With nation-state threats in mind, nearly 70 software firms agree to Secure by Design pledge

SAN FRANCISCO — The nation’s top cybersecurity agency said 68 of the world’s leading software manufacturers have signed on to a voluntary pledge to design products that have security built in from the beginning. 

The Cybersecurity and Infrastructure Security Agency (CISA) announced the first round of commitments at the RSA Conference on Wednesday, with Director Jen Easterly warning that it was necessary because of widespread hacking campaigns by nation-states like China. 

In a speech at the conference, Easterly said the government and private sector had a duty to the American public to better secure the tools that underpin society, warning that hacking campaigns like China’s Volt Typhoon are a threat that goes beyond simply data theft.

“These threats are about disruption and destruction of the critical infrastructure and services that Americans rely upon every hour of every day. And we know that adversaries like Volt Typhoon are getting into our critical infrastructure in ways where the friction is just not there. They are able to get into our critical infrastructure because of flaws and defects in our technology,” Easterly said.

“But we have the power to change this. We can together achieve long term security through fundamentally more secure software.”

The pledge says that within one year, all of the companies involved will: 

• Increase the use of multi-factor authentication across products.
• Reduce the use of default passwords in products.
• Reduce the prevalence of entire classes of vulnerabilities.
• Make efforts to increase the installation of patches by customers.
• Publish a vulnerability disclosure policy.
• Be more transparent and timely about common vulnerabilities and exposures (CVEs).
• Increase the ability of customers to “gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

The signees include Microsoft, Google, Amazon Web Services, Cisco, GitHub, IBM, HP, Okta, Ivanti, Netgear and more. 

Easterly said the voluntary pledge was one of her biggest priorities because she believed it is the “only way to catalyze more secure critical infrastructure” and the only way to “make ransomware a shocking anomaly.” 

The technology that people rely on has to be “built, tested, designed, deployed and delivered to be secure by design,” she said. 

“By signing this pledge, you all commit to realizing this as well,” she added. “Security must be prioritized over all else, over cool features and speed to market.”

She called on more software manufacturers to take the pledge and make sure their products are “secure right out of the box.”

Software manufacturers have discretion about how they plan to address each point, according to CISA, but the progress needs to be demonstrated in public. 

The Secure by Design initiative was launched in 2023 as part of the National Cybersecurity Strategy, which highlighted the need for manufacturers to bear more of the burden of cybersecurity as opposed to customers who have to purchase additional security tools.

CISA Senior Technical Advisor Jack Cable, who spoke at the event, added that the seven tasks outlined in the pledge represented “some of the most pervasive cybersecurity threats we at CISA see today.”

“Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security,” he told the crowd. 

We're live at #RSAC for the Secure By Design Pledge launch event. Learn more at https://t.co/l7DFUak9bt. #SecureByDesign https://t.co/tJQXFaS7d1

— Cybersecurity and Infrastructure Security Agency (@CISAgov) May 8, 2024

Read More: Live updates from the 2024 RSA Conference