What We Can Learn From the White House's New Cybersecurity Strategy

by Mike Nelson, Vice President of Digital Trust at DigiCert

Recently, the White House released its National Cybersecurity Strategy, demonstrating an increased focus at the highest levels of government on protecting our digital interactions, which, as we have seen with recent attacks on critical infrastructure, have tangible real-world impacts.

The most recent case reflecting the need to improve cybersecurity systems in Latin America is the massive breach and leak of information from several banking and healthcare institutions in Colombia, a country ranked 66th in the world, in the first week of December 2022. These entities suffered incidents that affected thousands of users, not only through the temporary suspension of services, but also through the alleged leaks of their customers' confidential and sensitive information.

In Brazil, four out of ten companies headquartered in the country have adopted protection measures against leaks of customers' confidential and personal data, according to a survey prepared by the Regional Center for Studies for the Development of the Information Society (Cetic).

According to the same survey, company actions against the leak of confidential information have grown 42% in the last three years, since the beginning of the Covid-19 pandemic. The survey also reports nearly three million hacker attacks in Brazil during the first half of 2022 – an increase of almost 10% compared to the first six months of 2021.

For these companies, learning from the White House can be very valuable. We are excited to see these issues considered and have long advocated the need to establish digital trust in many of the areas addressed by the White House Strategy. Here are some of my takeaways from the strategy and what product developers should keep in mind going forward.

Cybersecurity is a shared responsibility, but manufacturers hold the lion’s share

One of the key points of the National Cybersecurity Strategy is that the responsibility for cybersecurity falls primarily on developers and manufacturers.

The White House fact sheet on the strategy announcement notes, “We must rebalance the responsibility for defending cyberspace by shifting the burden of cybersecurity from individuals, small businesses, and local governments to the organizations most capable and best positioned to reduce the risks to us all.”

I shared earlier that cybersecurity is a shared responsibility and that consumers should have the right to take ownership of the security of the products they buy. However, individuals still have some responsibility and will need to use best practices like MFA, secure Wi-Fi, and rotating passwords.

But developers and manufacturers should bear most of the responsibility for cybersecurity, as they are “more capable and better positioned” to implement digital trust, which has become more apparent as the industry has matured.

Would you buy a car that was not tested? What about a device?

This discussion about responsibility for safety reminds me of growing up in a time when seat belts were optional, but are now required by law for passenger safety. Now that all of our critical infrastructure has software, it is no longer an option to leave safety on the back burner in the manufacturing process. Manufacturers must ensure that security is built into all product and software development, or else they can be held liable for vulnerabilities.

Put another way, would you risk buying a car from a manufacturer that has not tested the product's security and shared that information with you? Or how about a new drug that has not been designed and tested with safety in mind? If you are hesitant to buy other products that are not safe by design, why not apply the same standard to IoT devices that may be in your home, car, office, or on your person?

Just as automakers and pharmaceutical companies are held accountable for their products, I believe developers and manufacturers involved in the design and production of smart critical infrastructure should be held accountable for the security of the devices, code, and any data those devices collect and store.

What this liability looks like in the United States is yet to be determined, but it is likely to include financial consequences. In addition, it is clear that manufacturers need to be prepared and ahead of the game. There is an urgency for companies to do more with digital trust for their software and take more responsibility for cybersecurity.

Increasing device security is a trend in regulatory bodies

We are seeing similar regulations that place responsibility on manufacturers in other markets as well. For example, the EU’s Cyber Resilience Act imposes more accountability on IoT device manufacturers, leading to massive fines and penalties for non-compliance. This act will give consumers more purchasing power and trust in their devices and more transparency about the security of what they are buying.

The White House also mentions IoT security labels: “By expanding IoT security labels, consumers will be able to compare the cybersecurity protections offered by different IoT products, thereby creating a market incentive for greater security across the IoT ecosystem.” There are efforts underway for IoT security labels in several countries, including Singapore, Finland, and the EU. Labeling that reveals safety details about devices would further empower consumers in the same way that nutrition labels on food products empower them to make informed purchases.

This shared movement among governments to pass regulations for software development and IoT makes sense and will hopefully create a trusted global supply chain where, as the National Cybersecurity Strategy states, “like-minded nations combat threats to our digital ecosystem through preparedness, response, and cost enforcement.”

A resilient cyber future requires more digital trust

The White House Strategy comes at a time when the case for digital trust, or providing confidence that our digital interactions are safe, has never been clearer. The Internet is evolving, and so is our threat landscape. As stated in the strategy, as we build a new generation of digital infrastructure, from next-generation telecommunications and IoT to distributed energy resources, and prepare for revolutionary changes in our technology landscape brought about by artificial intelligence and quantum computing, the need to address this investment gap has become more urgent.

Unfortunately, security has often been an afterthought for IoT devices. There has been a huge demand for manufacturers to bring their products to market, and this has led to devices and software notoriously riddled with vulnerabilities. In addition, threats are evolving and we will see even more tools for attackers in the future using AI, post-quantum computing, and other emerging technologies.

Therefore, security needs to be built into the way connected products are designed, built, tested, deployed and operated. This regulation that is shifting responsibility is a big step in holding developers and manufacturers accountable for not including security in the design of their products.

I applaud the government for taking a more proactive approach in what is needed to build a more cyber resilient future. I also caution developers that they need to start adapting their practices now so they are prepared for the regulations to come.
