U.S., international security agencies publish new guidance for secure shipping by software manufacturers

In a collaborative effort, several United States security agencies joined with related authorities in Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand last week to launch guidance for technology providers meant to increase security by design and default.

In “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default,” the agencies concluded that manufacturers need to overhaul their design and development programs to permit only secure-by-design and -default products for shipment to customers. It was a first-of-its-kind push, providing specific technical recommendations and core principles for software manufacturers to build software security into their design processes.

“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), which helped author the report, said. “These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”

In the United States, CISA’s contributions were joined by the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA). They, along with their international partner agencies, made it clear that while many private sector entities have worked to advance security, there still needs to be an international conversation and concerted effort to emphasize unified priorities, investments, and decisions.

“Insecure technology products can pose risks to individual users and our national security,” Rob Joyce, NSA cybersecurity director, said. “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see. The international coalition partnering on this report speaks to the importance of this issue.”

Specifically, these government entities called for private organizations to take ownership of the security outcomes of their products and to shift the burden of implementing the best protections against malicious cyber actors off their customers. They also called for radical transparency and accountability, such as ensuring accurate vulnerability advisories and Common Vulnerabilities and Exposures (CVE) records. This, they added, could also benefit from a proper organizational structure where software manufacturers prioritize security.

“Cyber security cannot be an afterthought,” said Abigail Bradshaw, head of the Australian Cyber Security Centre. “Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry, and the public is vital to putting cyber security at the centre of the technology design process.”

It should be noted, however, that this guidance was just that: a set of recommendations. They were not binding rules to which the private sector is presently subject.

Chris Galford
