Tech manufacturers are leaving the door open for Chinese hacking, Easterly warns

The head of the Cybersecurity and Infrastructure Security Agency warned Monday of potentially dire consequences if technology manufacturers fail to bolster the security of their products, in a blistering speech about the dangers posed in cyberspace by China.

Technology providers have “normalized the deviant behavior of operating at the bleeding edge of the accident boundary,” CISA Director Jen Easterly said in a speech at Carnegie Mellon University. The industry’s culture of rushing products to market is dangerous to consumers and to the country, she said.

“As we’ve integrated technology into nearly every facet of our lives, we’ve unwittingly come to accept as normal that such technology is dangerous-by-design,” Easterly said, touching on points she made in a recent op-ed.

Her comments also echo those made by several government officials in recent years. Easterly criticized manufacturers for bringing products to market with “dozens, hundreds, or thousands of defects” that “would be unacceptable in any other critical field.” 

Monday’s speech comes as the Biden administration prepares to unveil a National Cybersecurity Strategy, which will lay out initiatives for improving cybersecurity protections across the country, with a particular emphasis expected on critical infrastructure. Officials have also said the plan will tackle private sector collaboration with the government, and Slate has reported there will be provisions supporting more offensive cyber action from U.S. agencies.

A bigger threat than spy balloons

Easterly added that she wished the cyberattacks launched by China were given the same sort of response and attention as the recent incursion of a spy balloon in U.S. airspace.

“China’s massive and sophisticated hacking program is larger than that of every other major nation — combined. This is hacking on an enormous scale, but unlike the spy balloon, which was identified and dealt with, these threats more often than not go unidentified and undeterred,” she said. 

The U.S. faces cyber intrusions by the Chinese government “every day,” she warned, but these attacks are rarely covered by news outlets despite the harm they cause. The attacks not only involve the theft of intellectual property and personal information but also allow military hackers to establish a foothold in critical infrastructure that could enable the future disruption of physical infrastructure like power, water, transportation, communications, healthcare and more. 

The CISA director went on to explain that the “cyber intrusions are a symptom, rather than a cause, of the vulnerability we face as a nation.” 

“The cause, simply put, is unsafe technology products,” she said. “And because the damage caused by these unsafe products is distributed and spread over time, the impact is much more difficult to measure.”

Taking ownership

According to Easterly, the burden of cybersecurity has been placed on consumers, small organizations, IT teams, chief information security officers (CISOs) and others who can do little against seasoned cybercriminals and nation-states. 

She noted that the reason the U.S. now has a multibillion-dollar cybersecurity industry is because companies have not been incentivized to embed their products with cybersecurity features from the beginning of their design. 

She compared the situation to the automobile industry, noting that the introduction of safety features like seatbelts, airbags and antilock brakes were developed in response to consumer and government demand. 

Easterly explained that CISA is attempting to create a set of core principles for technology manufacturers that include taking ownership of customer security outcomes, embracing transparency, and building products with cybersecurity in mind from the beginning. 

Sellers of software need to “include in their basic pricing the types of features that secure a user’s identity, gather and log evidence of potential intrusions, and control access to sensitive information, rather than as an added, more expensive option,” she said. 

It was unclear how these rules would be enforced, but Easterly told the audience that regulation would be used alongside the purchasing power of the U.S. government. The Biden administration has put in place rules for federal contractors about the cybersecurity provisions of the products they use. 

Easterly called for legislation that would prevent technology manufacturers from removing all liability for vulnerabilities from contracts — the kind of user terms of service that most customers simply click past without reading. 

In a follow-up press briefing, Easterly said some of these provisions would be in the long-awaited National Cybersecurity Strategy.

The speech included several calls for developers to use more-secure coding languages, like Rust, Go, Python and Java, instead of languages like C and C++ that allow for several classes of vulnerabilities to be introduced. Easterly similarly urged universities like Carnegie Mellon, with its renowned computer science programs, to integrate those more-secure languages into the classroom.

She touted several companies and organizations that have actively sought to embed security within their products, including Google, DropBox, Mozilla, Apple and the nonprofit Internet Security Research Group. 

Nightmare scenarios

Easterly warned of a future where a world power has learned from Russia’s cyberwarfare missteps in Ukraine and has coupled physical attacks with cyberattacks that could cause gas pipeline explosions, mass pollution of water sources, the takeover of telecommunication services and the crippling of U.S. transportation systems. 

All of those nightmare scenarios would be “designed to incite chaos and panic across our country and deter our ability to marshal military might and citizen will,” she said. 

“Imagine a world where none of the things we talked about today come to pass, where the burden of security continues to be placed on consumers, where technology manufacturers continue to create unsafe products or upsell security as a costly add-on feature, where universities continue to teach unsafe coding practices, where the services we rely on every day remain vulnerable,” she told the audience.

“This is a world that our adversaries are watching carefully and hoping never changes.”

In the question-and-answer session following the speech, she specifically brought up the situation faced by Taiwan, which Chinese President Xi Jinping has said he wants unified with China by 2027.  

China may attempt to affect the “unity that’s been forged between Taiwan and the U.S. by creating things like panic and chaos.” 

She referenced the attack on Colonial Pipeline as an example of a cyberattack that could cause outrage and concern among Americans, shaking their resolve in helping Taiwan face a potential invasion. 

“I think that [the Chinese] will be less restrained because they're already costing in attacks against our critical infrastructure that will help them by affecting the will of the American people to support military maneuvers,” she said. 

“We need to bake in safety and security into all of our critical infrastructure and that technology base and we need to start that today.”