CISA Issues Request For Information on Secure by Design Software Whitepaper

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of its ongoing, collective secure by design campaign across the globe.

To better inform CISA’s Secure by Design campaign, CISA and its partners seek information on a wide range of topics, including the following:

- Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?
- Security is often relegated to be an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula; When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired?
- Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help?
- Operational technology (OT): What incentives would likely lead customers to increase their demand for security features; Which OT products or companies have implemented some of the core tenants of secure by design engineering?
- Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches?

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.

Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.

With its partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.

Most populous city in Philippines leads by example in inclusive DRR

Reducing disaster risk is seemingly never-ending in a country like the Philippines, which is exposed to a multitude of natural hazards.

Increasing urbanization also increases the risk of disasters in cities. New patterns of hazards, exposure and vulnerability are emerging. In this context, local authorities play a dual role. They are the first responders to disasters but are also instrumental in disaster risk reduction (DRR).

Persons with disabilities are often the most affected by natural hazards. Little progress has been made over the past decade in including them in DRR, according to a survey conducted by the United Nations Office for Disaster Risk Reduction (UNDRR) in 2023. Persons with disabilities often do not have access to information about disaster risk and are not included in decision-making related to DRR in communities, and few DRR plans consider the specific needs of persons with disabilities. This is the case in the Philippines as in most countries around the world.
A push in the right direction

The Midterm Review of the Sendai Framework for Disaster Risk Reduction 2015-2030, which concluded in 2023, emphasized that more needs to be done to engage the whole of society in DRR, especially the people and communities most at-risk, and that DRR at the local level is of great importance if we want to implement the Sendai Framework by 2030.

Despite the ambitious agenda to localize DRR and the progress that the Philippines has made in increasing capacities and resources and developing regulations at the smallest government units (barangay), its voluntary national report for the Sendai Framework Midterm Review highlights the need to further strengthen local DRR as a priority area.
A chain of learning

On 28 and 29 November 2023, UNDRR provided a training on urban resilience and disability inclusion in DRR in Quezon City, which is the most populous city in the Philippines and belongs to the Metro Manila region. Representatives from different city departments attended, alongside organizations of persons with disabilities.

A key element of the UNDRR-led initiative Making Cities Resilient 2030 (MCR2030) is connecting cities and facilitating peer learning on resilience. A representative from Baguio City in the northern Philippines co-facilitated the training in Quezon City and shared experiences from the inclusion of persons with disabilities in DRR in a context that is familiar to Quezon. In 2022, officials from Baguio City were trained by the MCR2030 Resilience Hub Makati City, which is also part of Metro Manila. Quezon City is thus the third city in this learning chain.
An assessment, an action plan, a platform and lots of commitment

During the training in Quezon City, participants learned how to use the Disaster Resilience Scorecard for Cities and its annex for the inclusion of persons with disabilities in DRR to evaluate disaster risk management practices.

Based on this assessment, they developed an initial action plan on the inclusion of persons with disabilities in institutional capacities, infrastructure resilience, and recovery, including “Building Back Better”.

The aim of the training was not only to increase knowledge about inclusive DRR and risk assessment capacities, but also to build a platform where local authorities and persons with disabilities come together to discuss DRR and where persons with disabilities are involved in risk assessments and decision-making on DRR.

For many representatives from organizations of persons with disabilities, this training was the first time they had been included in discussions about DRR. “We appreciate the opportunity to have a seat at the table and contribute to decisions that concern us”, one representative said.

Together, the city officials and the organizations of persons with disabilities committed to making DRR in Quezon City more inclusive and to transfer their knowledge and lessons learnt to other cities.
Support for local DRR from the national authorities

With the Department of the Interior and Local Governments (DILG) and the Office for Civil Defense (OCD), national authorities were also represented at the workshop.

An official from the OCD highlighted that the inclusion of persons with disabilities is an issue that needs to be further considered in policies and frameworks, at the local and national levels. “The training helped to understand that local planning needs to be more inclusive and also take into account the needs and perspectives of persons with disabilities to build resilience”, he said.

