Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, spoke at Carnegie Mellon University in Pittsburgh on Monday and called on the tech industry to take cybersecurity more seriously. Easterly urged the industry to prevent vulnerabilities from accumulating before products are shipped to the public. She criticized the practice of releasing products with "dozens, hundreds or thousands of defects" and called for an end to it.
Easterly praised Apple for encouraging users to activate multifactor authentication and expressed disappointment in the take-up rate among Microsoft and Twitter users. She also criticized the industry's acceptance of monthly patch releases as normal, citing it as evidence of a willingness to operate dangerously.
Easterly argued for a stronger government role in cybersecurity and called for the shifting of liability onto companies that fail to live up to a cybersecurity duty of care. She urged legislators to prevent technology manufacturers from disclaiming liability by contract. However, she also acknowledged that regulation is not a panacea.
Easterly suggested that the private sector could improve cybersecurity by transitioning to memory-safe programming languages such as Rust, Go, Python, and Java. She cited statistics showing that roughly two-thirds of known software vulnerabilities stem from memory-safety bugs, that is, errors in how a program reads and writes memory. Attackers exploit such bugs in software written in languages such as C and C++, which provide no mechanism to stop programmers from introducing them. Easterly specifically called out Google's August 2022 debut of Android 13, the first Android release in which a majority of the new code added to the release was written in a memory-safe language.
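To make the memory-safety point concrete, here is an added example (not from the speech or this article) of the defect class at issue, written in C. The first function performs an unchecked copy, the pattern behind a large share of the vulnerabilities Easterly refers to; the second adds by hand the bounds check that a memory-safe language performs automatically. The buffer size `NAME_MAX` and the function names are arbitrary choices for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative buffer size chosen for this example. */
#define NAME_MAX 16

/* Unchecked copy: the classic C defect. strcpy trusts the caller and writes
 * as many bytes as the source holds. A source of NAME_MAX characters or more
 * writes past the end of dst and corrupts whatever follows it in memory;
 * the language itself performs no check that would stop it. Only ever call
 * this with input you have already proven fits. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Bounded copy: the check a memory-safe language would do for you, written
 * out explicitly. Returns 0 on success and -1 if src does not fit, leaving
 * dst as an empty string. The caller gets a definite answer instead of
 * silent memory corruption. */
int copy_name_checked(char dst[NAME_MAX], const char *src) {
    size_t n = 0;
    /* Scan at most NAME_MAX bytes so an unterminated source cannot run away. */
    while (n < NAME_MAX && src[n] != '\0') {
        n++;
    }
    if (n == NAME_MAX) {
        /* No room for the terminating NUL: refuse rather than overflow. */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* n bytes plus the terminator */
    return 0;
}

int main(void) {
    char buf[NAME_MAX];

    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *too_long = "this-name-is-far-too-long-for-the-buffer";

    copy_name_unchecked(buf, ok); /* safe only because we know ok fits */
    printf("unchecked copy of a short name: \"%s\"\n", buf);

    printf("checked copy of a short name: rc=%d buf=\"%s\"\n",
           copy_name_checked(buf, ok), buf);
    printf("checked copy of an oversized name: rc=%d buf=\"%s\"\n",
           copy_name_checked(buf, too_long), buf);
    /* Passing too_long to copy_name_unchecked would be the bug: it writes
     * past buf with no diagnostic. That is what Rust, Go, Java or Python
     * turn into a panic, exception or compile error instead. */
    return 0;
}
```

The difference between the two functions is one length check, and that is the whole argument for memory-safe languages: in C the programmer must remember to write it every time, while a memory-safe language refuses to compile or halts at runtime when it is missing.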
Easterly urged universities to make a security course a graduation requirement for all computer science students, noting that most schools currently do not require one for a computer science degree. She also criticized the industry for not putting its money where its mouth is, and for not prioritizing safety and security over competitive pressure to get products to market.