CISA’s Easterly points to government’s ‘purchasing power’ as a tool to force secure software development
The U.S. government is the largest purchaser of goods and services in the world. And Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, believes that “purchasing power” can be used as a tool to shift the tech industry toward developing safer and more transparent software.
Discussing CISA’s recently issued guidance to software vendors on developing code that is “secure by design and secure by default,” Easterly said Monday in a conversation at the Aspen Institute in D.C. that “government can have a big role” in incentivizing and driving private companies to employ those principles just by doing business with the ones that do.
“And that will help, I think, drive a good portion of the market to start creating products that come with less and less vulnerabilities,” Easterly said, pointing to President Biden’s cybersecurity executive order 14028 from 2021, which similarly calls on the government to lead the market shift with its purchasing power.
That EO, she said, “talks a lot about how you can use the government’s purchasing power to drive vendors to create safer products and to ensure that you have standards built-in.”
“We’re going through the Federal Acquisition Regulation process, which is very Byzantine and very bureaucratic, but hopefully we’ll get there,” Easterly said of creating rules that could require federal agencies to buy from vendors that have software that’s secure-by-design and -default.
CISA, in partnership with the White House, is currently in the process of accepting comments on an Office of Management and Budget rule that will require software firms to provide self-attestation forms stating that they have complied “with Federal Government-specified secure software development practices” as laid out in the National Institute of Standards and Technology’s Secure Software Development Framework.
As FedScoop first reported last week, the final version of the form that will be used for that process has not yet been approved, with the deadline for CISA’s comment period coming June 26. A senior official told FedScoop that OMB would “work fast” to approve the final version of the form once the industry comment period closes.
It’s not an easy transformation to shift the software industry toward being more transparent about risks, Easterly explained, as “we are dealing with decades of misaligned incentives.”
“It’s really been decades and decades of companies putting speed to market and features over safety and security,” she said. “And so what we want to do is essentially, be able to send market signals, because that’s what’s been missing: A clear signal so that consumers know what to ask for. And that’s the conversation that we’re starting. Consumers need to know.”
Along those lines, CISA is calling on vendors to be radically transparent and to “actually put out information about how secure their products are,” Easterly said.
“So all these things that consumers typically sort of think are kind of magic … and then they sign their agreement to accept liability, which essentially is what you do when you turn on a device — we’re really trying to make sure” consumers are educated about what they’re using, the CISA director said.