Senior U.S. cyber officials had a strong message for big tech Thursday, saying that tech providers, not just buyers, must take responsibility for ensuring their products are protected from cyberattacks.
National Cyber Director Chris Inglis … accountability for security must be shared.
“… the first and last line of defense can’t be the user at the end of that supply chain. We have to push some responsibility along that supply chain …”
… technology must be secure by design, so that even if situations such as the Log4j vulnerability do occur, they can be caught and contained at the earliest possible moment.
Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, said: “Tech providers must make fundamentally secure products, starting at the earliest design phases, at no extra cost to buyers. Responsibility for securing products can’t be the user’s alone. If you’re a provider of tech, you’re responsible for providing a baseline of security in that tech.”
Wrangling the software supply chain can be overwhelming, which makes this a big problem with wide-reaching impact. Ideally the industry would take the lead, but self-regulation might fall short in this case. The Federal government has the ability to mandate that vendors be able to certify, identify and track all of the software components used in the development process.
With so much connectivity and interdependency, we’ve already seen the implications of a flaw in fundamental source code and the disruptions it can cause. Just as we have ingredient lists for our food or tags detailing the textiles in our clothes, software makers must have visibility and awareness into the anatomy of their technology so they can quickly isolate vulnerabilities if and when they emerge. This will remain a challenge until some form of standardization is the norm.