This year’s Global Cyber Summit at the International Cyber Expo boasted an impressive array of speakers from across the public and private sectors, curated by the team at SASIG. The overarching theme of this year’s Global Cyber Summit was ‘resilience’. One notable talk that called for greater industry resilience was Digital Secure By Design on day two.
The session, chaired by Ciaran Martin CB, Oxford University Professor and Former CEO of the National Cyber Security Centre (NCSC), explored the Security by Design initiative, which is supported by the UK government and seeks to transform digital technology and create a more resilient and secure foundation for future tech.
The discussion centred around the question: How do we design a more robust ecosystem that is not susceptible to the vagaries of patching and zero-day vulnerabilities? With speed to market a priority for most organisations, and a lack of regulation to control the security of this process, software and hardware are often sent to market as insecure. Security by design should be the base standard for software and hardware development.
Speakers on the panel included Agata Samojlowicz, Deputy Challenge Director at DsBD, Michelle Kradolfer, National SBD Manager, Police CPI, and Jake Verma, CTO of Quantaco.
Why is the Secure by Design initiative important? According to Kradolfer, it’s important that “ecosystems of devices” (across home and work) are secure for people, organisations and countries. This must be done in collaboration with manufacturers too. Samojlowicz noted: “computers are currently insecure by design”.
The strong case for building securely by design is hard to ignore. Standards are becoming increasingly more important in all sectors, so why not standardise and regulate the building of software and hardware? The industry surely has a responsibility to protect consumers. Kradolfer notes that there are already “too many insecure devices out there”.
The panellists did think that IoT security is making progress though. Earlier this year, the UK became the first country to legally mandate cybersecurity standards for IoT devices. Under the Product Security and Telecommunications Infrastructure (PSTI) mandate, manufacturers will be legally required to build security protections into any product with internet connectivity. Part of this means banning default passwords, as well as requiring manufacturers to publish vulnerability disclosure policies for reporting security flaws, provide mechanisms for securely updating software, and state minimum periods for providing security updates.
The panel discussed why organisations want security by design to be taken seriously. For many organisations providing services, cost is a key factor, despite cybersecurity being everyone’s problem. The cost of regular patching is expensive, resource intensive and time consuming. There’s pressure and demand from end users on computer processing unit (CPU) architecture makers to build securely to reduce costs for end users. There’s also a desire for organisations to know that their entire supply chain is meeting specific requirements, reducing risk. The recent CrowdStrike incident is a good example of this.
The panel argued in favour of a regulation and a consolidated market, which would in turn boost innovation. Why? Because manufacturers can’t be compelled on an individual basis without regulation pressure and/or standards. It’s easier to cut corners – and cheaper. Without litigation, there’s no drive for change.
Another example of a good government-led secure by design initiative is CISA’s aptly named Secure by Design. According to their website, secure by design means:
“Products designed with Secure by Design principles prioritise the security of customers as a core business requirement, rather than merely treating it as a technical feature. During the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing them to the market for widespread use or consumption. Out-of-the-box, products should be secure with additional security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) available at no extra cost.”
However, the panel stressed that it’s necessary that the markers of what it means to be ‘secure’ are laid out clearly, leaving no room for interpretation. Organisations and manufacturers must understand at which point they can say a product is ‘secure by design’. It must also be laid out clearly where organisations should start. Physical security organisations are less good at this than cyber, despite physical security becoming more digitally connected. This mindset is hard to change.
Final takeaway? There are standards for everything (food, banking etc.), so why not the security of hardware and software? Secure by design seems like a natural place to start. Regulations that build confidence and are widely accepted will make devices more secure and strengthen the entire supply chain.