The engagement of national authorities in MCR2030 builds capacity for urban resilience also at the national level, helping to ensure that cities are more resilient to future disasters and the most at-risk are protected.

[Source: Making Cities Resilient 2030 (MCR2030) United Nations Office for Disaster Risk Reduction - Regional Office for Asia and Pacific]

SIRIUS 2023 report: Navigating the new era of obtaining electronic evidence

The latest SIRIUS publication outlines the experiences of EU authorities in retrieving electronic data held by foreign-based service providers, as well as their experiences in delivering data for the purpose of criminal investigations over the past year.

The report highlights a new frontier in electronic evidence

The EU Electronic Evidence legislative package, adopted in July 2023, marks a new era in obtaining electronic evidence, as it will enable competent authorities to issue legally binding orders directly to service providers offering services within the EU, regardless of their place of establishment. This move will help address issues regarding lengthy judicial procedures to obtain data across borders, as well as legal uncertainties surrounding practices of voluntary cooperation between competent authorities and service providers.

Furthermore, other new legal instruments, such as the Second Additional Protocol to the Budapest Convention on Cybercrime will introduce novel legal bases for direct cooperation between competent authorities and private entities. The EU Digital Services Act, which introduces standardised minimum requirements for orders to provide information under EU Member States’ national laws, also provides further tools and clarity for authorities in need of obtaining data across borders.

However, challenges persist. The report highlights the need for comprehensive preparation among all stakeholders. From law enforcement's perspective, social media platforms, messaging apps, and cryptocurrency exchanges are pivotal in investigations. While formal training on electronic evidence has been provided to officers, gaps in familiarity with the new legislation remain, emphasising the need for extensive training programs.

Judicial authorities face time-consuming hurdles when accessing data from foreign service providers, urging the need for enhanced legal powers and EU-wide legislative efforts to regulate data retention for the purposes of criminal investigations and proceedings. Service providers, on the other hand, grapple with authenticating requests and resource allocation, emphasising the benefits of centralisation of requests.

A strategic roadmap to navigate this new frontier in electronic evidence

Amidst the challenges posed by advancing technology and the expanding electronic landscape, the report provides recommendations for law enforcement and judicial authorities, as well as service providers, which serve as a strategic roadmap.

By strengthening capacity and mutual trust, law enforcement and judicial authorities can successfully navigate the complexities of electronic evidence. Collaborative efforts and shared solutions will pave the way for a more secure digital environment in the EU, as well as effective and efficient prosecutions. To prepare law enforcement and judicial authorities as well as service providers to successfully pioneer this new frontier of electronic evidence, it is imperative to raise awareness and provide training on those novel legal instruments so significant to this project.

CISA and ENISA Enhance Cooperation

The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness.

Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023.

ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those areas and activities that will have high and measurable added value in achieving the Agency’s strategic objectives. CISA is a key partner to ENISA in achieving these objectives and by extension the EU in achieving a higher common level of cybersecurity. The Working Arrangement is both a consolidation of present areas of cooperation, as well as opening the door to new ones. Current examples are the organisation and promotion of the International Cybersecurity Challenge (ICC), exchanging best practices in the area of incident reporting or ad hoc information exchanges on basic cyber threats.

High Representative of the European Union for Foreign Affairs and Security Policy / Vice-President of the European Commission, Josep Borrell said: “Cyber threats have no borders. This is why international cooperation with our partners is a must. The working arrangement between ENISA and CISA is an important deliverable from the EU-US Cyber Dialogue. It will enable us to effectively combat the escalating cybersecurity threats we confront. By fostering deeper cooperation, we can facilitate information sharing, develop collaborative strategies, and bolster our collective resilience against cyberattacks.”

European Commissioner for Industry, Defence and Technology, Thierry Breton said: “Today’s challenging geopolitical context also manifests in intensified threats facing us in the cyberspace. It is essential that the EU and the United States work hand in hand to advance a secure cyberspace, including through protecting critical infrastructures and improving the security of digital products.”

