U.S. and partners issue cyber guidance on tech safety in consumer products

WASHINGTON, D.C. – On April 13, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of international partners, released “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.”

The United States joined Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand in publishing the guidance that urges software manufacturers to take the steps necessary to ship products that are secure-by-design and-default. To reach a future where technology and associated products are safe for customers, the responsible agencies are urging the manufacturers to update their design and development programs to only permit secure-by-design and -default products to be shipped to customers. The CISA said this unique guidance is meant to catalyze progress towards more investments and cultural shifts towards a safe and secure future. The guidance contains several core principals to guide software manufacturers:

• Take ownership of the security outcomes of their technology products, shifting the burden of security from the customers.
• Embrace radical transparency and accountability.
• Build the right organizational structure by providing executive level commitment for software manufacturers to prioritize security as a critical element of product development.  

“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” said CISA Director Jen Easterly. “These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”

“Cybersecurity cannot be an afterthought,” said Abigail Bradshaw CSC, head of the Australian Cyber Security Centre. “Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital to putting cyber security at the centre of the technology design process.”  

The CISA said that many private sector partners have already made contributions towards the advancement of security-by-design and security-by-default. They are welcoming feedback on the guide from partners to be received at SecureByDesign@cisa.dhs.gov.

The guide can be accessed by interested parties here.