CISA’s Jack Cable on secure-by-design pledge progress — and next steps
Back in May, dozens of software companies promised the Biden administration and their customers that they would adopt seven key digital security practices within a year. Today, as that secure-by-design pledge hits the halfway mark, the Cybersecurity and Infrastructure Security Agency (CISA) believes its first-of-its-kind project is achieving results.
“We are already seeing significant impacts across the internet ecosystem as a result of this pledge,” Jack Cable, a senior technical adviser at CISA who helps lead the effort, told Recorded Future News in an exclusive interview. “I think it has exceeded expectations.”
The pledge, and CISA’s broader secure-by-design initiative, are key parts of the White House’s push to hold tech companies accountable for the cascading harms of poorly designed products and vulnerable software. Its seven goals cover expanding multi-factor authentication, reducing default passwords, eliminating broad categories of vulnerabilities, increasing customer adoption of security patches, publishing a vulnerability disclosure policy, publishing detailed vulnerability reports and equipping customers with the data needed to analyze intrusions.
So far, 248 companies — from household names to quietly influential firms — have signed the pledge (each company’s one-year deadline starts when they sign), and Cable says many of them are clearly taking it seriously. He cited Microsoft’s expansion of multi-factor authentication, Google’s improvements to secure code development and Fortinet’s new requirement that customers receive automatic security updates.
But accountability remains an open question for the voluntary pledge. Cable said CISA plans to partner with a civil-society organization that can “offer an independent view as to the progress that is being made or lack thereof.” The agency is also working on a website that will link to companies’ progress reports — and implicitly call out companies that aren’t making headway.
CISA is already considering how to expand the pledge in its second year, Cable said. Officials plan to require participating companies to eliminate some of the software security “bad practices” detailed in a new government publication.
The pledge’s six-month mark provides a milestone for assessing progress, but Cable emphasized that CISA views the pledge through a long-term lens.
“We know that companies aren’t going to transform everything they do overnight,” he said. “But where we have seen value with the pledge is, it's enabling companies to make incremental security improvements at a greater speed than they've been able to do before.”
In the interview late last month, Cable discussed CISA’s workshops with participating companies, how the agency is tracking progress internally and why officials won’t delist delinquent signatories.
The conversation below has been edited for length and clarity.
Recorded Future News: How many of the pledge’s signatories have demonstrated that they’ve met all the goals at this point?
Jack Cable: The companies are committing to, within a year of signing the pledge, demonstrating to the public how they've made measurable progress in line with the seven pledged goals. So there are the 68 companies who signed on May 8, and then for the remaining [companies], it's based on a year from when they sign the pledge.
We are beginning to see a number of companies put out reports.
We've been regularly convening the companies who signed the pledge. We have a monthly technical exchange series that we hold. It's [conducted under] Chatham House [anonymity rules]. We have usually two or so companies come and present each week around the progress that they've made, and [we] have usually around 150 or so people come to those, and we've heard that they find that to be quite valuable. So we are convening companies to make sure that they can learn from each other.
We are also seeing what public reports companies put out. And for some of the items where there is more rigorously available data, we are also working on internally keeping track to see where progress is being made or where we might be able to help companies do better.
RFN: Have you heard from companies that the monthly technical exchange sessions are actually helping them make progress?
JC: Certainly. We have been fortunate to have a number of positive presentations where companies aren't just saying the standard talking points, but actually getting into the substance. We call it a technical exchange because the goal is really for the subject-matter experts at these companies to be able to be candid and learn from each other.
The first [meeting] was in July. We've held three. The next one is coming up soon. [Editor’s note: It occurred on Oct. 23.]
Each of these, we center around a specific goal of the pledge. So for instance, we have focused around CVEs and the vulnerability disclosure process, and that's one area where we are seeing positive evolutions in terms of norms.
One emerging area is around the standard of having CVEs not just for products that actually require customers to go and patch, but looking into software-as-a-service or cloud products. And that's something where we are seeing companies going above and beyond what's in the pledge. The pledge sets a bar around committing to disclose CVEs for vulnerabilities that require action by customers to patch or that have seen exploitation in the wild, but we've seen a number of companies — including Microsoft, for instance — who've committed to going beyond that and filing CVEs for all vulnerabilities in their cloud products.
RFN: What broad lessons have you learned from managing the pledge?
JC: One of the areas is recognizing [that] the scope of the pledge is enterprise software broadly, [but] that can be broken down into so many different types of software. We have more traditional on-premises products. We have software-as-a-service companies who've taken it. We have the largest cloud service providers in the world who've taken the pledge. [It’s] a very diverse range of companies, so of course, there's going to be a range of different approaches, and some of the items, for instance, might be easier if you're a software-as-a-service provider. For some of the items, it might involve a little more nuance, like some of what I was discussing with CVEs.
