How to Incentivize Security by Design

Governments around the world are now consistently advocating secure by design principles, particularly for those digital products and services used by thousands of organizations.

The principle is that software manufacturers and system operators ought to take much of the security burden away from the end user, for example by ensuring there are no known vulnerabilities present in what they ship.

The push for this approach has come from the likes of the US Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design initiative and the UK government-backed Digital Security by Design (DSbD) program.

Despite this, software and technology products used by millions of organizations appear more vulnerable than ever to attack.

This has been demonstrated by the mass exploitation of network edge devices in the past 18 months, impacting vast numbers of end users. Frequently these exploits involve vulnerabilities that are known and avoidable.

During the recent CYBERUK conference, UK National Cyber Security Centre (NCSC) CTO, Ollie Whitehouse, said that the issue is not a technical one, but rather a market incentive one.

“The ecosystem has the expertise, it has the skills, but the market does not currently support and reward those companies that make that investment and build secure products,” he commented.

Whitehouse added: “That means that the risks of that are borne disproportionately not by the people making the technology, but by their customers, by society and by governments as a whole.”

A panel of experts at CYBERUK highlighted five ways the technology marketplace can be influenced to incentivize security by design among technology vendors and operators.

Penalties for Avoidable Vulnerabilities

One approach to encourage security by design is through regulatory channels. In this scenario, tech providers could face regulatory action and government penalties for “unforgivable” vulnerabilities.

Ben Aung, global CISO at Sage Group, gave the example of SQL injection as a vulnerability class that could potentially be considered unforgivable, and subject to penalties.

“You should not be releasing software that has a transactional value that has basic, discoverable, and fixable vulnerabilities in it,” he commented.

However, some of the CYBERUK panel disagreed with the idea of government penalties for security failings in technology products. Stuart McKenzie, Managing Director of Mandiant, said such an approach would risk leading to “security by lawyers.”

“If you’re getting things really badly wrong, the market will penalize you because people will stop buying your products,” he added.

There is legislation in place in some jurisdictions which gives regulators the power to penalize manufacturers for certain security failings in their products.

This includes the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, under which smart device manufacturers can be fined for built-in issues such as shipping products with default, easy-to-guess passwords.

Government Guidance and Standards

Whether through regulatory action or guidance, governments have an important role in providing recommended security practices to firms.

Bridget Walsh, Associate Head of the Canadian Centre for Cybersecurity, noted that governments often have a unique insight into evolving attack pathways as cyber-attack victims share information with government agencies, either through voluntary cooperation or due to regulatory requirements.

“Governments can take that information and put together a strong understanding of where those root causes, making sure that advice and guidance are set to match,” she commented.

Government guidance – even though not compulsory – can also be a key driver for security teams gaining boardroom buy-in and investment for building security into products by design.

McKenzie noted that guidance from bodies like NCSC can be used to help influence boardroom investment decisions in cybersecurity.

This guidance should provide clear, actionable steps on what is expected for different organizations.

An example of this is the UK government’s recently published Software Security Code of Practice, which sets out essential steps every organization developing or selling software should be taking to secure their products.

The experts emphasized that government guidance should be used for all organizations in the technology ecosystem, not just operators and manufacturers.

This should seek to ensure security is being considered in purchasing decisions across the supply chain.

Creating Consumer Pressure Through Transparency

Increasing the transparency of providers’ cybersecurity investments is another way governments can create incentives for security by design practices.

Such initiatives should provide an easy way for consumers to assess the security of technology suppliers when making purchasing decisions.

In 2024, CISA launched the Secure by Design pledge, encouraging software manufacturers to commit to making progress across a range of secure by design principles.

Then-CISA director Jen Easterly urged company leaders to ask whether their software suppliers have signed the pledge.

In the UK, the government launched two new cybersecurity assessment schemes, one of which will see a network of assured facilities developed to independently audit the cybersecurity of technology vendors’ products.

Such transparency can help end users distinguish between suppliers who are committed to secure practices and those who are not, helping drive incentives for cybersecurity by design.

Industry-Led Supply Chain Controls

In addition to government initiatives, private industries can demand specific cybersecurity controls across their supply chains.

During CYBERUK, Emma Smith, CISO at Vodafone, highlighted the defense industrial base in the US as a good role model for establishing strong requirements for suppliers, in collaboration with government.

“They’ve funneled down the controls into about 10 key areas that they expect all suppliers of the defense industrial base to meet. If you’re a supplier to the defense industrial base, you know exactly which security controls matter to the whole of the industry,” she noted.

Smith acknowledged that a similar joined-up approach is currently missing in many other key sectors.

“When I compare it with the telecommunications sector, we haven’t aligned on the supplier security controls that we expect,” she commented.

Role of Cyber Insurance

The growing take-up of cyber insurance policies should also gradually create incentives for stronger security practices across all organizations.

This revolves around the security controls that insurance policies typically require from their clients, such as multi-factor authentication (MFA) and vulnerability management.

“By default, they’re driving a baseline of security for organizations that think cyber insurance is important, which is most organizations these days,” explained Smith.

Insurers could go further in driving secure practices, by publicly disclosing insights into the most common security risks through their extensive analyses.

Walsh commented: “There’s a really important role for the industry to play in informing where that investment can be made.”

Conclusion

Security by design has become a critical strategy for governments around the world. While the concept is clear, the next stage is implementation. That means ensuring technology providers are incentivized to prioritize strong cybersecurity controls in the products and services they are offering.

With the current technology marketplace failing to properly reward such practices, governments have an important role to play in influencing the direction of travel, in collaboration with industry.

This can come in a variety of forms, from holding firms who have avoidable failings accountable, to providing mechanisms to make providers’ cybersecurity practices transparent.

It’s time to move security by design forward, from theory to practice.