The Biden administration is asking the world’s largest technology companies to publicly commit to tightening the digital security of their software and cloud services.
The voluntary pledge, first reported by WIRED, represents the latest effort by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to build support for its Secure by Design initiative, which encourages tech vendors to prioritize cybersecurity while developing and configuring their products.
By signing the pledge, companies promise to make a “good-faith effort” to implement seven critical cybersecurity improvements, ranging from soliciting reports of vulnerabilities in their products to expanding the use of multi-factor authentication, a technology that adds an extra login step to the traditional password.
The pledge—which CISA plans to announce at the RSA cybersecurity conference in San Francisco next week—poses a major test for CISA, which last week marked the one-year anniversary of its Secure by Design campaign. The initiative is a top priority of CISA’s leadership, but it has produced mixed results, with some companies continuing to flout its urgent advice. The tech industry’s reaction to the pledge—and especially the number of software giants that sign it—will serve as a litmus test for how the private sector views CISA’s continuing push for increased corporate investment in cybersecurity.
“We're really excited about the companies that are on board,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, tells WIRED. He declined to say how many vendors have already signed the pledge, but he says they include some “really significant” players in the tech industry.
WIRED asked more than three dozen of the biggest software companies whether they had signed or planned to sign the pledge. Only a handful responded. Login technology provider Okta said it had signed, while security vendor BlackBerry said it was considering doing so. Notably, software giants Amazon, Google, and Microsoft did not say whether they were signing.
“CISA says they have 50 companies that are signing and giving quotations to put on the website,” says a tech industry official familiar with the matter, who requested anonymity to speak candidly. “I don’t know any company that has signed.”
The seven goals laid out in the pledge represent security practices that experts say would dramatically improve companies’ cyberdefenses and make it easier for customers to safely use their products.
The goals include significantly increasing users’ use of multi-factor authentication, including by automatically enabling it or prodding users to activate it; eliminating default passwords, including by requiring users to choose strong passwords at product setup; and making it easier for customers to understand hacks of products they use, including by letting them review logs of suspicious network activity for free.
Companies signing the pledge would also commit to hardening their products against entire classes of vulnerabilities, such as by using memory-safe programming languages that completely block memory-based attacks; fostering better software patching, including by making patching easier and automating it when possible; creating vulnerability disclosure programs that encourage users to find and report product flaws; and publishing timely alerts about major new vulnerabilities, as well as including detailed information in all new vulnerability alerts.
The pledge offers examples of how companies can meet the goals, although it notes that companies “have the discretion to decide how best” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “so that others can learn.”
CISA developed the pledge in consultation with tech companies, seeking to understand what would be feasible for them while also meeting the agency’s goals, according to Goldstein. That meant making sure the commitments were feasible for companies of all sizes, not just Silicon Valley giants.
The agency originally tried using its Joint Cyber Defense Collaborative to prod companies into signing the pledge, according to the tech industry official, but that backfired when companies questioned the use of an operational cyberdefense collaboration group for “a policy and legal issue,” the industry official says.
“Industry expressed frustration about trying to use the JCDC to obtain pledges,” the official says, and CISA “wisely pulled back on that effort.”
CISA then held discussions with companies through the Information Technology Sector Coordinating Council and tweaked the pledge based on their feedback. Originally, the pledge contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” for showing progress, according to the industry official. In the end, this person says, CISA removed several goals and “broadened the language” about measuring progress.
John Miller, senior vice president of policy, trust, data, and technology at the Information Technology Industry Council, a major industry trade group, says that change was smart, because concrete progress metrics—like the number of users using multi-factor authentication—could be “easily misconstrued.”
Goldstein says the number of pledge signatories is “exceeding my expectations about where we’d be” at this point. The industry official says they’re not aware of any company that has definitively refused to sign the pledge, in part because vendors want to “keep open the option of signing on” after CISA’s launch event at RSA. “Everyone’s in a kind of wait-and-see mode.”
Legal liability is a top concern for potential signatory companies. “If there ends up being, inevitably, some type of security incident,” Miller says, “anything [a] company has said publicly could be used in lawsuits.”
That said, Miller predicts that some global companies facing strict new European security requirements will sign the US pledge to “get that credit” for something they already have to do.
CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber responsibility follows years of disruptive supply-chain attacks on critical software makers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, as well as a mounting list of widespread software vulnerabilities that have powered ransomware attacks on schools, hospitals, and other essential services. White House officials say the pattern of costly and often preventable breaches demonstrates the need for increased corporate accountability.
The Biden administration is using the federal government’s contracting power to set new minimum security standards for the software that agencies buy, with the goal of modeling responsible behavior for the entire industry. White House officials are also studying proposals to make all vendors, not just federal contractors, liable for security failures, but that effort faces an uphill battle in Congress.
With no authority to require better cybersecurity for the entire software industry, the White House has tasked CISA with prodding companies to commit to voluntary improvements. That effort began last April with the publication of specific recommendations for incorporating cybersecurity into the product design, development, and configuration process. CISA consulted with the tech industry and the security research community on refinements to that document and released an updated version last October. At around the same time, CISA announced that it had obtained Secure by Design commitments from six major K-12 educational technology vendors. That move, while limited to one industry, signaled CISA’s clear desire to convert its guidance into public corporate pledges.
“It has long been our goal … to move from just the white papers and the guidance to get companies to say, ‘Yes, we agree, and here’s what we're doing,’” Goldstein says. “The pledge really is that concrete manifestation of the guidance that we’ve been developing for a year.”
But the efficacy of the voluntary pledge remains to be seen. “Pledging companies will self-assess and self-report,” says Katie Moussouris, CEO and founder of Luta Security, “so only time will tell if they’ve effectively applied the measures and if the pledge proved to be an effective accountability mechanism.”
Miller says he expects the pledge to keep companies accountable because of the potential legal consequences of neglecting promised improvements. In the meantime, government officials are counting on customers to pressure vendors to both sign and abide by the pledge.
“Right now, we see the demand for safe and secure products to really be significant,” Goldstein says. “We think that … customer demand will drive that progress for us.”