US cybersecurity authority: security vulnerabilities are product defects

At a security conference, CISA head Jen Easterly complains that technology providers take too little responsibility for their products.


Jen Easterly, the head of the US Cybersecurity Agency, spoke plainly at Mandiant's mWise conference: "The truth is, technology vendors are the ones who build weaknesses" into their products that "open the door to crooks", reports the British news site The Register.

Even calling security flaws "software vulnerabilities" is too lenient and "actually blurs responsibility. We should call them 'product flaws'", The Register quotes the head of the Cybersecurity & Infrastructure Security Agency (CISA) as saying. Easterly also complains that users are always asked to install updates to their software quickly. "Why don't we ask: Why does the software need so many urgent patches? The truth is: we need to demand more from technology vendors!"

Ultimately, risky software underlies America's critical infrastructure. Easterly's conclusion: "We don't have a cybersecurity problem, we have a software quality problem – We don't need more security products, we need more secure products!"

The head of CISA has been promoting security by design for some time and, together with other international security authorities – including the German BSI – launched a Secure by Design initiative in April 2023. In addition to information and tips, it includes a pledge that company bosses can sign voluntarily. Over 200 signatories have already done so, including Microsoft, Google, Amazon, GitHub and GitLab, but not Apple.

These pledges are not binding, and if you read through some of them, you realize that most manufacturers are primarily praising themselves and their commitment to security.

(who)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.