2023-02-25



Earlier this month, Jen Easterly and Eric Goldstein of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) indicated a significant shift in the federal government’s approach to cybersecurity risk and responsibility.

Easterly and Goldstein, in their Foreign Affairs article Stop Passing the Buck on Cybersecurity, urged IT and software organizations to accept greater responsibility for cyberattacks. Consumers and businesses, they argue, expect that a car or other product purchased from a good provider cannot harm them, and the same should apply to technology products. This expectation requires a fundamental shift in responsibility: technology providers and software developers should be held accountable for the security consequences their customers suffer, rather than treating each product as if it came with implied caveats.

This is the strongest position the U.S. government has ever taken on the subject, made even more remarkable by its historically laissez-faire approach to technology, one that sacrificed security for innovation. From a policy-maker and leadership perspective, it is no longer acceptable to ship software on the assumption that the end user is responsible for inspecting or ensuring the quality of the goods they receive. We wholeheartedly agree with this approach.

Assessing Cybersecurity Risks, Responsibilities and Liability

As I mentioned in a previous blog post, there is already a movement to hold organizations more accountable for the consequences of cybersecurity attacks. In the wake of high-profile attacks such as NotPetya and SUNBURST, governments around the world have responded with new regulatory guidance and best practices aimed at improving cybersecurity resilience.

We’ve also seen the growing power that laws like GDPR can have against organizations involved in attacks that compromise end-user data. And in such cases, indemnification clauses, such as those commonly found in EULAs, do little to absolve an organization of liability.

Easterly and Goldstein's perspective, offered as cybersecurity recommendations and policy for the U.S. government, is another important example of the evolving responsibilities of organizations that produce software.

What is Cybersecurity Responsibility?

Easterly and Goldstein appealed for change without specifically stating what changes should be made, but some expectations can be extrapolated from the examples they used. Those examples draw analogies to other industries, help align expectations with policy, and softly reveal the direction of future policy.

Our first glimpse of these expectations can be seen in this quote: "Such security hazards are already in the cyber realm, and now is the time to address them."

These examples are unlikely to have been chosen at random. At least for car manufacturing, the Atlantic Council's recent paper on open source as infrastructure also uses (among other things) the car analogy.

With nearly daily headlines highlighting the aforementioned attacks, ongoing vulnerabilities, and attacks compromising user data, it is clear that much is at stake today. We can assume that Easterly and Goldstein believe this as well, based on the sentiment that such security hazards are already in the cyber realm and now is the time to address them.

Building secure products by default and by design

In each case a crisis was needed to spur change, and the industries themselves did not change until government action and regulation were put in place. All three of the industries cited in this strategy – automotive, aviation and medical devices – are heavily regulated in the US and elsewhere.

These regulations are not to be taken lightly, and in most cases they are either derived from, or intended to ensure, maximum end-user safety. They also establish a clear allocation of liability: it is unacceptable to expect end users or consumers to be responsible for the safety of the products these industries produce.

Easterly and Goldstein used two sets of terms to define the core foundations driving new recommendations and regulations. They said software products should be secure by default and secure by design.

They also argue that it is the responsibility of the US government to define the standards for "a technology product that is secure by default and secure by design."

Their article does not reveal what these standards will look like, but again, analogies to the automotive industry can be used to better understand the expectations. Products that are secure by default, they say, come with strong security features, similar to seatbelts and airbags, at the time of purchase and at no additional cost.

What about the Software Bill of Materials (SBOM)?

The SBOM is perhaps the most significant and dramatic change mandated since the US Cybersecurity Executive Order.

The executive order doubled down on organizations by calling for the inclusion of software bills of materials to better protect and track quality in the software supply chain. Almost every company doing business with the US government has made it a priority to check that box and ship its products with a list of all the components used.

However, what this article and the previous quotes point out is that simply checking that box is no longer acceptable. The SBOM itself could very well be used to construct a liability case in court.

This is also something we have talked about before. In my article on the changing landscape of software supply chain attacks, I made an analogy to the automotive manufacturing industry. Specifically, it is unreasonable to assume that placing a parts list in the glove box of every vehicle will, by itself, help identify and address safety and security issues.

In contrast, through government recommendations and regulations, the automotive industry and most other manufacturing industries are working to provide intelligent recall-like capabilities. These systems are designed to protect the end user and do not hold the end user responsible for knowing the quality of any part of the product purchased. So providing an SBOM is a continuing requirement, but no longer the only requirement.
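As an added illustration (not code from the original post), the following Python sketch shows the difference between an SBOM as a parts list and a recall-like capability: it matches the components in a constructed CycloneDX-style SBOM against a constructed advisory feed and reports, for each affected component, whether a non-vulnerable version exists to move to. All package names, versions and advisory IDs are placeholders, not real software or real CVEs.

```python
import json

# Constructed sample SBOM in a minimal CycloneDX-style shape (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-lib",    "version": "1.2.0"},
    {"name": "example-parser", "version": "3.0.1"},
    {"name": "example-crypto", "version": "0.9.0"}
  ]
}"""

# Constructed advisory feed with placeholder IDs (not real CVEs). 'affected' is
# [lower, upper): inclusive lower bound, exclusive upper bound. 'fixed' is None
# when no non-vulnerable release exists yet.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "component": "example-lib",
     "affected": ("1.0.0", "1.2.5"), "fixed": "1.2.5"},
    {"id": "ADV-CONSTRUCTED-0002", "component": "example-crypto",
     "affected": ("0.0.0", "1.0.0"), "fixed": None},
    {"id": "ADV-CONSTRUCTED-0003", "component": "example-parser",
     "affected": ("2.0.0", "3.0.0"), "fixed": "3.0.0"},
]

def parse_version(v):
    """Dotted numeric versions only, e.g. '1.2.5' -> (1, 2, 5)."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, affected):
    lo, hi = affected
    return parse_version(lo) <= parse_version(version) < parse_version(hi)

def recall_check(sbom_json, advisories):
    """Return one 'recall notice' per (shipped component, matching advisory):
    what shipped, which advisory hits it, and the fixed version if one exists."""
    notices = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                notices.append({"component": comp["name"], "version": comp["version"],
                                "advisory": adv["id"], "fixed_version": adv["fixed"]})
    return notices

def fix_available_ratio(notices):
    """Share of affected components that already have a non-vulnerable version
    available, i.e. components a manufacturer could recall and replace today."""
    if not notices:
        return 1.0
    return sum(1 for n in notices if n["fixed_version"]) / len(notices)

if __name__ == "__main__":
    for n in recall_check(SBOM_JSON, ADVISORIES):
        action = f"upgrade to {n['fixed_version']}" if n["fixed_version"] else "no fixed version yet"
        print(f"{n['component']} {n['version']}: {n['advisory']} -> {action}")
```

Running it on the constructed inputs flags example-lib (fix available) and example-crypto (no fix yet) and leaves example-parser alone, because its version sits past the affected range.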

Solve Cybersecurity Risks and Responsibilities Now

However, in most cases this is a difficult task. It seems that almost every week a new vulnerability related to open source software is discovered. But our research shows that this is only a fraction of the risk associated with open source. Specifically, about 4%.

Last year, the 2022 Software Supply Chain Report presented data showing that 96% of downloaded components containing vulnerabilities had non-vulnerable versions available. It also found that, months after the Log4Shell issue (and now more than a year on), nearly 30% of Log4j downloads were still of vulnerable versions of the framework.

This indicates that the problem is not open source itself, nor simply shipping products that contain vulnerabilities. It is a problem of consuming low-quality parts. We believe these are the types of activities that the new rules will cover. Fortunately, tools, best practices, and processes are available to address this before recommendations and regulations change.

Understanding upcoming changes

Easterly and Goldstein's article has more to offer, including guidance on establishing secure operating practices for software organizations (spoiler: there are tools, best practices, and processes available for this too). I highly recommend reading it to draw your own conclusions and better understand the upcoming changes.

Organizations must prepare for the imperative to ensure that the products they produce are secure by default and secure by design. This is a duty of care to the end user.

Easterly and Goldstein aren’t shy about calling this out directly.

"Based on this progress, US agencies must impose increasingly stringent secure-by-default and secure-by-design requirements in federal procurement processes. This will help drive market change towards building a safer cyberspace ecosystem."

Today, the nature of attacks and cybersecurity risks goes far beyond compromised end-user data, putting national infrastructure and even the lives of consumers at risk. It is time for organizations to take responsibility for that risk.

Source: https://securityboulevard.com/2023/02/innovation-at-the-expense-of-cybersecurity-no-more/