Signing partners:

CISA leads the United States’ effort to understand, manage, and reduce risk to cyber and physical infrastructure. “In today’s highly complex and borderless cyber threat landscape, collaboration remains key to everything we do,” said CISA Director Jen Easterly. “CISA’s Working Arrangement with ENISA signifies a new chapter in our collective resilience. Together we will enhance cybersecurity awareness, fortify capacity building initiatives, and foster a robust environment for knowledge sharing and best practice exchanges, ensuring a safer digital landscape for our citizens.”

European Union Agency for Cybersecurity (ENISA), Executive Director, Juhan Lepassaar, said: “This new Working Arrangement is an evolution and consolidation of the effective cooperation with our US counterpart. The structured collaboration will address some of our common challenges in the cyber threat landscape.”

This arrangement is broad in nature and covers both short-term structured cooperation actions, as well as paving the way for longer-term cooperation in cybersecurity policies and implementation approaches. Cooperation will be sought in the areas of:

- Cyber Awareness & Capacity Building to enhance cyber resilience: including facilitating the participation as third country representatives in specific EU-wide cybersecurity exercises or trainings and the sharing and promotion of cyber awareness tools and programmes.

- Best practice exchange in the implementation of cyber legislation; including on key cyber legislation implementation such as the NIS Directive, incident reporting, vulnerabilities management and the approach to sectors such as telecommunications and energy.

- Knowledge and information sharing to increase common situational awareness: including a more systematic sharing of knowledge and information in relation to the cybersecurity threat landscape to increase the common situational awareness to the stakeholders and communities and in full respect of data protection requirements.

A work plan will operationalise the Working Arrangement and regular reporting at the EU-US Cyber Dialogues is foreseen.

Medical Device Cybersecurity: Agencies Need to Update Agreement to Ensure Effective Coordination

Cybersecurity vulnerabilities that threaten medical devices aren't commonly exploited but still pose risks to hospital networks—and patients, according to a federal study.

The Food and Drug Administration has primary responsibility for medical device cybersecurity. FDA formally collaborates with the Cybersecurity and Infrastructure Security Agency on security guidance for device manufacturers, public alerts about current vulnerabilities, and more.

However, the agencies' formal agreement is 5 years old. We recommended updating the agreement to improve agency coordination and clarify roles.

Medical devices, such as heart monitors, connected to a hospital network may be vulnerable to cyber threats.

According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits. Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.

Non-federal entities representing health care providers, patients, and other relevant parties identified challenges in accessing federal support to address cybersecurity vulnerabilities. Entities described challenges with (1) a lack of awareness of resources or contacts and (2) difficulties understanding vulnerability communications from the federal government. Agencies are taking steps that, if implemented effectively, can meet these challenges.

Key agencies are also managing medical device cybersecurity through active coordination. Specifically, the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) developed an agreement addressing most leading practices for collaboration. However, this 5-year-old agreement did not address all such practices and needs to be updated to reflect organizational and procedural changes that have occurred since 2018.

FDA authority over medical device cybersecurity has recently increased. Specifically, December 2022 legislation requires medical device manufacturers to submit to FDA, among other things, their plans to monitor, identify, and address cybersecurity vulnerabilities for any new medical device that is to be introduced to consumers starting in March 2023. This legislation is limited to new devices and does not retroactively apply to those devices introduced prior to March 2023, unless the manufacturer is submitting a new marketing application for changes to the device.

FDA officials are implementing new cybersecurity authorities and have not yet identified the need for any additional authority. They can take measures to help ensure device cybersecurity under existing authorities such as monitoring health sector and CISA alerts, as well as directing manufacturers to communicate vulnerabilities to user communities and to remediate the vulnerabilities.

According to FDA guidance, if manufacturers do not remediate vulnerabilities, FDA may find the device to be in violation of federal law and subject to enforcement actions.

Cyber threats that target medical devices could delay critical patient care, reveal sensitive patient data, shut down health care operations, and necessitate costly recovery efforts. FDA is responsible for ensuring that medical devices sold in the U.S. provide reasonable assurance of safety and effectiveness.

