InnovationAus
Justin Hendry

Australia joins push to shift cyber burden onto software vendors

Australia has joined a US-led push for software developers to take greater accountability for the security of their products by shifting the current burden of responsibility away from end users.

The Australian Cyber Security Centre (ACSC) on Thursday issued advice with its Five Eyes counterparts in the United States, United Kingdom, Canada and New Zealand, as well as Germany and the Netherlands, to press vendors to take “urgent steps” to bake in security.

“To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers,” the statement reads.

Australian Cyber Security Centre head Abigail Bradshaw. Image: Twitter

The push comes just weeks after the release of the US cyber strategy, which seeks to shift burdens and liabilities away from end users towards vendors, including by removing the legal shields afforded to companies through “shrink-wrap licensing”.

Industry has recommended that such an approach should be considered by the Australian government as the national cybersecurity strategy is redeveloped if it wants to become the world’s most cyber-secure country by 2030.

The advice for software manufacturers – the first of its kind to be issued – intends to “catalyse progress toward further investments and cultural shifts necessary to achieve a safe and secure future” through not only technical recommendations but “core principles”.

One such principle is manufacturers taking “ownership of the security outcomes of their technology products, shifting the burden of security from the customer”, which the US Cybersecurity and Infrastructure Security Agency has been pushing for under director Jen Easterly’s leadership.

“A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors,” the statement said.

Last week, Ms Easterly said that vendors are placing an undue burden for stopping cyberattacks onto customers, particularly small businesses. She highlighted well-established practices such as ‘Patch Tuesday’, the second Tuesday of the month on which companies release their latest patches, as an example of that burden.

The guidance also asks that manufacturers “embrace radical transparency and accountability”, such as by ensuring that Common Vulnerabilities and Exposures (CVE) records are complete and accurate, and committing to “prioritise security as a critical element of product development”.

“Cyber security cannot be an afterthought. Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital,” ACSC chief Abigail Bradshaw said.

A discussion paper, drafted by an advisory board led by former Telstra boss Andy Penn, to inform Australia’s next cybersecurity strategy said that Australians will expect “advanced cyber security built-in by-design” by 2030.

The discussion paper’s only other reference to security-by-design concerned consumer-grade IoT devices, which the former government had sought to regulate with a mandatory code of practice prior to last year’s election.

Presently, the government has voluntary minimum cyber security standards for consumer-grade IoT devices, but the principles were found to be difficult to implement by device makers in a 2021 review.
