Each year, cybersecurity vendors add ever more products and services to help companies secure their data, and IT security budgets increase, yet attacks continue to rise.
If the software industry doesn’t change the way it develops products, and victims of attack don’t report incidents, the problem will only get worse, according to security industry leaders at the Consumer Electronics Show (CES) late last week.
Though threat groups are easy to blame, software builders that do not prioritize security or develop new tech upon insecure systems of the past contribute to the mounting cybersecurity issues, explained Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), during a session on how to build a new era of cybersecurity.
“We’ve accepted that software is developed with all kinds of vulnerabilities and flaws, and cybersecurity is the purview of IT people and CISOs who may not have the influence to ensure cybersecurity is incentivized in companies,” Easterly said. “What we need to do to make a change is not necessarily spend our way out of it but figure out how our products will be designed to be safe, with security features built-in.”
Companies have, indeed, tried to spend their way out of security vulnerabilities — be it on software or ransomware payments. Spending on information security and risk management products and services is forecast to grow 11.3% to reach more than $188.3 billion in 2023, Gartner reported. Security services, which includes consulting, hardware support, implementation and outsourced services, is the largest category of security spending, expected to reach $76.5 billion this year, the IT research firm said.
Meanwhile, the level of trust in system security is lower than ever.
“We used to say, ‘Trust and verify.’ Now we say, ‘Zero trust,’” said Steve Koenig, vice president of research at the Consumer Technology Association, during his keynote at CES last week.
Backward compatibility and outdated software that requires continual patching to deal with technical debt are the Achilles’ heels of the tech industry, said CrowdStrike CEO George Kurtz during the CES session with CISA’s Easterly.
“If we think about all of the backward compatibility that tech companies still deal with — there are really insecure protocols but [vendors] support them because there is so much old stuff out there,” Kurtz said. “Until we get rid of that long tail we will never get to a more secure environment.”
Meanwhile, technology providers put the burden of security on consumers, who understand it the least, and on IT pros who must integrate third-party security software into vulnerable software.
In the same way that consumers wouldn’t buy a car that’s built without safety belts, crumple zones and air bags, companies need to ask why the software they invest in is built with “so many vulnerabilities in it that it has to be patched every week,” Easterly said.
“We can’t just let technology off the hook,” Easterly said. “We need to ensure the incentives are aligned so we aren’t overbalanced toward innovation and features, and not focused on consumer safety.”
Kurtz concurred, saying companies that aspire to be innovators — many of them presenting their products at CES — push the leading edge of the technology maturity curve but sit at the lower end of the security maturity curve. Those wide gaps between tech and security maturity are where the risk of exploitation increases, he said.
Cybercrime damages are projected to be $8 trillion this year and $10.5 trillion in 2025 — a level of increase that Easterly said won’t slow down unless government and industry take a more collaborative approach.
“We cannot accept that in 10 years from now, it’s going to be the same or worse than where we are now,” she said.
CISA is pushing tech companies to create tech that’s secure by design and by default. It has called on the C-suite to embrace corporate cyber responsibility as a matter of good governance and corporate citizenship, she said.
“It’s about fundamentally shifting the paradigm of how government and industry work together, to persistent collaboration,” Easterly said during the session. “Not this episodic, unidirectional, nontransparent, nonresponsive relationship we have between government and industry. [We need an approach] that’s much more focused on shared responsibility for cyber safety.”
Another problem to fix is corporate reluctance to report security incidents. Public incident reporting is critical in preventing similar attacks, just as reporting a burglar in one home can keep an entire neighborhood safe, CISA’s Easterly said.
Last year, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires critical infrastructure companies to report significant cyber incidents and ransom payments to CISA within 72 hours.
“Threat actors take advantage of the fact that the lack of reporting allows them to use the same infrastructure and the same techniques to go after other targets,” Easterly said. “[CIRCIA] is about collective cyber defense.”
She added that the automatic “blaming and shaming” of the companies targeted in security breaches has discouraged incident reporting. The massive SolarWinds attack is a recent example.
“Everyone blamed SolarWinds for the initial intrusion, but we didn’t look at the weak security defaults, or the weakness in Active Directory or Azure,” Easterly said. “We really need to come together to make sure companies have an incentive to report this information, so they realize they are adding to the safety of the ecosystem. It has to be about the safety of Americans, not self-preservation.”