The Consolidated Appropriations Act, 2023, includes a provision for GAO to review cybersecurity in medical devices. This report addresses the extent to which (1) relevant non-federal entities are facing challenges in accessing federal support on medical device cybersecurity, (2) federal agencies have addressed identified challenges, (3) key agencies are coordinating on medical device cybersecurity, and (4) limitations exist in agencies' authority over medical device cybersecurity.

GAO identified federal agencies with roles in medical device cybersecurity. It also selected 25 non-federal entities representing health care providers, patients, and medical device manufacturers. GAO interviewed these entities on challenges in accessing federal cybersecurity support. In addition, GAO assessed agency documentation and compared coordination efforts against leading collaboration practices; reviewed relevant legislation and guidance; and interviewed agency officials.

GAO is making recommendations to FDA and CISA to update their agreement to reflect organizational and procedural changes that have occurred. Both agencies concurred with the recommendations.

CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps

As part of the Secure by Design campaign, CISA has published The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously in collaboration with the following partners:

• United States National Security Agency
• United States Federal Bureau of Investigation
• Australian Signals Directorate’s Australian Cyber Security Centre
• Canadian Centre for Cyber Security
• United Kingdom National Cyber Security Centre
• New Zealand National Cyber Security Centre
• Computer Emergency Response Team New Zealand

Malicious cyber actors routinely exploit memory safety vulnerabilities, which are common coding errors and the most prevalent type of disclosed software vulnerability. Preventing and responding to these vulnerabilities cost both software manufacturers and their customer organizations significant time and resources.

The Case for Memory Safe Roadmaps details how software manufacturers can transition to memory safe programming languages (MSLs) to eliminate memory safety vulnerabilities. The guidance provides manufacturers steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products—key Secure by Design tenets.

CISA and our partners urge C-suite and technical experts at software manufacturers to read this guidance and implement memory safe roadmaps to eliminate memory safety vulnerabilities from their product.

Enea Evolves Mobile Network Security Portfolio to Improve Resilience Amid Growing Threats

Enea consolidates its suite of network security solutions to serve the unique needs of Mobile Network Operators and CPaaS providers as the volume of messaging and signaling attacks continues to break records and threaten critical infrastructure.

Enea, a leading provider of telecom and cybersecurity solutions, has consolidated its suite of network security solutions to address the mounting challenges of mobile network security and regulatory compliance and addresses two key areas: signaling security and messaging security. The portfolio update emphasizes intelligence-driven adaptability and accuracy and comprises four solutions tailored to the critical and growing demands of Mobile Network Operators (MNOs) and Communication Platform as a Service (CPaaS) providers and aggregators, and a further solution designed for the unique requirements of national security agencies.

The four network security solutions announced today for mobile network operators, CPaaS providers, and aggregators are as follows:

- Enea Adaptive Signaling Firewall accurately detects and blocks malicious signaling traffic to protect against threats such as person location tracking, interception of calls and messages, subscriber privacy intrusions, and DoS attacks on mobile networks. It combines the multi-protocol signaling firewall with unified enhanced reporting and signaling threat intelligence, providing a uniquely comprehensive three-point defense against signaling threats to keep attackers in check.

- Enea Signaling Intelligence Layer uses aggregated and obfuscated data from a worldwide footprint of signaling firewalls, combined with qualified threat intelligence, to provide insights on global network traffic. It gives mobile network operators unrivaled, up-to-the-minute visibility of the dynamic threat landscape, which can be used to guard against evolving threats on the network.

- MNOs will also benefit from the Enea Adaptive Messaging Firewall, which detects, blocks, and protects from rapidly adapting messaging threats such as phishing and spam and protects against revenue leakage to grey routes. Mobile network operators can filter malicious and unmonetized messages using advanced technologies such as tamper-resistant fingerprinting, intelligent message categorization, and URL classification, backed with up-to-the-minute threat intelligence.

- CPaaS providers and aggregators, who transmit A2P messages from brands to mobile networks, will be able to leverage the Enea Adaptive Messaging Firewall for CPaaS to filter messages for compliance and use granular controls to prioritize message delivery and guard against rising threats such as Artificial Inflation of Traffic (AIT), which exploit communication platforms for financial gain, often at the cost of the sending brands.

