CISA boss: Secure code is the 'only way to make ransomware a shocking anomaly'

And it would seriously inconvenience the Chinese and Russians, too

RSAC There's a way to vastly reduce the scale and scope of ransomware attacks plaguing critical infrastructure, according to CISA director Jen Easterly: Make software secure by design.

"It is the only way we can make ransomware and cyberattacks a shocking anomaly," Easterly said during an RSA Conference keynote panel this week in San Francisco. "And that is to make sure the technology is much more secure."

The CISA boss has been beating this drum throughout her tenure at America's lead government cybersecurity agency, after she took over from the inaugural CISA chief Chris Krebs – who joined Easterly on stage during the aptly titled session, World on Fire, which was moderated by Washington Post super-journo Joseph Menn.

As the two CISA bods noted, it does seem as though the digital world is on fire these days, with the "scourge of ransomware we've been dealing with," Easterly said.

A week ago, UnitedHealth CEO Andrew Witty confirmed to US senators that his corporation paid $22 million to the extortionists responsible for the Change Healthcare IT breach in February. 

And this week, timed to coincide with the RSA Conference, one suspects, the Feds charged and sanctioned suspected LockBit kingpin Dmitry Yuryevich Khoroshev, whose ransomware affiliates targeted more than 100 hospitals and healthcare companies, it's alleged.

In addition to ransomware criminals extorting organizations to the tune of billions, there are also government-backed groups like China's Volt Typhoon. This particular crew, Easterly said - echoing her January testimony before Congress - is "burrowing into our critical infrastructure, not for espionage, not for intellectual property, but specifically for disruptive and destructive attacks in the event of a major conflict in the Taiwan Straits."

Plus, there's the ongoing problem of Chinese and Russian cyberspies breaking into Microsoft's cloud, including email accounts belonging to US government officials.

"How do we make up for decades and decades of no technology minimum standards for cybersecurity? Well, it has to be a recognition across the entire ecosystem, that we need to do this together for the collective defense of the nation," Easterly said.

The federal government can use its technology procurement power to encourage providers to sell more secure software, she added. "And frankly, it's a lever that anybody who buys technology should use. Demand that what we get from technology manufacturers is as safe and secure as possible."

On Wednesday at the conference, some 60-plus tech companies will sign a pledge to develop more secure technology, according to Easterly. The signatories are expected to include Microsoft, Google, AWS, IBM, Palo Alto Networks, and Cisco.

"There's an awakening … this is really going to start driving customers away, because they don't have confidence in our products," Krebs said, speaking from the point of view of a vendor.

In addition to CISA's voluntary efforts, such as the secure software pledge, there are four more levers that can be used to make technology products more secure, Krebs added. 

One is litigation, he said, noting the SEC lawsuit against SolarWinds and its CISO Tim Brown over the 2020 digital intrusion.

"You also have regulatory action," Krebs said, adding that this is challenging because watchdogs created and empowered before the modern internet existed are now being asked to scrutinize today's cybersecurity practices. This is why we see things like the EPA establishing a Water Sector Cybersecurity Task Force to push for "immediate" fixes in critical infrastructure. Regulators will struggle to take yesteryear's rules and apply them in this digital age without some form of change or evolution.

"And then ultimately, that last piece is legislative action," Krebs said. "That's where, I think, the spigot's smaller."

There's the upcoming cyber attack reporting rules for critical infrastructure operators, required under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). 

"But beyond that, I just don't see a lot of additional authorities in part because there aren't a lot of legislative days in this session," Krebs said, referring to the US election year, and adding that European Union regulations like the AI Act and Cyber Resilience Act may have a "cascading effect" on improving tech security in America. ®
