The Register: Extracting vendor promises won’t fix cybersecurity. Extracting teeth might

Source URL: https://www.theregister.com/2024/09/30/security_opinion/
Source: The Register
Title: Extracting vendor promises won’t fix cybersecurity. Extracting teeth might

Feedly Summary: One branch of tech has learned to work together to solve the near-impossible. Now it’s our turn
Opinion: To say cybersecurity is mostly very good is like saying Boeing’s Starliner parts mostly work – true, but you’re still going to be sleeping in the office. Moreover, it’s questionable whether either are getting any better.…

Summary: The text critiques the current state of cybersecurity, highlighting the persistent flaws in software security and vendor accountability. It emphasizes the need for stricter standards, industry collaboration, and a paradigm shift in how cybersecurity is approached, likening it to the rigorous processes in the semiconductor industry.

Detailed Description:
The author, drawing insights from Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), argues that the state of cybersecurity is far from satisfactory, especially in software security. Key takeaways include:

- **Current Landscape**: The analogy of Boeing’s Starliner implies that while things aren’t catastrophic, they certainly aren’t improving significantly. The quality of software security is highlighted as particularly lacking.
- **Industry Accountability**: There is a call for software vendors to be held to account for their pledges to improve security, suggesting that consequences should be enforced if they fail to deliver. This would require companies to make purchasing decisions contingent on software vendors meeting certain security standards.
- **Cultural Issues**: The text mentions a tendency among IT departments to accept vendor promises as a means of deferring responsibility, highlighting a culture within the industry that allows for failure without accountability.
- **Need for Standards**: Greater investment in research and development is urgently needed to address fundamental flaws in software security. The author advocates for realistic standards and contractual liability for software vendors, suggesting that this could be a meaningful impetus for change.
- **Collaboration and Data Sharing**: The piece emphasizes the necessity of cross-industry collaboration in cybersecurity efforts, drawing parallels to the semiconductor industry’s stringent validation processes. Here, successful cooperation among competing entities is portrayed as essential in creating robust cybersecurity measures.
- **Perception of Risk**: A significant point made is that the cybersecurity landscape does not appear “scary” enough to compel significant changes in responses and practices, even in the face of frequent cyberattacks and data breaches.
- **Vision for the Future**: The author envisions an industry where cybersecurity is as prioritized as semiconductor manufacturing quality, advocating for continual innovation, collaboration, and an honest approach to addressing cybersecurity challenges.

In summary, the text serves as a critical commentary on the stagnant state of software security and an urgent plea for transformative change through accountability, cooperation, and a reassessment of risk perception within the industry.