All three firewall solutions are based on Enea’s latest cloud-native platform technology, which enables deployment in public or private cloud, on virtual infrastructure, or on bare-metal servers. Granular control for multi-site deployments improves resilience and manages regulatory compliance for cross-border needs. The platform uses flexible configurations, allowing swift upgrades to counter new threats. Mobile network operators typically require both messaging and signaling firewalls and therefore benefit from a unified platform for both solutions.

To ensure optimal protection, all solutions integrate extensive threat intelligence provided through a combination of Enea’s expert security analysts, machine learning, and intelligent algorithms. Both signaling and messaging security rely heavily on the actionable insights threat intelligence provides to keep defense up-to-date and ahead of threat actors, fraudsters, and scammers.

The portfolio announced today ensures the needs of different users are comprehensively addressed and separated into discrete solutions. This approach makes it easier for buyers to assess the values offered by the portfolio and will increase the speed at which Enea can bring important innovations to the market and deliver new value to its customers. This agility is vital in the context of a rapidly evolving threat landscape, when signaling-borne and message-based threats are on the rise. As far as messaging is concerned, phishing remains the number one attack vector globally. A recent survey based on a poll of 8,000 consumers identified a 70% increase in fraudulent messages. As well as the considerable damage cybercrime causes victims, fraudulent messages also erode trust in brands, negatively impacting revenue and churn, making it a growing concern for CPaaS providers and aggregators.

Signaling threats, often posed by nation-state-sponsored threat actors, have come under increased scrutiny by regulators because of their risk to privacy and national security. In a series of recent research publications, Enea has shown how mobile networks in Ukraine have been attacked through the signaling network with the aim of damaging civil and military defenses.

“As is increasingly recognized by both regulators and leading telcos, cybersecurity operations in the telecom sector needs to be increasingly threat-intelligence driven” said Patrick Donegan, Principal Analyst, HardenStance. “It’s good to see a mobile network security leader like Enea leading with this as it refreshes and repositions its portfolio.”

John Hughes, senior vice president and head of Enea’s network security business, commented, “In a zero-trust world, mobile network operators and communications services providers are under near-constant attack. Faced with the pressure to protect their networks and comply with regulations, Enea’s suite of intelligence-driven network security solutions give accurate, granular control, simplify and streamline operations, and can scale easily to match modern-day data usage trends.”

The Enea Adaptive network security solutions are today deployed in more than 90 service providers worldwide, securing services for 2.4 billion subscribers. In excess of 3 billion messages are handled by Enea’s messaging firewalls every day.

NCSC warns of enduring and significant threat to UK's critical infrastructure

The UK's cyber chief has signalled that the threat to the nation’s most critical infrastructure is ‘enduring and significant’, amid a rise of state-aligned groups, an increase in aggressive cyber activity, and ongoing geopolitical challenges.

In its latest Annual Review, published today, the National Cyber Security Centre (NCSC) – which is a part of GCHQ – warned that the UK needs to accelerate work to keep pace with the changing threat, particularly in relation to enhancing cyber resilience in the nation’s most critical sectors.

These sectors include those that provide the country with safe drinking water, electricity, communications, its transport and financial networks, and internet connectivity.

Over the past 12 months, the NCSC has observed the emergence of a new class of cyber adversary in the form of state-aligned actors, who are often sympathetic to Russia’s further invasion of Ukraine and are ideologically, rather than financially, motivated.

In May this year, the NCSC issued a joint advisory revealing details of ‘Snake’ malware, which has been a core component in Russian espionage operations carried out by Russia’s Federal Security Service (FSB) for nearly two decades.

Today, the NCSC is reiterating its warning of an enduring and significant threat posed by states and state-aligned groups to the national assets that the UK relies on for the everyday functioning of society.

More broadly, the UK government remains steadfast in its commitment to safeguarding democratic processes. Recent milestones include the implementation of digital imprint rules under the Elections Act to foster transparency in digital campaigning, fortifying defences against foreign interference through the National Security Act, and advancing online safety measures through the implementation of the Online Safety Act.

