Cybersecurity agencies publish new guidance on safe software design: Here’s why it matters
Head of Industry and Partnerships, Centre for Cybersecurity, World Economic Forum
Senior Writer, Forum Agenda
This article is republished from the World Economic Forum under a Creative Commons license.
- Cyberattacks can impact critical systems, for example by forcing hospitals to cancel surgeries.
- Software manufacturers are now urged to build cyber safety into their products at the design stage.
- New principles for software that is “secure-by-design and -default” have been published by CISA, the FBI and the NSA in the US and cybersecurity agencies in six partner countries.
Software should have cybersecurity protection built-in before it goes on sale.
This is the core message of new guidance from cybersecurity authorities in the United States, Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand.
For the first time, these countries have produced joint guidance urging software manufacturers to ensure as a priority that the products they ship are designed to be secure and have cybersecurity built in as standard. The guidance is outlined in the following report: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.
Which cybersecurity authorities are behind this guidance?
There are three federal government agencies in the US and eight international partners behind the joint software cybersecurity guidance.
The US agencies are the Cybersecurity and Infrastructure Security Agency (CISA) – America’s cyber defense agency; the Federal Bureau of Investigation (FBI) – the national security and law enforcement agency for the US; and the National Security Agency (NSA) – a national intelligence agency focused on protecting national communications systems.
Their international partners include Canada’s Centre for Cyber Security (CCCS); Germany’s Federal Office for Information Security (BSI); New Zealand’s Computer Emergency Response Team (CERT NZ); and the UK’s National Cyber Security Centre (NCSC-UK).
Why is secure-by-design guidance needed?
Cyberattacks have led to hospitals cancelling surgeries globally. This is just one example of how technology breaches can impact critical systems that affect all of us, the cybersecurity authorities say.
Insecure technology products can “pose risks to individual users and our national security,” explained NSA Cybersecurity Director Rob Joyce. He added: “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see.”
In its Global Cybersecurity Outlook 2023, the World Economic Forum finds that 93% of cyber leaders and 86% of business leaders think a “far-reaching, catastrophic cyber event” is moderately or very likely in the next two years because of global geopolitical instability.
“The threat landscape has become increasingly volatile,” the Forum says. “Professionalized cybercriminal groups have continued to grow and create a higher volume of new attack types.”
In its State of the Connected World 2023 report, the Forum identified that growing reliance on connected devices and related technologies has made organizations, governments and individual users increasingly susceptible to cyber threats. The ability of connected devices and related technologies to protect individuals from cyberattacks is, therefore, a leading concern.
The Centre for Cybersecurity’s community – part of the Incentivizing Secure and Responsible Innovation initiative – established that if entrepreneurs and innovators were encouraged and incentivized to prioritize security features in their product development from the very beginning, a much safer cyberspace would be incrementally possible.
What are software manufacturers being asked to do?
The guidance for secure-by-design software in the Shifting the Balance of Cybersecurity Risk report includes specific technical recommendations, such as using programming languages that eliminate vulnerabilities.
There are also a number of core principles for software manufacturers. One is that software should come out of the box already configured with the most important security controls, so that this is not left for the customer to fix.
Software manufacturers are also asked to “embrace radical transparency and accountability”. This might include sharing information, for example, about customer take-up of default cybersecurity controls.
Companies must also build the right organizational structure and leadership to ensure security is prioritized as a critical part of software development.
The principles published by CISA, and endorsed by several national cybersecurity agencies globally, provide software manufacturers with the much-needed incentive to boost product security and can play a key role in strengthening cybersecurity and resilience across the ecosystem.
The views expressed in this article are those of the author alone and not the World Economic Forum.