RFN: What feedback have you received on the pledge goals from participating companies? Have you heard that anything is too ambitious? Not ambitious enough?
JC: We knew that we could only succeed if this was something that both we ourselves thought was appropriately ambitious, but then also [something that] companies felt comfortable committing to. We landed in a good spot.
There are areas where we've evolved our thinking. So for instance, [with] the CVE goal, we continue to believe that by far the highest-priority area, in addition to filing CVEs, is to include the Common Weakness Enumeration — CWE — field when disclosing vulnerabilities, to really further enable understanding of the root cause of those vulnerabilities. But then we've been engaged through the CVE coordinating mechanisms to understand how we can work with the program to evolve in [certain] areas. For instance, [we] recognize there's some room to improve around best practices standards for software identification. We're continually engaging with companies to understand where the biggest areas for impact are.
RFN: Regarding your plan to have a civil-society organization report on progress, how much is that in order to have some distance between CISA and a potentially critical view of the pledge, and how much of it is, CISA doesn't have the resources to do these kinds of assessments, and a third-party organization might have more resources to do them?
JC: It's more the former.
We are working towards internally tracking data around various actions that can be measured, like around CVEs or vulnerability disclosure policies. But the reason we want an independent view is [that] we don't necessarily want CISA to be both the convener and the arbiter of what meets the bar towards the pledge. We've established the pledge in a way that all the criteria are out there. But then also, everything that companies are doing, per their commitment, should be publicly reported. So that's where we want a civil-society organization to step in and help offer an independent view.
RFN: Is CISA prepared, resource-wise, to assess at least the public evidence of these companies’ progress on the goals? Or will you basically just ask companies whether they've done these things?
JC: It's dependent on the goal. Some of them can be more measurable. For instance, the goal around CVEs, where we both want companies to be consistent in filing CVEs, but then we also want them to consistently include certain fields, like the CWE. That is something that we are working towards measuring and understanding how progress is being made over time.
There are other items where there isn't necessarily a single data source we can go to to get that complete view, whether that's [if] a company's reducing entire classes of vulnerabilities or [the] presence of default passwords. [For] those, we are really looking to the public documentation that companies have committed to.
RFN: Some of these companies might view signing the pledge as a marketing exercise and not really commit to it. Have you been thinking about how to hold signatories accountable if they fail to demonstrate meaningful progress on any of the goals? Would you remove a company from the list if they’re not really participating in the spirit of the pledge?
JC: We won't necessarily be taking companies off the pledge, because I do think it is important to be able to understand and see whether or not companies have followed through on their commitments.
While, of course, we hope that all companies who've signed the pledge will, within a year of signing it, report on their progress and have made actual measurable progress, of course, we know that [it] is possible that some will not. And in that case, we want it to be possible for both their customers and the public to understand and to be able to assess the progress that these companies are making.
We are working on establishing a web page that will link out to the progress reports from companies who've signed the pledge. And if a company [signs the] pledge and, a year later, hasn't put anything out, then that will be evident by the lack of updates that they've published.
RFN: Can you say more about how you’re going to track the pledge’s effectiveness internally?
JC: We are both collecting data for those elements that are publicly observable [like CVEs and vulnerability disclosure policies], and we are also actively soliciting companies who have taken the pledge to share their public blog posts [and] other reports with us.
At some point, we do intend to put out public reports ourselves around progress being made that will include both the data-driven elements for those goals I mentioned — for CVEs and vulnerability disclosure policies — as well as aggregating learnings from the public reports that companies have put out.
RFN: Are you seeing a level of progress right now, halfway through that initial year, that makes you confident that, at the one-year mark, we will see, at least with those initial 68 signatories, progress that reflects a serious approach to the pledge?
JC: There have been maybe 15 or so reports that are concrete and do show measurable progress. Each of those has demonstrated concrete, measurable progress, and I've been quite pleasantly surprised to see the level of depth that they go into, whether that's specific statistics of, ‘We see X percent of people adopting these automatic updates,’ or, ‘We see X percent of users having multi-factor authentication enabled on our platforms.’
For the companies who’ve put out reports to date, [we] have certainly been satisfied with the level of progress. I think it has exceeded expectations.
Eric Geller is a freelance cybersecurity journalist covering all things digital security. He previously reported on cybersecurity for The Daily Dot, Politico, and The Messenger.