
CISA director: US is 'not afraid' to shout about Big Tech's security failings

Jen Easterly hopes CSRB's Microsoft report won't impede future private sector collaboration


CISA director Jen Easterly says the US Cybersecurity Safety Review Board (CSRB) "is not afraid to say when something is amiss" in response to questions about the future of private sector collaboration following the board's scathing report on Microsoft.

Asked whether she believed companies would still cooperate with the CSRB if it wanted to probe a serious security mishap, in light of the criticism that faced Microsoft, Easterly said: "I would hope so."

Back in March, the CSRB published a lengthy report after it worked with Microsoft to understand how a break-in at Exchange Online, which led to the compromise of senior US officials' email accounts at the hands of a Chinese state-sponsored group, came to pass.

The 34-page report illustrated various security failings at Microsoft that allowed the attack to occur, including an inadequate security culture and failure to publicly 'fess up to the core issue at the heart of the exfiltration for months.

One of the main lines commentators took from it was that, ultimately, the major attack on Microsoft's hosted email services happened due to a "cascade of Microsoft's avoidable errors."

It was so damning that it raised the question of whether other companies at fault for such significant infosec blunders would, going forward, offer the CSRB the same level of cooperation that Microsoft did.

The CSRB was established in 2022 following a Biden administration Executive Order in 2021 (EO14028) and serves multiple purposes. But, crucially in relation to this question, it has no legal authority to compel companies to work with it on reports like the one focused on Exchange Online.

Microsoft didn't have to cooperate as fully as it did, but did so voluntarily across a series of written and oral submissions, for which it received acknowledgment and gratitude from the CSRB, echoed by Easterly again this week.

"To Microsoft's credit, they were very transparent," she said in a conversation with Ciaran Martin, professor of practice in the management of public organizations at the University of Oxford, at the inaugural Oxford Cyber Forum last week.

"They sat there as partners, walked through the incident and what happened, and were extremely forward-leaning."

However, the CSRB doesn't yet have the congressional authority and subpoena power it has been pushing for, and the type of power the wider industry believes it should have. As such, future probes into whatever major gaffe may warrant this kind of attention would rely on the collaboration of the organization in question.

It's easy to see why companies may be reluctant to cooperate, given that the CSRB's report into Microsoft is still so often cited in all manner of security discussions today, months after it was published.

Microsoft was described by Easterly as "the most important company out there" from a critical infrastructure perspective. Any robust report on such an organization will always be damaging to a degree, but Microsoft is big enough to absorb it; if the board were to probe a company less crucial to modern society, the reputational fallout might do far more lasting damage to its prospects.

Satya Nadella, Microsoft CEO, was also commended by Easterly for his reaction to the report and all the measures he implemented across the company that honored the CSRB's primary recommendations.

"I was really pleased with the CEO's reaction," she said. "He talked about security as a priority. If you have a choice between security and something else, do security. We are focusing on security over features, we are going to link security to compensation and hiring.

"I think, as jaw-dropping as the initial report was, I think that that reaction was surprising to many. And of course, the proof will be in the pudding but I think it really has catalyzed a major shift."

Secure by Design pledge plugged

While the CSRB continues to push for the congressional authority it wants, Easterly pointed to CISA's Secure by Design pledge, launched earlier this year so that organizations can formally commit to the secure-by-design principles the industry has espoused for years.

She said there are now more than 150 signatories to the pledge, a big rise from the initial 68 when we last looked at it. If major vendors actually built their products in line with secure-by-design principles, the number of vulnerabilities capable of causing major security events would plummet. Vendors would then have little reason to fear CSRB probes, because their products would be secure from the outset, or at least as secure as they should be.

Pointing to Verizon's most recent Data Breach Investigations Report, Easterly said: "There's a line in there that basically said we are at the point where we cannot patch fast enough to prevent cyberattacks. So the only way to deal with this problem is to demand more from our vendors." ®