NCSC CEO Lindy Cameron said:

“The last year has seen a significant evolution in the cyber threat to the UK – not least because of Russia’s ongoing invasion of Ukraine but also from the availability and capability of emerging tech.

“As our Annual Review shows, the NCSC and our partners have supported government, the public and private sector, citizens, and organisations of all sizes across the UK to raise awareness of the cyber threats and improve our collective resilience.

“Beyond the present challenges, we are very aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities. We are committed to facing those head on and keeping the UK at the forefront of cyber security.”

CISA Announces Secure by Design Alert Series: How Vendor Decisions Can Reduce Harm at a Global Scale

CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. We continuously we publish alerts and advisories to help defenders prioritize their work based on the current threats and software vulnerabilities. We additionally provide defenders with ongoing help prioritizing their scarce resources; for example, our Known Exploited Vulnerabilities (KEV) program identifies the common vulnerabilities and exposures (CVEs) that malicious actors are actively exploiting in the wild.

But to reduce the nation’s risk, we need to do more than warn defenders about the most current attacks and software vulnerabilities. We need to look much further “left-of-boom” and into the software development practices in order to fix things before intrusions cause harm to the American people. We need to identify the recurring classes of defects that software manufacturers must address by performing a root cause analysis and then making systemic changes to eliminate those classes of vulnerability. We need to spot the ways in which customers routinely miss opportunities to deploy software products with the correct settings to reduce the likelihood of compromise. Such recurring patterns should lead to improvements in the product that make secure settings the default, not stronger advice to customers in “hardening guides”.

Most importantly, we need to convey that insecure technology products are not an issue of academic concern: they are directly harming critical infrastructure, small businesses, local communities, and American families. Today CISA is launching a new series of products: Secure by Design Alerts. When we see a vulnerability or intrusion campaign that could have been reasonably avoided if the software manufacturer had aligned to secure by design principles, we’ll call it out. Our goal isn’t to cast blame on specific vendors; to the contrary, we know that vendors make software development and security choices as part of broader business decisions. Instead, our goal is to shine a light on real harm occurring due to these “anti-security” decisions. While the usual dialogue around an intrusion is about how victims could have done more to prevent or respond, alerts in this new series will invert this dialogue by focusing attention on how vendor decisions can reduce harm at a global scale.

Our first publication in the Secure by Design Alert series focuses on malicious cyber activity against web management interfaces. It brings attention to how customers would be better shielded from malicious cyber activity targeting these systems if manufacturers implemented security best practices and eliminated repeat classes of vulnerabilities in their products – and aligned their work to Secure by Design principles.

One of the core principles we identified in our Secure by Design whitepaper is to “take ownership for customer security outcomes”. By identifying the common patterns in software design and configuration that frequently lead to customer organizations being compromised, we hope to put a spotlight on areas that need urgent attention. The journey to build products that are secure by design is not simple and will take time. We hope Secure by Design Alerts will help software manufacturers evaluate their software development lifecycles and how they relate to customer security outcomes.

CISA and UK NCSC Unveil Joint Guidelines for Secure AI System Development

In a landmark collaboration, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) are proud to announce the release of the Guidelines for Secure AI System Development. Co-sealed by 23 domestic and international cybersecurity organizations, this publication marks a significant step in addressing the intersection of artificial intelligence (AI), cybersecurity, and critical infrastructure.

The Guidelines, complementing the U.S. Voluntary Commitments on Ensuring Safe, Secure, and Trustworthy AI, provide essential recommendations for AI system development and emphasize the importance of adhering to Secure by Design principles. The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority.

The Guidelines apply to all types of AI systems, not just frontier models. We provide suggestions and mitigations that will help data scientists, developers, managers, decision-makers, and risk owners make informed decisions about the secure design, model development, system development, deployment, and operation of their machine learning AI systems.

This document is aimed primarily at providers of AI systems, whether based on models hosted by an organization or making use of external application programming interfaces. However, we urge all stakeholders—including data scientists, developers, managers, decision-makers, and risk owners make—to read this guidance to help them make informed decisions about the design, deployment, and operation of their machine learning AI systems.

1 2 3 4 49