Biden Administration Asks Hackers to Help It Improve Tech Companies' Cybersecurity - The Messenger

An unusual gathering showed how the government is seeking help with sharpening its recommendations for the tech industry


LAS VEGAS — Biden administration officials sat down with cybersecurity professionals and independent hackers on Saturday to discuss how the government should hold tech companies accountable for the security of their products.

The unusual gathering at the DEF CON security conference — in which anyone with a conference badge could line up for the chance to suggest edits to a government document — underscored the administration’s eagerness to enlist the hacker community’s help in developing guidelines for how tech products are designed, built and offered to customers.

At the heart of the discussion was a draft document produced by the Cybersecurity and Infrastructure Security Agency (CISA) offering specific recommendations for how vendors can embrace the agency’s mantra of “secure by design” (meaning built to withstand cyberattacks) and “secure by default” (meaning offered with security features enabled from the start, rather than offered as an optional add-on). CISA released initial guidance in April and revised it in June, but it soon began hearing requests for more specificity in its suggestions.

The DEF CON session was billed as a “red-pen workshop.” A table with space for approximately 30 people was stocked with copies of the draft document and red pens for marking up its contents. (Because the document is a work in progress, participants were not allowed to take it with them or describe its contents.) The drab conference room hosting the session was far too small to fit the dozens of people who’d lined up hoping to secure spots inside.

The gathering was held under the Chatham House rule, meaning that The Messenger was not allowed to attribute specific quotes to their speakers. But the government speakers included CISA Director Jen Easterly, three of her senior advisers and two senior officials from the White House’s Office of the National Cyber Director.

Photo: The doors to the Summit Ballroom at Caesars Forum in Las Vegas, Nevada, during the DEF CON convention on August 12, 2023. “NOT-A-SCIF” is a humorous reference to Sensitive Compartmented Information Facilities used by government officials to discuss classified information. (Eric Geller/The Messenger)

After officials delivered opening remarks, they took questions from attendees, and then participants had roughly 90 minutes of unstructured time to mark up the document.

Several major themes emerged from the question-and-answer session. Among them was a recognition that there is too little data guiding government and corporate efforts to shore up cybersecurity.

“We are an industry that is unburdened by facts and statistics on how things break,” one person said dryly. “We need to figure out how to adopt some of the rigor that we see in other industries.”

The culture at many technology vendors arose as another issue. Companies are often afraid to sunset old and insecure but popular features. Sometimes, making any change at all — even a critically needed security improvement — is viewed as too risky, lest it break something important.

“There’s a cultural mental shift that needs to happen,” one participant argued. “How can we mindfully take actions that, yes, are going to break things, but we’ll be able to build back better, as it were?”

Attendees peppered the government speakers with questions and suggestions. They asked how agencies were ensuring that their own employees followed best practices when they wrote open-source code. They urged officials to help schools integrate cybersecurity into computer science curricula, lest young people continue emerging from coding classes with no understanding of the importance of software security. And they asked whether the government was studying ways to enforce companies’ compliance with security guidance.

Officials have previously said that they are studying various approaches for encouraging or mandating vendors’ compliance, including holding companies accountable for breaches resulting from vulnerabilities that they should have known to fix.

The questions highlighted the scope of the challenge facing the Biden administration as it confronts a vast technology ecosystem rife with insecure products and software programs.

One person asked whether the government was considering direct investments in security research. “This ecosystem really needs direct investment of cash,” the person said, “in order to solve these fundamental problems that no one seems to own and that everyone seems to suffer by.”
