United States federal agencies, in partnership with the law enforcement bodies of a number of allied nations, are making the first real push to establish security-by-design principles for manufacturers of software and internet-connected devices. While at this point these are only recommendations, it is the first time that the government has issued guidance of this nature.
Security-by-design guidance calls for “out of the box” controls, greatly improved transparency
The current approach to software security is to put most of the responsibility on the end user. The security-by-design guidance shows that governments are increasingly expecting manufacturers and developers to have their products reasonably locked down when they ship, and to be configured for updates that allow new vulnerabilities to be addressed.
What might this look like? At the very beginning of the design process, the guidance calls for developers to use the most secure programming languages possible. The agencies also want to see vastly improved transparency, via everything from shipping a software bill of materials to starting up vulnerability disclosure programs. Code would also be subject to more industry-standard testing before it ships, and periodic reviews afterward.
For end users, the sorts of problems that plague smart devices or budget software would ideally go away. That could mean a guaranteed ability for all products to patch and update during a reasonable period of manufacturer support, as is currently standard for phones, and mandatory password (or multi-factor) protection.
These are all things that consumers want, but hesitancy to implement them voluntarily is almost always tied to cost. Robust security means more development time and more extended support of the product, which means the price tag will almost certainly go up.
International push for better standards, but no regulations as of yet
The security-by-design guidance originates from CISA, the FBI and the NSA, and is supported by about half a dozen US allies around the world. It is unclear to what degree there will be voluntary adoption of these guidelines, but authorities see it as a “conversation starter” that could move to regulation at some point in the future.
Two of the co-signers of the guidance are Germany and the Netherlands, and the conversation about regulation is already underway in the EU with the proposed Cyber Resilience Act, aimed at making smart devices more secure. The fortunes of this bill are still in doubt, however, as open source software organizations are coming together to oppose it on the basis of a “chilling effect” on development. The language of the bill exempts “non-commercial” software from regulation, but critics object to vague wording that could be used to sweep up nearly anything in the market that could be tied to a donation of some sort. The bill also seeks to impose these standards on Linux, but with no clear plan as of yet for naming the parties that are responsible for maintaining the open source code and answerable for security failures.