Inside AI Policy


CISA chief Easterly calls software vulnerabilities a ‘product defect,’ urges liability regime

By Charlie Mitchell / August 8, 2024

LAS VEGAS. Cybersecurity and Infrastructure Security Agency Director Jen Easterly foot-stomped her critique of “defective” software products as the root cause of the nation’s cybersecurity problem and said CISA’s secure-by-design initiative is generating voluntary commitments from software vendors and stirring a secure-by-demand movement among industry, government and individual consumers.

Easterly said Congress should establish a “liability regime” for software makers with a legal safe harbor for those that adhere to secure-by-design standards, while saying “leaders at all levels should demand more from their technology vendors.”

Software security is a top priority under the Biden administration’s national cyber strategy and is viewed as essential to producing safe and secure artificial intelligence.

“We don’t have a cybersecurity problem, we have a software quality problem,” she declared in an Aug. 8 speech on the final day of Black Hat 2024. Easterly opened the cyber mega-conference with a keynote on Wednesday and she will speak Friday at the related Def Con conference here.

“We don’t need more security products,” Easterly told the Black Hat audience. “We need more secure products.”

Backed by a boisterous audio-visual display, Easterly told “the story of cybersecurity, brought to you by the letter ‘V,’” for villains, victims -- who she said are often unfairly blamed -- and “the vendors.”

“The cybersecurity industry was created to solve a problem created by another set of vendors, the technology companies and software makers,” she said. “For decades tech vendors have been allowed to create insecure software.”

“It’s a myth,” she declared, “that software vulnerability is an inevitability. … It’s the same classes of defects we’ve known about for decades and known how to fix for years.”

Cyber adversaries are exploiting “the same old vulnerabilities” and “we wouldn’t accept such a defect in any other product,” she said.

“We really should call it a product defect,” she said, because “‘vulnerability’ disperses responsibility.”

Easterly said “other industries are obsessed with driving down risk but somehow this doesn’t apply to software. We’ve fallen prey to the myth of techno-exceptionalism.”

But she said secure-by-design is gaining momentum. The cyber agency this week released a secure-by-demand guide for consumers and on Aug. 1 released software acquisition guidance for government.

CISA last year launched its secure-by-design initiative.

Easterly said 20 international partners have signed onto the initiative, and 200 vendors have signed the agency’s secure-by-design pledge.