The director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, issued a dire warning Monday, urging tech companies such as Microsoft and Twitter to curb their use of poorly designed software and unsafe practices that facilitate ransomware attacks.
The attacks threaten to undermine U.S. critical infrastructure, including energy and water supply, oil and gas production, food manufacturing, hospitals and schools.
Easterly called the current threat of cyber intrusions “far more dangerous” than the spy balloon that attracted so much attention earlier this month.
“Our country is subject to cyber intrusions every day from the Chinese government, but these intrusions rarely make it into national news,” Easterly said Monday. “These intrusions can do real damage to our nation — leading to theft of our intellectual property and personal information; and even more nefariously, establishing a foothold for disrupting or destroying the cyber and physical infrastructure that Americans rely upon every hour of every day—for our power, our water, our transportation, our communication, our healthcare, and so much more.”
Easterly said China’s hacking program is “larger than that of every other major nation combined.” She added, “This is hacking on an enormous scale, but unlike the spy balloon, which was identified and dealt with, these threats, more often than not, go unidentified and undeterred.”
The solution, Easterly argued before an audience gathered at Carnegie Mellon University, is to eliminate “dangerous by design” technology and create liability for companies that fail to protect consumers. “Technology manufacturers must take ownership of the security outcomes for their customers,” Easterly said.
Citing one example, Easterly urged Microsoft and Twitter to enroll users in multifactor authentication automatically, a multi-step login process that requires a username and password plus an additional layer of verification.
Earlier this month, Twitter announced it would begin charging users for text-based multifactor authentication, which has historically been a cost-free service.
Roughly a quarter of Microsoft’s customers use multifactor authentication, and fewer than 3% of Twitter’s users do, numbers Easterly called “disappointing.”
Despite the shortcomings, Easterly — a supporter of “radical transparency” — commended companies for disclosing customer use of security features. “Those numbers are too low, but I think the fact that they actually published them is very positive.”
By contrast, Apple Inc. says 95% of its iCloud users have multifactor authentication enabled, due in large part to default activation.
“The government can also play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers,” Easterly added, noting she would push for ways to hold technology companies responsible if they expose their customers to undue risk.
Easterly said she has not yet contacted tech firms or lawmakers in connection with CISA’s new plan but anticipates further guidance in conjunction with the Biden administration’s long-anticipated National Cyber Strategy.
“I’m hoping that thing gets out here in the next week or so,” Easterly noted.
Easterly added that CISA does not “tell social media companies what to do,” but said “it’s really important that anybody who uses Twitter realizes that their account may be more vulnerable to being hacked.”
The top CISA official, whose agency is housed within the Department of Homeland Security, also urged tech companies to address memory-safety vulnerabilities, which according to Easterly account for roughly two-thirds of all known software vulnerabilities. These are bugs in how a program manages its own memory, such as writing past the end of a buffer; an attacker who can trigger one remotely, for example by sending malformed input, can corrupt the program’s data and often take control of it. Such attacks are hard to catch with perimeter defenses because the malicious input arrives over a connection the firewall already allows. The director touted “memory safe” programming languages like Java, Python and Rust, which rule out this class of bug by design.
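As an added illustration of the bug class Easterly describes (this is example code written for this page, not part of her remarks or of the reporting), the C snippet below pairs an unbounded copy with a bounds-checked one. The `session` layout, the helper names and the overlong input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 16-byte name field immediately followed by a
 * privilege flag, so bytes written past name[] land in is_admin. */
struct session {
    char name[16];
    int  is_admin;
};

/* Dangerous by design: strcpy() copies until it finds a NUL byte and
 * never consults the size of the destination. Any input of 16 bytes
 * or more overruns name[], which is undefined behaviour in C. */
void set_name_unsafe(struct session *s, const char *src)
{
    strcpy(s->name, src);
}

/* Hardened version: refuse input that does not fit together with its
 * terminating NUL, rather than silently truncating or overflowing.
 * The scan never reads more than sizeof(s->name) bytes of the source.
 * Returns 0 on success, -1 if the input was rejected (s unchanged). */
int set_name_safe(struct session *s, const char *src)
{
    size_t n = 0;
    while (n < sizeof s->name && src[n] != '\0')
        n++;
    if (n == sizeof s->name)          /* no NUL within 16 bytes: too long */
        return -1;
    memcpy(s->name, src, n + 1);      /* n bytes plus the NUL */
    return 0;
}

/* Helpers (constructed for checking): run the safe setter on a fresh
 * session and report the return code or the privilege flag afterwards. */
int safe_copy_result(const char *src)
{
    struct session s = { "guest", 0 };
    return set_name_safe(&s, src);
}

int admin_flag_after_safe_copy(const char *src)
{
    struct session s = { "guest", 0 };
    (void)set_name_safe(&s, src);
    return s.is_admin;
}

int main(void)
{
    /* Constructed attacker input: 16 'A's fill name[] and the 17th
     * byte (0x01) lands in the low byte of is_admin. Because this is
     * undefined behaviour the outcome depends on the compiler, the
     * layout and mitigations such as _FORTIFY_SOURCE, which may abort
     * here instead of letting the overflow through. */
    char payload[18];
    memset(payload, 'A', 16);
    payload[16] = 0x01;
    payload[17] = '\0';

    struct session s = { "guest", 0 };
    set_name_unsafe(&s, payload);
    printf("after unsafe copy: is_admin=%d\n", s.is_admin);

    struct session t = { "guest", 0 };
    int rc = set_name_safe(&t, payload);
    printf("after safe copy:   rc=%d is_admin=%d name=%s\n",
           rc, t.is_admin, t.name);
    return 0;
}
```

The unsafe function is the shape of bug that memory-safe languages reject at the language level: in Java, Python or Rust the equivalent write past the end of the array raises an exception or fails to compile instead of rewriting a neighbouring field. In C the burden falls on every caller to get the bounds check right, which is the "dangerous by design" pattern the speech targets.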
In an ominous close to her address, Easterly raised a hypothetical scenario in which an adversary might target multiple gas pipelines with explosions, mass-pollute U.S. waterways or hijack all telecommunications.
“Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched,” she said.
After her remarks, Easterly told CBS News that the U.S. has not seen an increase in scanning or preparatory behavior from Chinese-linked actors but remains concerned about the potential of escalatory attacks.
“I think that China will look at the things that Russia has done and not done and think hard about what they can do to be more successful if in fact, they do try and go after Taiwan,” said Easterly, who served as an Army intelligence officer for more than two decades.
The cyber official hopes her remarks will stop tech firms from passing the buck down to the consumer on security, which she said they do routinely.
“The American people have accepted the fact that they’re constantly going to have to update their software,” she said. “The burden is placed on you as the user and that’s what we have to collectively stop.”