The agency has promised to measure the success of efforts to steer major software providers toward the inclusion of logging and other basic security features in their products “by default,” but has said little about how it actually intends to do that.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly has renewed a call for companies like Microsoft to stop marketing basic security features as add-ons to their core products.
“We have to have [multi factor authentication] by default. We can't charge extra for security logging and [single sign-on],” Easterly said. We need to ensure that we're coming together to really protect the technology ecosystem instead of putting the burden on those least able to defend themselves.”
In a conversation with Center for Strategic and International Studies’ Suzanne Spaulding Tuesday, the CISA director was discussing a need to realign market incentives for such companies in order to protect U.S. critical infrastructure from cyberattacks.
“If software and products are coming off the line rife with vulnerabilities, we will never solve this problem,” Easterly said, while acknowledging a dynamic Spaulding articulated where companies race through development at the expense of security, because the consequences don’t outweigh the benefit of being first to market their products.
The logging issue, specifically, emerged as a point of conflict between Microsoft and federal officials following the SolarWinds breach, when CISA ordered agencies to track the adversary within their networks but realized some might not have that ability, due to inadequate license levels for cloud-based Office 365 services.
In April 2021, following a tense exchange between Microsoft President Brad Smith and Rep. Jim Langevin, D-R.I., during a congressional hearing on the issue, Microsoft said it would give agencies the logging abilities at no cost for one year.
Last month, CISA released a document saying it would, “advance the cyberspace ecosystem to drive security-by-default.” The “strategic plan” did not elaborate on what that effort would look like, but the Biden administration has focused on using federal procurement as a lever for incentivizing changes across the public and private sectors.