The US Government says companies should take more responsibility for cyberattacks. We agree.

Posted by Kent Walker, President, Global Affairs & Chief Legal Officer, Google & Alphabet, and Royal Hansen, Vice President of Engineering for Privacy, Safety, and Security

Should companies be responsible for cyberattacks? The U.S. government thinks so, and frankly, we agree.

Jen Easterly and Eric Goldstein of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security planted a flag in the sand:


“The incentives for developing and selling technology have eclipsed customer safety in importance. […] Americans…have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”

We think they’re right. It’s time for companies to step up on their own and work with governments to help fix a flawed ecosystem. Just look at the growing threat of ransomware, where bad actors lock up organizations’ systems and demand payment or ransom to restore access. Ransomware affects every industry, in every corner of the globe, and it thrives on pre-existing vulnerabilities: insecure software, indefensible architectures, and inadequate security investment.

Remember that sophisticated ransomware operators have bosses and budgets too. They increase their return on investment by exploiting outdated and insecure technology systems that are too hard to defend. Alarmingly, the most significant source of compromise is the exploitation of known vulnerabilities, holes sometimes left unpatched for years. While law enforcement works to bring ransomware operators to justice, this merely treats the symptoms of the problem.


Treating the root causes will require addressing the underlying sources of digital vulnerabilities. As Easterly and Goldstein rightly point out, “secure by default” and “secure by design” should be table stakes.

The bottom line: People deserve products that are secure by default and systems that are built to withstand the growing onslaught from attackers. Safety should be fundamental: built-in, enabled out of the box, and not added on as an afterthought. In other words, we need secure products, not security products. That’s why Google has worked to build security in, often making it invisible to our users. Many of our most significant security features, including innovations like SafeBrowsing, do their best work behind the scenes for our core consumer products.

An unfortunate belief has taken hold that security features are cumbersome and hurt user experience. That can be true, but it doesn’t need to be. We can make the safe path the easiest, most helpful path for people using our products. Our approach to multi-factor authentication, one of the most important controls to defend against phishing attacks, provides a great example. Since 2021, we’ve turned on 2-Step Verification (2SV) by default for hundreds of millions of people to add an additional layer of security across their online accounts. If we had simply announced 2SV as an available option for people to enroll in, it would have failed like so many other security add-ons. Instead, we pioneered an approach using in-app notifications that was so seamless and integrated that many of the millions of people we auto-enrolled never noticed they had adopted 2SV. We’ve taken this approach even further by building the “second factor” right into phones, giving people the strongest form of account security as soon as they have their device.

As for secure by design: We all have to shift our focus from reactive incident response to upstream software development. That will demand a completely new approach to how companies build products and services. We’ve learned a lot in the past decade about reengineering security architectures, and we actively apply those learnings to keep people safe online every day. Ensuring technology is secure by design should be like balancing budgets, a part of business as usual. However, it isn’t easy to cut and paste solutions here: developers need to think deeply about the threats their products will face, and design them from the ground up to withstand those attacks. And the same principles hold for securing the development process as for users: the secure engineering choice must also be the easiest and most helpful one.

Building security into every stage of the software development process takes work, but recent innovations, like our SLSA framework for secure software supply chains and new general purpose memory-safe languages, are making it easier. Perhaps most significantly, adopting modern cloud architectures makes it easier to define and enforce secure software development policies.


Persistent collaboration between private and public sector partners is essential. No company can solve the cybersecurity challenge on its own. It’s a collective action problem that demands a collective solution, including international coordination and collaboration. Many public and private initiatives (threat sharing, incident response, law enforcement cooperation) are valuable, but address only symptoms, not root causes. We can do better than just holding attackers to account after the fact.

As Easterly and Goldstein write, “Americans need a new model, one they can trust to ensure the safety and integrity of the technology that they use every hour of every day.” Again, we agree, but in this case we’d take it a step further. Building this model and ensuring it can scale calls for close cooperation between tech companies, standards bodies, and government agencies. But since technologies and companies cross borders, we also need to take a global view: Cybersecurity is a team sport, and international coordination is essential to avoid conflicting requirements that unintentionally make it harder to secure software. Broad regulatory cooperation on cybersecurity will promote secure-by-default principles for everyone. This approach holds enormous promise, and not just for technologically advanced nations. Raising the security benchmark for basic consumer and enterprise technologies that all nations rely on offers far more bang for the buck. A far wider range of countries and companies can take these simple steps than can employ advanced cyber initiatives like detailed threat sharing and close operational collaboration. Given the interdependent nature of the ecosystem, we are only as strong as our weakest link. That means raising cyber standards globally will improve American resilience as well.

Of course, raising the security baseline won’t stop all bad actors, and software will likely always have flaws, but we can start by covering the basics, fixing the most egregious security risks, and coming up with new approaches that eliminate entire classes of threats. Google has made investments in the past two decades, but contributing resources is just a piece of the puzzle. It’s work for all of us, but it’s the responsible thing to do: The safety and security of our increasingly digitized world depends on it.
