology vendors build services and products. Those changes would have material benefits for the security of every technology user.

However, cajoling all firms toward a comprehensive and uniform set of best practices is a fundamentally incompletable task.

Malicious actors perpetually seek new means of exploit; different sectors and system classes face different and unique challenges; and new technologies are prone to modes of failure, both new and unforeseen. Adopting certain new processes, rigorously enforcing them, and fixing existing incentives would still be a much-needed improvement over the current status quo.

However, adopting memory-safe languages or pushing large actors toward better risk management would not necessarily have prevented many significant vulnerabilities in recent memory, such as Log4Shell. To succeed, CISA will also need to understand how large technology companies build products and services — current industry practice is far from complete or perfect, but it is the baseline from which SbD hopes to drive change. Understanding that baseline is critical.

There is danger when rhetoric around shifting responsibility in cyberspace suggests that cybersecurity problems and challenges exist only because technology vendors cut corners or that all cybersecurity risk can be avoided by following a simple set of straightforward practices. The increasingly interconnected, dependent nature of software systems, as well as the variety of organizations and systems they connect to, creates risks all its own.

SbD is an important piece of managing this — the status quo of responsibility deferred to the user is broken — but describing SbD as a panacea risks creating backlash when insecurity inevitably persists.

It is clear CISA recognizes that success in SbD could be one of the most impactful policy interventions in cybersecurity in the last decade. It is also clear that the program, even in its most successful incarnation, will leave some problems unsolved. Specificity about the scope and goals of the program will help prevent its inevitable critics from distorting the debate into all-or-nothing terms.

Risk and opportunity

SbD — the first policy manifestation of the National Cybersecurity Strategy’s effort to shift responsibility — will not come about by sheer goodwill alone. CISA is not a regulator, and it must define a path for federal agencies that are regulators so that the implementation of SbD leverages the broader standards setting, enforcement, and regulatory powers of the federal government.

Shying away from direct government enforcement of these security practices risks consigning the effort to history, alongside many other “voluntary” and “industry-led” programs.

The growing and talented team at CISA have 18 months until January 2025, which will bring either the paralyzing tumult of transition or the still-chaotic maturation of a first-term administration into a second. The largest vendors that would participate in this program are not going anywhere and can afford to wait.

In this sense, CISA and the wider U.S. government’s cyber policy apparatus is on the clock. CISA must focus on the essential elements of SbD and organize, build, and engage with a clear deadline in mind. The clock is ticking.



from TechCrunch https://ift.tt/Bt3HYgE

Comments

Popular posts from this blog

New month, new crypto market moves?

To get a roundup of TechCrunch’s biggest and most important crypto stories delivered to your inbox every Thursday at 12 p.m. PT, subscribe here . Welcome back to Chain Reaction. Seems like just yesterday we were ringing in the New Year, but we’ve coasted into February and all seems to be somewhat relaxed (for once) in the crypto world. Last month was filled with crypto companies laying off staff , developments around the existing and new Chapter 11 bankruptcies in the space, partnerships and conversations about potential recovery in 2023. Even with a range of bad news flooding the industry, some cryptocurrencies had a bull run in January, amid the market turmoil. Bitcoin rallied 40% on the month, while ether rose about 32% during the same period. Solana also saw serious recovery, from about $10 in the beginning of the year, near its lowest level since February 2021, up 146% to about $24.3 by the end of January, CoinMarketCap data showed. These market movements could pot

Metaverse app BUD raises another $37M, plans to launch NFTs

BUD , a nascent app taking a shot at creating a metaverse for Gen Z to play and interact with each other, has raised another round of funding in three months. The Singapore-based startup told TechCrunch that it has closed $36.8 million in a Series B round led by Sequoia Capital India, not long after it secured a Series A extension in February . The new infusion brings BUD’s total financing to over $60 million. As with BUD’s previous rounds, this round of raise attracted a handful of prominent China-focused investors — ClearVue Partners, NetEase and Northern Light Venture Capital. Its existing investors GGV Capital, Qiming Venture Partners and Source Code Capital also participated in the round. Founded by two former Snap engineers Risa Feng and Shawn Lin in 2019, BUD lets users create bulbous 3D characters, cutesy virtual assets and richly colored experiences through drag-and-drop and without any coding background. The company declined to reveal its active user size but said its use

Can Arbitrum’s recently formed DAO recover from its messy week?

The TechCrunch Podcast Network has been nominated for two Webbys in the Best Technology Podcast category. You can help TechCrunch win by voting for Chain Reaction , which digs into the wild world of crypto, or Found , which brings you the stories behind the startups by sitting down with the founders themselves. Please take a few moments to vote here . Voting closes April 20. (NB I host Chain Reaction, so vote for my show!) Welcome back to Chain Reaction. This week was pretty bearable as a crypto reporter covering this space. There was less crazy news transpiring, compared to previous weeks (where we saw a number of U.S. government crackdowns on major crypto companies like Binance and Coinbase ). Still, it’s never a dull week in the crypto world. In late March, Arbitrum, an Ethereum scaling solution, transitioned into a decentralized autonomous organization (DAO), after airdropping community members its new token, ARB. DAOs are meant to operate with no central authority and token h