Global cybersecurity agency CISA advances Secure by Design initiative, aiming to globally influence software security standards within the industry
The tech industry is making a significant shift towards prioritizing default security and accountability in product development, as emphasized in the revised guidance from the Cybersecurity and Infrastructure Security Agency (CISA). This approach, known as Secure-by-Design principles, aims to build products with strong security features from the outset[1].
Key industry actions aligned with CISA’s guidance include embedding security into every stage of product development by integrating automated security checks in Continuous Integration/Continuous Deployment (CI/CD) pipelines, using memory-safe programming languages to avoid common vulnerabilities, implementing Infrastructure as Code (IaC) security, requiring signed and verified software artifacts for transparency, and instituting clear security accountability and ownership[1].
CISA’s 2024–2026 Cybersecurity Strategic Plan further reinforces industry efforts to prioritize secure-by-default and secure-by-design principles as foundational to improving resilience and responding to evolving cyber threats[2]. This includes cultivating a cybersecurity-aware workforce and embedding accountability at the executive and product levels rather than shifting the burden onto end users or under-resourced teams[1][2].
The focus on default security was highlighted by an attack against Microsoft in which suspected state-backed hackers linked to China stole thousands of State Department and other government emails[6]. In response, and after federal officials tipped the company off about the hack, Microsoft entered a partnership with CISA to end its policy of charging customers for security logs[7].
CISA, along with 17 U.S. and international partner agencies, has revised the guidance after months of feedback[8]. The Biden administration's national cybersecurity strategy likewise emphasizes holding software and technology firms accountable for incorporating secure-by-design concepts into their development processes[9].
In the coming weeks, CISA plans to issue a request for information regarding Secure-by-Design engineering[10]. The agency's new phase of its Secure-by-Design effort is aimed at fostering long-term systemic resilience and accountability across digital ecosystems[11].
CISA Director Jen Easterly has stated that the cybersecurity industry has been developed around misaligned incentives, with the focus on speed to market, driving down costs, and adding cool features instead of emphasizing security[12]. Easterly described the current technology platform as "shaky" and unacceptable[13].
Easterly also claimed that the burden for security falls on small businesses and individuals who can least afford it[14]. The tech industry's focus on default security is a step towards addressing this issue, ensuring that security is built into products from the start, rather than relying on users or IT teams to activate security features later.
Vendors are encouraged to produce software artifacts, such as data or test results, that demonstrate the product was developed in a secure environment[1]. This transparency and accountability are crucial for building trust in the digital ecosystem and for ensuring that products are secure by default.
References:
[1] CISA Guidance on Secure-by-Design
[2] CISA's 2024–2026 Cybersecurity Strategic Plan
[3] CISA's Guidance on Cyber-Informed Engineering
[4] CISA's Guidance on Zero Trust Microsegmentation
[5] CISA's Guidance on Operational Technology Asset Management
[6] Microsoft Suffers Major Hack, Thousands of State Department Emails Stolen
[7] Microsoft to End Policy of Charging Customers for Security Logs
[8] CISA Revises Cybersecurity Guidance After Months of Feedback
[9] Biden Administration's National Cybersecurity Strategy
[10] CISA to Issue Request for Information on Secure-by-Design Engineering
[11] CISA Launches New Phase of Secure-by-Design Effort
[12] CISA Director: Cybersecurity Industry Developed Around Misaligned Incentives
[13] Cybersecurity Expert: Current Tech Platform is "Shaky" and Unacceptable
[14] Cybersecurity Burden Falls on Small Businesses and Individuals
- The tech industry's shift towards default security, encouraged by CISA's Secure-by-Design principles and reinforced in its 2024–2026 Cybersecurity Strategic Plan, highlights the importance of privacy and cybersecurity, especially with respect to accountability and transparency in product development.
- To foster long-term systemic resilience and accountability across digital ecosystems, key industry actions are being taken, such as integrating automated security checks in Continuous Integration/Continuous Deployment pipelines, using memory-safe programming languages, implementing Infrastructure as Code (IaC) security, requiring signed and verified software artifacts, and instituting clear security accountability at the executive and product levels.