



Each year, cybersecurity vendors add more products and services to help companies protect their data, and IT security budgets keep growing, yet attacks continue to grow as well.

If the software industry doesn’t change how its products are developed, and if victims of attacks don’t report incidents, the problem will only get worse, security industry leaders said at last week’s Consumer Electronics Show (CES).

It’s easy to blame threat groups, but software builders who don’t prioritize security and who build new technology on top of past insecure systems are contributing to a growing cybersecurity problem, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said during a CES session on how to build a new era of cybersecurity.

“Software is developed with all kinds of vulnerabilities and flaws, and cybersecurity is the prerogative of IT professionals and CISOs, who do not have the leverage to ensure that cybersecurity is encouraged in the enterprise. We acknowledge the potential,” Easterly said. “What we have to do to make a change is not necessarily to spend our way out of it, but to understand how products with built-in security features are designed to be secure.”

Indeed, companies have tried to spend their way out of software vulnerabilities and ransomware payments. Spending on information security and risk management products and services is projected to exceed $188.3 billion in 2023, up 11.3%, according to Gartner. Security services, which include consulting, hardware support, implementation, and outsourcing, are the largest category of security spending and are expected to reach $76.5 billion this year, the IT research firm said.

Meanwhile, the level of trust in system security has never been lower.

“We used to say ‘trust and verify.’ Now we say ‘zero trust,’” said Steve Koenig, vice president of research at the Consumer Technology Association, in a keynote address at CES last week.

Insecure software

Backwards compatibility and outdated software that require constant patching to address technical debt are the tech industry’s Achilles heel, CrowdStrike CEO George Kurtz said at CISA’s CES session with Easterly.

“When you think about all the backwards compatibility that tech companies are still working on, there are really insecure protocols, [and] there are a lot of old things out there that [vendors] have to support,” Kurtz said.

Meanwhile, technology providers are shifting the burden of security onto those who understand it least: consumers, and IT professionals who must bolt third-party security software onto vulnerable products.

“In the same way that consumers don’t buy cars without seat belts, crumple zones, and airbags, companies should ask why the software they invest in has so many built-in vulnerabilities that they have to patch it every week,” Easterly said.

“Technology can’t just be left alone,” Easterly said. “We need to make sure that incentives are aligned, so they aren’t too skewed towards innovation and features, or too focused on consumer safety.”

Kurtz agreed, saying that companies aspiring to be innovators (many of which launched products at CES) are at the top of the technology maturity curve but at the bottom of the security maturity curve. These large gaps between technology and security maturity are where the risk of exploitation increases, he said.

Cybercrime costs are expected to reach $8 trillion this year and $10.5 trillion by 2025. Easterly said growth at this level will not slow unless governments and industry take a more collaborative approach.

“I can’t accept that 10 years from now things will be the same or worse than they are now,” she said.

CISA is calling on technology companies to build products that are secure by design and secure by default, Easterly said, and is asking executives to embrace good governance and corporate cyber responsibility as part of being good corporate citizens.

“This is a fundamental shift in the paradigm of how government and industry work together, and a lasting collaboration,” Easterly said at the session. “It’s not the temporary, one-way, non-transparent, non-responsive relationship we have had between government and industry. [We need an approach that] places more emphasis on shared responsibility for cyber safety.”

Incident reporting

Another problem that needs fixing is the reluctance of companies to report security incidents. Public incident reporting is important for preventing similar attacks elsewhere, Easterly said, just as reporting a burglary at one house can help keep the entire neighborhood safe.

Last year, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Once CISA’s implementing regulations take effect, the law will require covered critical infrastructure entities to report major cyber incidents to CISA within 72 hours and ransom payments within 24 hours.

“Threat actors are taking advantage of the fact that the lack of reporting allows them to go after other targets using the same infrastructure and the same techniques,” Easterly said. “[CIRCIA] is about collective cyber defense.”

She added that the automatic “blaming and shaming” of companies targeted in security breaches discourages incident reporting. The massive SolarWinds attack is a recent example.

“Everyone blamed SolarWinds for the initial intrusion, but they didn’t look at insecure security defaults or at vulnerabilities in Active Directory or Azure,” Easterly said. “We need to unite to ensure that companies have an incentive to report this information and realize that they are making the ecosystem safer. It’s not about self-preservation, it’s about the safety of Americans.”

