Subcommittee Chairman Garbarino: CISA’s Secure-by-Design Initiative Must “Continue to Have Industry Buy-In”

December 5, 2024

WASHINGTON, D.C. — Today, House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) delivered the following opening statement in a hearing to examine how the Cybersecurity and Infrastructure Security Agency’s (CISA) “Secure-By-Design” initiative has influenced the cybersecurity posture of businesses that have adopted its principles.

Watch Chairman Garbarino’s opening statement. 

As prepared for delivery:

As cyber threats grow more advanced by the day, enhancing our cybersecurity posture has become one of the defining challenges of our time. This is due in part to how we have traditionally treated cybersecurity: as an add-on, rather than essential.

We have relied upon patches and software updates to fix vulnerabilities once they are discovered. Now that malicious actors can exploit weaknesses faster than we can address them, our reactive approach will not suffice.

To address this issue, CISA launched the “Secure by Design” initiative in April 2023—an effort that encourages companies to prioritize cybersecurity at the outset of product development.

As part of this initiative, CISA created a pledge that captures the seven key pillars of what it means to be “Secure by Design.” These encompass actions from improving software security to increasing transparency about incidents.

Since the pledge was released in May, over 250 companies have signed on, underscoring widespread industry support and commitment to raising the bar for basic cybersecurity practices.

Today’s hearing provides a valuable opportunity to dive deeper into the Secure by Design framework. In particular, we’ll consider how Secure by Design has benefitted individual companies while enhancing cybersecurity across sectors and our nation.

From my perspective, Secure by Design is a proactive commitment to making cybersecurity part of a company’s core mission. It represents a shift toward viewing security and innovation as complementary, not competing, priorities. As consumers, we must not only want, but also expect, that products we purchase are secure out of the box.

To that end, we must remember that this initiative has worked because it has been voluntary. To continue to incentivize security as a standard practice rather than a costly add-on, it must continue to have industry buy-in.

Companies have implemented Secure by Design principles at a speed and scale that suits their business model. Likewise, CISA has fulfilled its role as a trusted partner by offering implementation guidance and facilitating critical conversations with pledge signatories. I look forward to discussing the pledge’s successes, challenges, and potential for the future.

We risk losing this collaboration if companies are forced to adopt requirements which they cannot meet—especially since many are already burdened with duplicative cyber regulations.

I want to thank our witnesses for their time and expertise. Your insights are critical as we work to strengthen partnerships between government, industry, insurers, and other stakeholders in the cybersecurity ecosystem.

I hope this discussion about the Secure by Design initiative will provide a clearer picture of what’s working, where gaps remain, and how we can continue building the partnerships and policies necessary to enhance our nation’s cybersecurity posture. 

###