The Empire Steps Up
Secure By Design, Secure By Default, Pt.
2
The Secure By Design Framework is not just an initiative by Uncle Sam. Seven nations have signed on to an agreement that lays out the plan to enforce a new set of principals that manufacturers and distributors of computer products would be compelled to adhere. In fact, the authors' of the document discussed herein acknowledge their work builds upon the security framework already proposed by the European Union. The EU released a similar document, "Cyber Resilience Act," dated September 15, 2022. The fundamental difference is that the EU is proposing legislation. The EU is proposing "cybersecurity rules to ensure more secure hardware and software products." Rules imply enforcement. And it is the lack of any enforcement mechanisms included in the Secure-By-Design initiative that renders the initiative one more example of preaching The Sermon of CyberSecurity to the CyberChoir.
The market share of IT represented by these seven nations will be the market imperative to force these vendors to build better products, or so the logic goes. The Agreement these seven nations agreed to was published in a paper released by CISA, April 13, 2023, entitled, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by Design and -Default." The entire 15 page paper can be had here. [pdf will open.]
The seven nations' signatories are represented by their respective agencies and are listed below:
• Australian Cyber Security Centre (ACSC) Australian Cyber
Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• United Kingdom’s National Cyber Security Centre (NCSC-UK)
•
Germany’s Federal Office for Information Security (BSI)
•
Netherlands’ National Cyber Security Centre (NCSC-NL)
• Computer
Emergency Response Team New Zealand (CERT NZ) and New Zealand’s
National Cyber Security Centre (NCSC-NZ).
The document refers to these seven agencies as "the authoring agencies."
The paper goes on to list what are its suggestions for placing security at the forefront of all facets of the IT manufacturing process. Its weakness is that it places the burden of enforcement on the wholesale customers of IT manufacturers.
The authoring agencies recommend organizations hold their supplying technology manufacturers accountable for the security outcomes of their products. As part of this, the authoring agencies recommend that organizational executives prioritize the importance of purchasing Secure-by-Design and Secure-by-Default products.
The document admits the "authoring agencies acknowledge that taking ownership of the security outcomes for customers and ensuring this level of customer security may increase development costs." Indeed, the agencies recognize, "Secure-by-Design development requires the investment of significant resources by software manufacturers at each layer of the product design and development process that cannot be “bolted on” later."
The agencies demonstrate to me a certain naiveté about the business practices of the major computer manufacturers. These are for the most part publicly traded businesses. The publicly traded business entities answer first to their stock holders. Stock holders demand ever greater returns on their investments, represented by profits gained by the entities in which the stockholder had invested. Increased costs that are not offset by increases in volume sales or the price of the products sold equate to a lower profits. Making less money is not the goal of any investor, and thus also not the goal any publicly traded company. It is wishful thinking, indeed, when the agencies declare:
Manufacturers of products that are “Secure-by-Default” do not charge extra for implementing additional security configurations. Instead, they include them in the base product like seatbelts are included in all new cars. Security is not a luxury option but is closer to the standard every customer should expect without negotiating or paying more.
Sorry, but your math, here, just ain't a mathin'. Nor is the recounting of the history of how current automobile safety features came to be; and what was the impact of those innovations on the overall automobile retail market. The cost of seatbelts; air bags; ABS braking systems, just to name of a few of these safety innovations, have all contributed over the last 40 years to driving up the cost of automobiles. Without the legislation that demanded these safety features be installed as mandatory parts to be included in the base price of the automobile, it is unlikely the rapid adoption of safety features that have come about so rapidly.
The agencies omit one salient historical fact about the changes to the automotive industry that forced to market the safety features we expect in our vehicles now; would not purchase a vehicle without such safety features, and gladly shell out more money for these features when buying a new automobile is this: What prompted the movement for the effective safety features of modern automobiles grew out of Ralph Nader's assault on the Chevrolet Corvair that gripped the nation after the 1965 publication of his book, Unsafe at Any Speed: The Designed-In Dangers of the American Automobile. CISA director Easley often makes offhand references to this seminal work that really did launch the Consumer Protection Industry.
It is rightly acknowledged by all parties that the public outcry generated by the publication of Ralph Nader's book published a year earlier, had created the groundswell of public support that culminated in the creation of the National Highway Traffic Safety Administration in 1970. Yet, that agency grew out of legislation passed by Congress in 1966 that mandated seat belts in automobiles for the first time. It was from these hearings that the United States Department of Transportation was formed in 1970.
The fundamental difference between the wrecks and smashups on the Interstate Highway and all the disasters that occur on the Information Super Highway is that all citizens can see the real bodies piled up on a real road. Actual people do lose actual loved ones in actual automobile accidents. There is nothing theoretical about a fuel tank exploding in flames as the result of a simple rear end collision. That ain't no Virtual Reality.
Secure-By-Default software will certainly increase development costs. Development times for new software will be extended because far greater testing for vulnerabilities will be required. Delaying the release of new software releases may actually have the opposite desired effect here. Even if a replacement product is only marginally more secure than the prior version, any level of increased security is more security. Securing our computers and networks is a very complex endeavor that will require consensus on all stake holders so affected by the changes. One group of such stakeholders is endusers of computer products, otherwise known as the Customer. And to The Customer this is all wasted cycles.
There is no great public outcry demanding increased security in our computer products. Although the computer has become an essential tool of our modern existence, the computer still seems more like a toy than a necessary tool to too many users. Any meaningful impetus to reign in IT vendors will require a Congressional response in the form of legislation that comes with some enforcement teeth. Both Houses of Congress are meanwhile too busy playing with their fiddles to smell the smoke all around them. And the public doesn't seem to care if they change their tune, or not.
So, what is Congress doing to improve the lives of their constituents as these citizens are increasingly forced to rely on computer technology for just about everything done in a citizen's public life, and increasingly into their private lives, too? Well...
Click Through Again, Brothers and Sisters.
¯\_(ツ)_/¯
Gerald Reiff