By: Bob Ackerman
A few months ago, a Microsoft developer and engineer made a critical discovery: a hacker had placed malicious code in a widely used open-source data compression tool. The discovery averted what could have been a catastrophic supply chain attack.
This attracted modest attention. But then another incident occurred last month – one that produced screaming headlines everywhere.
CrowdStrike, a cybersecurity vendor whose software is deployed on Microsoft systems, pushed an update on July 18 that analysts say probably skipped quality testing. The cataclysmic result: roughly 8.5 million computers disabled in perhaps the largest cyber event ever. Impacted were the online operations of banks, hospitals, police forces, major airlines, and government agencies. This was an error, not a hack, but the consequences were every bit as bad because (in my personal opinion) CrowdStrike had not implemented the concept of secure-by-design, at least not completely.
Secure-by-design principles treat the security of customers as a core business requirement, rather than merely a technical feature. Companies should apply these principles during the design phase of a product’s development lifecycle and its attendant systems, so that the number of exploitable flaws is significantly reduced before the product reaches the market. Scores of major companies, including Microsoft, Alphabet’s Google, Amazon, IBM, Cisco, and Palo Alto Networks, have recently agreed to adopt secure-by-design.
It’s not that the United States is remiss in upgrading cybersecurity. Most organizations have improved their protection over the years. And America’s cyber defense agency – the Cybersecurity and Infrastructure Security Agency (CISA) – is charged with defending the country against chronically evolving cyber threats, especially threats to physical infrastructure. CISA’s job, however, has become increasingly difficult as more unsafe technology is introduced to the market.
The upshot is that the US cybersecurity burden falls disproportionately on the shoulders of consumers and organizations rather than on the producers of the technology. Fundamentally, America needs a new model to address the gaps in cybersecurity. Since such a model is unlikely to emerge anytime soon, secure-by-design is the next best option. Zero trust is a contender, but it can be very complex to implement and typically results in excessive disruption.
There is no question that serious improvement is required, and not simply because of the recent episodes. Plenty of new security attacks and miscues are on the horizon, mostly because application development teams face immense pressure to code faster than ever. This frequently leads to the neglect of security measures. A recent study of 600 IT and IT security professionals by Ponemon Institute revealed that organizations are still prioritizing speed to market over security.
Only 20% of survey respondents were confident in their ability to detect a vulnerability before an application is released. Moreover, the survey found that more than 60% struggle to remediate vulnerabilities effectively and 50% fail to test the security of their applications after they have been released.
While secure-by-design is obviously better than today’s cybersecurity status quo, it doesn’t check all the security boxes. Open-source software, for example, would likely remain a big problem because it’s a particularly big nut to crack when managing software supply chain security risks. Most source code used inside companies today is open source. Too often, its risks cannot be addressed because the code comes from outside the organization.
Then there are some security issues that are easily correctible but unlikely to be fixed in the foreseeable future. A case in point is multifactor authentication (MFA), a strong security control that requires users to log in through several steps, such as entering a code sent by text message. In recent months, some employees at AT&T and UnitedHealth Group sidestepped MFA to the point at which both companies were breached. This predicament exists because some employees complain that MFA slows them down, or because technicians were too busy to set it up in test environments.
Organizations need to know how to implement secure-by-design. Here are some tips:
+ Strongly Support the Concept: Some executives may resist change or underestimate the significance of early security integration. Accordingly, reject the misconception that security can be added as an afterthought. Retrofitting security measures onto existing systems is tedious and costly.
+ Training and Awareness: Creating a culture of security awareness is paramount. This begins with comprehensive training programs that equip teams with the skills to address potential vulnerabilities.
+ Foster Collaboration Among Cross-Functional Teams: The goal is to ensure that security considerations are integrated into every project phase.
+ Utilize Security Tools and Technologies: Tooling streamlines implementation. Solutions such as code analysis tools and penetration testing are invaluable for identifying security weaknesses before attackers do.
Cybersecurity redundancy – multiple layers of security measures and backup systems that ensure continuous protection and functionality even if one layer fails – is part and parcel of secure-by-design. This takes time and boosts expenses in the beginning. But it’s worth the sacrifice to avoid devastating lapses. Frank Cilluffo, Director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, deftly underscored this in one sentence in a recent media interview. “It’s kind of amazing that ease and speed continue to trump security – which always costs too much until it’s not enough,” he said.