CyberSecurity SEE

Tech Giants Lag Behind in Implementing Secure-by-Default Features as NSA/CyberCom Chief Nominee Testifies in US Senate and White House Releases Cybersecurity Strategy Implementation Plan.

Tech giants such as Amazon Web Services, IBM, and Oracle are facing criticism for their slow implementation of secure-by-default features in their products, despite guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) to incorporate such elements. In April, CISA urged tech companies to prioritize security by implementing multi-factor authentication (MFA) on administrator accounts and providing free access to activity logs. However, these companies have been dragging their feet in taking these necessary security measures. Mark Montgomery, the executive director of the Cyberspace Solarium Commission, expressed concern about the vulnerability this creates, stating that these companies should be held accountable for their inaction.

A spokesperson from CISA acknowledged the delay but expressed hope for change in the near future, particularly in areas that require less engineering investment. The agency plans to release updated guidance this summer to encourage implementation. However, industry experts believe that tech firms are reluctant to address security gaps in their products unless there is a clear business case for it.

In a separate development, Lt. Gen. Timothy Haugh, the US President’s nominee to lead both Cyber Command (CyberCom) and the National Security Agency (NSA), appeared before the Senate Intelligence Committee to discuss his plans if confirmed. Haugh expressed support for Section 702 of the Foreign Intelligence Surveillance Act, which authorizes intelligence agencies to collect, without a warrant, the communications of foreign targets located outside the United States. He stressed the importance of this authority for the intelligence community. However, some officials questioned Haugh’s knowledge of the subject, as he deferred to the views of current leadership rather than offering his own in-depth assessment.

Haugh was also asked about concerns regarding backdoors that would allow CyberCom and the NSA to bypass encryption technology in devices and software. He reassured the committee that encryption is critical to national security and that he would not support any weakening of encryption for Americans. Haugh also expressed his commitment to supporting Ukraine in defending itself against Russian cyber warfare and improving security at the NSA to prevent leaks of classified information.

Meanwhile, the White House has published the implementation plan for the US National Cybersecurity Strategy, four months after the strategy’s release. The plan outlines more than 65 high-impact initiatives to be carried out by federal agencies, aiming to mitigate cyber risks and incentivize long-term investment in cybersecurity. The majority of these initiatives are due by fiscal year 2024, with some scheduled for completion by the end of fiscal year 2023. To ensure a whole-of-government approach, each initiative is assigned to a single responsible agency and a completion date, with other agencies taking on specific supporting roles.

The cybersecurity community has generally welcomed the implementation plan. CrowdStrike’s VP, Counsel, Privacy and Cyber Policy, Drew Bagley, commended the roadmap provided, especially considering the multiple dependencies involved in the strategy. Bagley also praised the plan for its focus on Secure-by-Design/Secure-by-Default principles, critical infrastructure cybersecurity, and federal cybersecurity.

Palo Alto Networks’ EVP and General Counsel, Bruce Byrd, highlighted the benefits of implementing zero trust principles, automation, and machine learning, as well as building a skilled cyber workforce. He expressed eagerness to collaborate with the administration to secure critical digital infrastructure.

Ron Fabela, CTO of ICS/OT cybersecurity firm XONA Systems, analyzed the implications of the plan’s pillars, particularly in defending critical infrastructure. He highlighted the need for regulatory harmonization and public-private partnerships, as well as the challenge of setting cybersecurity requirements for privately owned critical sectors. Fabela emphasized the goal of collaboration and the importance of industry engagement in implementing the strategy.

Overall, the implementation of the US National Cybersecurity Strategy is seen as a crucial step in enhancing the nation’s cybersecurity posture and addressing the security gaps in products and systems. The slow response from tech giants is a concern, but with the publication of the plan and increased collaboration between government and industry, there is hope for progress in securing critical infrastructure and strengthening national cybersecurity.
