House Hearing Tackles CISA’s Secure-by-Design Initiative to Improve Cybersecurity

December 12, 2024

Matt Bracken, reporting in Cyberscoop, writes that a December 5th House of Representatives hearing featured private-sector tech leaders who discussed the secure-by-design initiative adopted by the Cybersecurity and Infrastructure Security Agency (CISA).

Secure-by-design was praised as a positive step toward better cybersecurity, but the witnesses identified critical challenges, including inadequate incentives for broader industry adoption and gaps in developer training.

Secure-by-design is a voluntary program aimed at enhancing cybersecurity by embedding security principles directly into software development. Launched nearly two years ago, it now includes over 250 company participants.

However, the initiative primarily focuses on IT systems, leaving operational technology manufacturers less engaged. Its ambitious goals, such as eliminating the memory safety vulnerabilities that account for 70% of critical infrastructure risk, are proving difficult to reach, even for major companies.

According to testimony at the hearing, poorly trained developers and reliance on offshore and third-party software remain significant barriers to progress. Experts called for incentivizing secure development practices and addressing workforce training gaps.

Memory safety vulnerabilities were cited as a critical issue requiring solutions like adopting memory-safe languages. Additionally, small municipalities face difficulties implementing secure-by-design practices due to a lack of resources.

Witnesses also expressed concerns about the potential risks of machine-generated code, emphasizing the importance of human oversight in secure software development.

Information technology professionals must keep abreast of evolving secure-by-design principles to mitigate liability risks, and operational technology device manufacturers will likely face increasing pressure to integrate secure-by-design into their products.

Lawyers should monitor legislative developments that could provide financial incentives and new compliance mandates. Businesses should track regulatory changes as CISA’s priorities evolve.
