Cybersecurity

Relying on market forces won’t solve cybersecurity crises, CISA chief tells DEF CON 32 attendees

“Have you looked at the standard contract language for software? You bear the entire risk of this product, and that’s part of the issue,” CISA chief Jen Easterly said.
article cover

Sefa Ozel/Getty Images

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Market forces clearly aren’t doing the job when it comes to cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA) chief Jen Easterly told an audience of hackers on Friday.

Easterly addressed the crowd at DEF CON 32 in Las Vegas alongside the conference’s founder, Jeff “Dark Tangent” Moss. A recurring theme: The modern software market does not prioritize security enough.

“Market forces aren’t working,” Easterly said.

“The reason we have the cybersecurity industry is because technology vendors have been able to create flawed or defective [products] for decades, right?” Easterly added. “Because it’s been all about incentives, [which] have been speed to market and features, not security.”

Easterly has long insisted CISA does not want to become a regulator and is a “voluntary agency,” meaning it relies on collaborative agreements with tech companies rather than regulations and fines. At DEF CON, Easterly pointed to the success of some voluntary CISA initiatives, such as its (nonbinding) secure by design pledge, though she also called for more accountability from software developers and for customers to start demanding secure software.

“At the end of the day, unless we stop talking about the villains and the victims, and start demanding more of the vendors, I don’t think we’re going to get into a place where we’re going to be able to drive down risk as much as we really want to,” Easterly said.

“We should stop calling things vulnerabilities, because it really diffuses responsibility,” she added. “We should start calling them product defects.”

A recent Supreme Court decision throwing out the Chevron doctrine—under which courts were required to defer to federal agencies’ understanding of statutes in most situations—could dramatically affect or curtail virtually every federal cybersecurity regulation.

The court’s ruling could open the door for challenges to some of CISA’s proposals. CISA plans to implement mandatory cyber incident reporting for potentially hundreds of thousands of critical infrastructure entities under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which Easterly has said is essential to establishing baseline visibility into the nation’s threat environment. Without Chevron, the proposed rule’s prospects remain unclear due to potential legal challenges.

“The vast majority of other industries, they do track defects and incidents that cause harm so you can specifically focus on reducing risk, the risk to driving on the highway, the risk to getting on an airplane,” Easterly told the audience. “I always worry that it’s going to be a major, devastating attack that actually [results in] some sort of legislation.”

Easterly told IT Brew after her talk at DEF CON that her team was undergoing a “full analysis” of how the Chevron ruling could impact its CIRCIA plans.

“We’re continuing to analyze the comments we received during the comment period for the notice of public rulemaking, and incorporate it into the final rule, but we don’t know yet how Chevron may affect it,” Easterly said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

I
B