CISA head criticises tech vendors for insecure software, calls for greater accountability

Despite a multi-billion-dollar cybersecurity industry, Easterly lamented the persistent multi-trillion-dollar software quality problem that continues to fuel cybercrime.

Jen Easterly, head of the US Cybersecurity and Infrastructure Security Agency (CISA), has asserted that the real villains in cybercrime are software suppliers who deliver faulty and insecure code. At Mandiant’s mWise conference, she emphasised that technology vendors create problems in their products, ultimately making it easier for cybercriminals to attack their targets.

Easterly also argued that the term ‘software vulnerabilities’ minimises the issue, advocating for the more direct term ‘product defects’ instead. Rather than blaming victims for not patching software quickly enough, she urged the industry to question why software requires so many urgent updates in the first place, emphasising the need for greater accountability from tech vendors.

Despite a multi-billion-dollar cybersecurity industry, Easterly lamented the ongoing multi-trillion-dollar software quality issue that fuels cybercrime. She compared critical infrastructure's reliance on such software to purchasing a car or boarding a plane without any safety guarantees.

Easterly has consistently pushed for better software quality since taking charge of CISA, stressing that secure code is essential to reducing ransomware and cyberattacks. While acknowledging that perfect code is difficult to achieve, she expressed frustration with the current defect rates and the lack of accountability among developers. At the recent RSA Conference, nearly 70 major companies, including AWS, Microsoft, and Google, signed CISA’s Secure by Design pledge to improve software security practices. This number has now increased to almost 200 vendors, but Easterly noted that adherence to the pledge is still voluntary.

To encourage change, she urged technology buyers to leverage their procurement power by inquiring if software suppliers have signed the pledge and are genuinely committed to building secure products. CISA has released guidance for organisations on assessing software manufacturers’ security priorities during purchasing.