Cybersecurity Spending , Government , Industry Specific
Security Vendors Need to Take on More Cyber Responsibility
Microsoft Federal Explains Why That's a Good ThingWhen the Biden-Harris administration released its national cybersecurity strategy in March 2023, it marked another executive action designed to raise cybersecurity standards across the federal government. In the past few years, we've had EO 14028, M-21-31 and M-22-09, to name a few. All of this policymaking underscores how serious the federal government is about improving our nation's cybersecurity posture.
See Also: ON-DEMAND WEBINAR: Secure Your Applications: Learn How to Prevent AI-Generated Code Risks
The national cybersecurity strategy calls for regulators to drive adoption of "secure by design" principles by establishing a framework by which government and industry can effectively collaborate. This allows the federal government to both incentivize providers and hold them accountable for the security outcomes of their customers.
While we don't yet know the exact framework on which the national cybersecurity strategy's requirements will be built, there are best practices that we can look to for guidance on how to maintain a security mindset in today's threat landscape. Secure by design and secure by default will play a significant role. At their core, these strategies seek to advance collective security postures by pushing vendors to design more secure technology throughout the software development life cycle and to deploy security features and policies automatically without requiring any action from end users.
Shifting more cyber responsibility to commercial security vendors by using "secure by design" and "secure by default" strategies makes companies, constituents and missions safer.
Why Cybersecurity Vendors Should Take on More Responsibility
Major security events over the past two years have triggered a sweeping change in the way we approach cybersecurity. Previously, we relied on end users to bear the burden of security. They had to use secure passwords and regularly update their devices and software with the latest patches. But history has shown that this is not the most effective model.
Originally, organizations were in charge of their own cyber defenses because they knew their environments best. Security teams understood which compliance or industry regulations their organizations had to follow and which security policies they should deploy based on the needs of their environments.
But over time, we've found that placing the onus on end users results in unequal security postures across agencies with varying degrees of cybersecurity expertise. Many larger, better-equipped agencies are able to bear the burden of security because they have the financial resources and staff to do so. But our government is only as secure as its weakest link, and collective defense demands that we raise all agencies to the same base level of security in order to protect all departments and agencies equally.
Smaller agencies and state and local governments often suffer under this legacy security model because they don't have the same access to resources. This can lead to significant gaps in security as these organizations adopt best practices and new technologies on their own timelines based on budgetary constraints and other shifting factors.
Take multifactor authentication or MFA, for example. MFA is widely considered to be a best practice among cybersecurity experts. It is far more secure than using passwords, and research has shown that MFA can reduce an organization's risk of compromise by 99.2%. Yet 54% of small to medium-sized organizations do not implement MFA, and only 28% actually require it.
By shifting more cyber responsibility to security vendors, we can encourage higher rates of MFA adoption through "secure by default" strategies. This results in a shared responsibility model in which security vendors take on more responsibility for designing secure software and deploying default security policies. Meanwhile, end users must maintain that security through cyber best practices.
Think about driving a car: The manufacturer is responsible for building a reliable vehicle that comes equipped with certain safety features such as seat belts and air bags. Occasionally, there may be a recall in which the manufacturer has to push out an update to the car to ensure it continues operating safely. But if the consumer never takes their car in to be serviced or regularly forgoes wearing their seat belt, then the safety of the vehicle is still compromised. Cybersecurity is much the same.
How Secure by Design and Secure by Default Advance Cybersecurity
According to CISA, secure by design means that the security of customers and end users is a core business requirement of the product, not just a technical feature. These "secure by design" principles should be implemented during the design phase of a product's life cycle development. This minimizes the number of exploitable flaws that an adversary can target within the technology.
By contrast, secure by default involves vendors enabling certain security features across all of their products or software without requiring any action from the end user. This is much harder to do than secure by design, as each end user's environment is different. What works well for one agency might not work for another. When vendors push a new "secure by default" feature, it has often gone through rigorous testing and periods of customer feedback to ensure it will benefit the largest number of end users possible.
At Microsoft, our secure by design, default and deployment strategies are at the core of our Secure Future Initiative. SFI is a multiyear commitment that advances the way we design, build, test and operate our Microsoft Cloud technology to ensure that we deliver solutions that meet the highest possible standard of security for AI. As part of this initiative, we have committed to adding three specific areas of engineering advancement to our journey toward continually improving the built-in security of our products and platforms. These are transforming software development, implementing new identity protections and driving faster vulnerability response.
When rolling out new engineering advancements through SFI, we always notify customers well in advance to give them time to evaluate the policy and make sure it will work for their environment. We also use an incremental rollout model to test the policy in stages and give a diverse range of customers the opportunity to provide feedback. This allows us to fine-tune the policy as needed before rolling it out to the next wave of customers.
This strategy has proven successful. Today, thanks to an incremental rollout of MFA by default, over 50 million users are protected by our security defaults program, which has over 90% customer retention. We're building on that success by automatically rolling out Microsoft-managed Automatic Conditional Access policies to Microsoft Entra ID customers in the coming months.
Secure by design and secure by default are paradigm shifts that have a measurable effect on the way we approach cybersecurity. They require a high degree of collaboration between security vendors and end users to ensure that vendors are designing secure products and agencies are operating them in the safest way possible. By encouraging wider adoption of secure by design and secure by default, we can better secure our nation's digital future.