Cybersecurity Industry Stakeholders Testify on CISA “Secure-By-Design” Initiative’s Effectiveness, Challenges
December 9, 2024
WASHINGTON, D.C. — Last week, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, led by Chairman Andrew Garbarino (R-NY), held a hearing with private sector witnesses to examine how the Cybersecurity and Infrastructure Security Agency’s (CISA) “Secure-By-Design” initiative has influenced the cybersecurity posture of businesses that have adopted its principles.
Witness testimony was provided by Heather Adkins, vice president of security engineering at Google; Jim Richberg, head of cyber policy and global field chief information security officer at Fortinet; Shane Fry, chief technology officer at RunSafe Security; and Srinivas Mukkamala, member of the board of regents for New Mexico Tech and board member for El Paso Electric.
In the hearing, Members learned about “Secure-By-Design” initiative implementation challenges, the need for industry buy-in for effectively implementing the pledge, and the gap in the initiative’s cybersecurity guidance for operational technology (OT).
Chairman Garbarino asked Richberg if CISA’s “Secure-By-Design” guidance can be implemented in environments other than information technology (IT):
“Does the IT guidance work for OT? If it doesn’t, why? What might be some foundational elements of OT guidance that should be included?”
Richberg answered:
“It doesn’t work for OT. They share some complexities in terms of the way you think about security, but it is a much different timeline. You’ve got the handful of companies that make the core chips for ICS [Industrial control systems] and SCADA [Supervisory Control and Data Acquisition]; you’ve got the larger number of companies that actually make the operational technology for specific industries. What you use for making cars is different than power plants. And then you’ve got the companies that buy it and customize it. They don’t run it off the shelf—it’s a different ecosystem. We turn over IT in three- and four-year cycles. OT lasts for 30 years. So how do we implement ‘Secure-By-Design’ in something they may not want to buy for 15 years?”
Representative Mike Ezell (R-MS) emphasized the importance of voluntary collaboration with the private sector on the initiative, and asked witnesses what challenges they have faced in implementation:
“The ‘Secure-By-Design’ pledge is a good step towards incentivizing businesses to create more secure products. I want to be clear that while I support efforts such as these, I’m always concerned by efforts to codify or mandate these requirements for businesses. Mandates are often duplicative, costly, and burdensome in time and resources. We have seen over 250 companies, including our industry representative witnesses here today, already signed this pledge [and] have been strengthening their cybersecurity…I’d like to discuss a little bit more which of the seven pillars has been the hardest to adopt and why.”
Adkins answered:
“There is complexity in all seven, but I would probably rank ‘classes of vulnerabilities’ as one of the most difficult. The reason being is that to really fix this problem in its kind of purest form, you have to change the way developers work. And in the workforce, at a company, you have some control over that, but we rely on third-party software, we rely on open-source software, where we don’t have any control over how that software is developed, as well. So, the kind of full list of materials that go into the software is hard. We’ve had to spend a lot of time really innovating in that space to make sure that the way we write code is safe.”
Representative Laurel Lee (R-FL) raised concerns about how government at the local, state, and federal levels can integrate new technologies securely:
“Prior to coming to Congress, I was responsible for running a state agency, and one of the greatest challenges that we had was doing exactly what you described: identify[ing] what are the things that we have, what exists. Then, how do we deal with all of these legacy systems and their vulnerabilities, and do that in the construct of procurements and the appropriation process. Government in particular is so poorly suited to be nimble and be efficient and forward-thinking when it comes to integrating new technology and identifying and guarding against those vulnerabilities.”
In a final statement, Mukkamala emphasized the need to bolster the cybersecurity workforce, a shortage that is addressed by Chairman Mark E. Green’s (R-TN) “Cyber PIVOTT Act”:
“The ask for the new Congress is to continue to support [secure-by-design]. And we have to focus on the fundamentals. What that means is reskilling [and] upskilling our existing workforce. ‘Secure-By-Design’ talks about companies focusing on the technical aspects, but nowhere in this pledge [did] the people who have signed it say…‘We’re going to address a fundamental workforce problem.’ I think that absolutely needs to be brought back into first principle on upskilling and reskilling a workforce.”
###