Biden Administration Asks Hackers to Help It Improve Tech Companies’ Cybersecurity
An unusual gathering showed how the government is seeking help with sharpening its recommendations for the tech industry
LAS VEGAS — Biden administration officials sat down with cybersecurity professionals and independent hackers on Saturday to discuss how the government should hold tech companies accountable for the security of their products.
The unusual gathering at the DEF CON security conference — in which anyone with a conference badge could line up for the chance to suggest edits to a government document — underscored the administration’s eagerness to enlist the hacker community’s help in developing guidelines for how tech products are designed, built and offered to customers.
At the heart of the discussion was a draft document produced by the Cybersecurity and Infrastructure Security Agency (CISA) offering specific recommendations for how vendors can embrace the agency’s mantra of “secure by design” (meaning built to withstand cyberattacks) and “secure by default” (meaning offered with security features enabled from the start, rather than offered as an optional add-on). CISA released initial guidance in April and revised it in June, but it soon began hearing requests for more specificity in its suggestions.
The DEF CON session was billed as a “red-pen workshop.” A table with space for approximately 30 people was stocked with copies of the draft document and red pens for marking up its contents. (Because the document is a work in progress, participants were not allowed to take it with them or describe its contents.) The drab conference room hosting the session was far too small to fit the dozens of people who’d lined up hoping to secure spots inside.
The gathering was held under the Chatham House rule, meaning that The Messenger was not allowed to attribute specific quotes to their speakers. But the government speakers included CISA Director Jen Easterly, three of her senior advisers and two senior officials from the White House’s Office of the National Cyber Director.
After officials delivered opening remarks, they took questions from attendees, and then participants had roughly 90 minutes of unstructured time to mark up the document.
Several major themes emerged from the question-and-answer session. Among them was a recognition that there is too little data guiding government and corporate efforts to shore up cybersecurity.
“We are an industry that is unburdened by facts and statistics on how things break,” one person said dryly. “We need to figure out how to adopt some of the rigor that we see in other industries.”
The culture at many technology vendors arose as another issue. Companies are often afraid to sunset old and insecure but popular features. Sometimes, making any change at all — even a critically needed security improvement — is viewed as too risky, lest it break something important.
“There’s a cultural mental shift that needs to happen,” one participant argued. “How can we mindfully take actions that, yes, are going to break things, but we’ll be able to build back better, as it were?”
Attendees peppered the government speakers with questions and suggestions. They asked how agencies were ensuring that their own employees followed best practices when they wrote open-source code. They urged officials to help schools integrate cybersecurity into computer science curricula, lest young people continue emerging from coding classes with no understanding of the importance of software security. And they asked whether the government was studying ways to enforce companies’ compliance with security guidance.
Officials have previously said that they are studying various approaches for encouraging or mandating vendors’ compliance, including holding companies accountable for breaches resulting from vulnerabilities that they should have known to fix.
The questions highlighted the scope of the challenge facing the Biden administration as it confronts a vast technology ecosystem rife with insecure products and software programs.
One person asked whether the government was considering direct investments in security research. “This ecosystem really needs direct investment of cash,” the person said, “in order to solve these fundamental problems that no one seems to own and that everyone seems to suffer by.”