CISA boss: Secure code is the 'only way to make ransomware a shocking anomaly'

And it would seriously inconvenience the Chinese and Russians, too


RSAC There's a way to vastly reduce the scale and scope of ransomware attacks plaguing critical infrastructure, according to CISA director Jen Easterly: Make software secure by design.

"It is the only way we can make ransomware and cyberattacks a shocking anomaly," Easterly said during an RSA Conference keynote panel this week in San Francisco. "And that is to make sure the technology is much more secure."


The CISA boss has been beating this drum throughout her tenure at America's lead government cybersecurity agency, after she took over from the inaugural CISA chief Chris Krebs – who joined Easterly on stage during the aptly titled session, World on Fire, which was moderated by Washington Post super-journo Joseph Menn.

As the two CISA bods noted, it does seem as though the digital world is on fire these days, with the "scourge of ransomware we've been dealing with," Easterly said.

A week ago, UnitedHealth CEO Andrew Witty confirmed to US senators that his corporation paid $22 million to the extortionists responsible for the Change Healthcare IT breach in February. 

And this week, timed to coincide with the RSA Conference one suspects, the Feds charged and sanctioned suspected LockBit kingpin Dmitry Yuryevich Khoroshev, whose ransomware affiliates targeted more than 100 hospitals and healthcare companies, it's alleged.

In addition to ransomware criminals extorting organizations to the tune of billions, there are also government-backed groups like China's Volt Typhoon. This particular crew, Easterly said - echoing her January testimony before Congress - is "burrowing into our critical infrastructure, not for espionage, not for intellectual property, but specifically for disruptive and destructive attacks in the event of a major conflict in the Taiwan Straits."

Plus, there's the ongoing problem of Chinese and Russian cyberspies breaking into Microsoft's cloud, including email accounts belonging to US government officials.

"How do we make up for decades and decades of no technology minimum standards for cybersecurity? Well, it has to be a recognition across the entire ecosystem, that we need to do this together for the collective defense of the nation," Easterly said.

The federal government can use its technology procurement power to encourage providers to sell more secure software, she added. "And frankly, it's a lever that anybody who buys technology should use. Demand that what we get from technology manufacturers is as safe and secure as possible."

On Wednesday at the conference, some 60-plus tech companies will sign a pledge to develop more secure technology, according to Easterly. The signatories are expected to include Microsoft, Google, AWS, IBM, Palo Alto Networks, and Cisco.

"There's an awakening … this is really going to start driving customers away, because they don't have confidence in our products," Krebs said, speaking from the point of view of a vendor.

In addition to CISA's voluntary efforts, such as the secure software pledge, there are four more levers that can be used to make technology products more secure, Krebs added. 

One is litigation, he said, noting the SEC lawsuit against SolarWinds and its CISO Tim Brown over the 2020 digital intrusion.

"You also have regulatory action," Krebs said, adding that this is complicated by the fact that the watchdogs now expected to scrutinize today's cybersecurity practices were created and empowered before the modern internet existed. This is why we see things like the EPA establishing a Water Sector Cybersecurity Task Force to push for "immediate" fixes in critical infrastructure. Regulators will struggle to take yesteryear's rules and apply them in this digital age without some form of change or evolution.

"And then ultimately, that last piece is legislative action," Krebs said. "That's where, I think, the spigot's smaller."

There's the upcoming cyber attack reporting rules for critical infrastructure operators, required under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). 

"But beyond that, I just don't see a lot of additional authorities in part because there aren't a lot of legislative days in this session," Krebs said, referring to the US election year, and adding that European Union regulations like the AI Act and Cyber Resilience Act may have a "cascading effect" on improving tech security in America. ®
