Is CISA's Secure by Design Pledge Toothless?

At 2024's RSA Conference this week, brand names like Microsoft, Amazon Web Service (AWS), International Business Machines (IBM), Fortinet, and more agreed to take steps toward meeting a set of seven objectives defined by the US's premier cyber authority.

The agreement is voluntary, not legally binding, anodyne, and can be flexibly applied to all or just one of a company's products or services. Still, signees say, it may help move the needle to incentivize good security practices and investments across industries.

"I think that this represents the zeitgeist," says Grant Geyer, CPO of Claroty, one of the signatories. "It's a recognition that as more of us agree that we're going to operate at a certain standard, that makes it more comfortable and open for others to do the same."

No Teeth, No Problem

CISA's Secure by Design pledge consists of areas of improvement split into seven primary categories: multi-factor authentication (MFA), default passwords, reducing entire classes of vulnerability, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions.

The pledge contains nothing revolutionary and has no teeth whatsoever. But for those involved, that's all beside the point.

"While they may not have direct authority, I think that there is indirect authority by starting to define what the expectation is," says Chris Henderson, senior director of threat operations at Huntress, another signee.

For example, he says, "In the private space there are companies effectively war profiteering off of the security tooling within their products. You see a lot of companies adding security features behind paywalls because it's viewed as an easy way to increase revenue. In reality, a lot of these features don't actually cost any extra money to deliver," Henderson adds.

He thinks the pledge could be a new approach toward pushing public-private partnerships without new regulations.

"I think the Secure By Design pledge is a really interesting approach through private and government partnership to try to drive not regulation, but change what the expectation is for 'reasonable.'" Henderson says. "If you're a product that offers multi-factor authentication (MFA) or single sign-on (SSO), but it's behind a paywall, and one of your clients gets breached because they weren't paying for that, well, now are you negligent?"

Like Henderson, Jonathan Trull, CISO of Qualys (also a signatory), envisions the pledge's effects as primarily economic in nature. "In the commercial sector you've got two (incentive) mechanisms. You've got compliance, where it's binding and SEC-enforceable for publicly traded companies," Trull explains. "And then you've got the more powerful (one), which is: Where will the dollars flow?"

His hope is that these basic security principles start to influence tech buyers, Trull adds.

"I'm hoping buyers stop and say: 'Hey, why didn't you sign up for this? Even if it's voluntary,'" he says.

Zooming Out Beyond Just Vulnerabilities

Regardless of how companies address it, for Claroty's Geyer, the pledge alone is important in how it reframes the conversation around some fundamental security issues.

For example, there's vulnerability management. Organizations know to patch individual bugs when they pop up but, as CISA notes in its report, "The vast majority of exploited vulnerabilities today are due to classes of vulnerabilities that can often be prevented at scale."

In a recent analysis of more than 20 million assets, Claroty's Team82 found that 22% and 23% of all industrial OT and connected medical devices (IoMT), respectively, possessed vulnerabilities with critically-ranked CVSS scores of 9.0 or higher. However, only 1.3% and 1.9% of industrial OT and IoMT devices were found to contain at least one known exploitable vulnerability and communicated directly with the Web instead of through a secure access solution.

"So if you take the traditional approach, you have to patch 23% of your assets," Geyer says. "Not only is that an enormous number, but what we found is that when you broaden out what a risk is —from just a vulnerability to things like default passwords, clear text, communications, the things that are covered in this pledge — you would only need to focus on 1.3% of your assets."

"If you did take the approach of catching all 23%, it turns out that you would miss 43% of the highest risks, like default credentials," Geyer adds. "So it's super important that CISA is taking a more expansive view of risk, rather than only focusing on vulnerabilities. That has been the traditional wisdom, and traditional wisdom is misguided, both in terms of effort and impact."