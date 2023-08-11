LAS VEGAS — The Biden administration has a strategy for pressuring tech companies to step up their cybersecurity game and make more security features free and automatic: encourage their customers to demand those improvements.

“If we can generate enough customer demand, we can start to change [vendors’] practices,” Jack Cable, a senior technical adviser at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), told The Messenger during an interview at the Black Hat cyber conference.

CISA has embarked on a campaign to prod tech vendors to make their products “secure by design” (meaning that security is built into the product from the outset rather than bolted on, leaving fewer exploitable flaws) and “secure by default” (meaning that vital security features don’t cost extra and don’t have to be turned on). The effort reflects the Biden administration’s conviction that protecting America from hackers requires shifting the security burden onto the vendors whose products are so often compromised.

But many major tech firms, including Amazon and Google, have resisted some of CISA’s recommendations. Microsoft only recently adopted one of CISA’s main suggestions, making security logging available without a premium license, after a Chinese cyberattack exposed shortcomings in its systems and showed that some affected customers lacked the logs needed to detect it.

Cable said that CISA is being careful in how it promotes its recommendations. “We're not going to publicly shame companies for not taking the right steps. We don't view that as our role,” he said. “We want to paint what good [security] looks like, and we want to help give customers what they need to evaluate products based on that.”

The success of this campaign will help determine the future of U.S. cybersecurity, as tech vendors either make it easier to operate safely online or continue charging extra for basic features and forcing users to jump through hoops to turn them on.

To encourage customers to prod their vendors for better security, CISA is producing guidance documents that lay out the questions that customers should be asking. One such document is aimed at K-12 schools, which have faced serious cyberattacks due to security lapses at education technology vendors.

“It's about getting the word out... when we're talking to small businesses or state and local governments, making sure that they understand that it's within their power to put pressure on their vendors to ask them to do better,” Cable said.

Of course, if CISA wants customers to make purchasing decisions based on security, the agency will need to push vendors to disclose that information more transparently. As part of that effort, CISA is developing a new guidance document that will help vendors figure out how to publicly demonstrate their security posture.


Cable said CISA has seen “great engagement” in its private meetings with vendors about improving their security, but it’s unclear how many companies have committed to making changes.

On the education technology front, Cable said “we've done some work to secure commitments from K-12 vendors and have some announcements pending on that.”

CISA is also working with the FCC and the National Institute of Standards and Technology to inform their work on a government-backed cybersecurity label for Internet of Things devices (the U.S. Cyber Trust Mark), with the goal of incorporating CISA’s security recommendations into the criteria a product must meet to be certified to use the label.

In addition to encouraging customers to demand better cybersecurity, CISA is also making its case directly to vendors. Cable emphasized that these meetings are aimed at the executives who make decisions, not the technologists who in many cases have spent years pushing for these changes from the inside. In fact, he said, one of CISA’s goals is to give those technologists government backing when they make their case to their supervisors that it’s time for changes.

Many of those changes, Cable noted, only require a willingness to implement them, not the invention of complicated new technologies. “For a lot of what we talk about... solutions have been around for a while,” he said. “This isn't, at its core, a technical problem. It's a business problem.”

CISA wants to understand “the business aspects that might be getting in the way” and “see how we can influence that to be on the better side of security,” Cable said.

For example, some companies want to eliminate old and insecure features but face pressure from customers to keep them. Cable said CISA wants to “steer the national conversation” toward “accepting that we’re not going to be able to use every feature we've always had” and “making sure that security wins in those discussions.”

CISA has seen “an incredible amount of interest” from companies that want to meet its recommendations, Cable said. Now the agency has to stay on guard against “empty promises.”

“We want to see companies actually show their work and say, ‘Okay, these are the specific, publicly demonstrable ways in which we're doing that.’”