
Security by Design and Default – How to Address the Cybersecurity Challenge

In recent discussions between leading U.S. AI technology producers and the Biden-Harris administration, the companies committed to prioritizing cybersecurity in their platforms. This commitment involves safeguarding AI models against cyber and insider threats, sharing best practices, and implementing standards to protect national security. However, there is skepticism about whether this commitment will go far enough in ensuring cybersecurity.

The Federal Communications Commission proposed a voluntary program to encourage companies to include information about the security status of their technological products. This program aims to reward companies that meet special standards with a U.S. Cyber Trust Mark.

While security by design and default is not a new concept, it often takes time for businesses to adopt these recommendations. The shift towards prioritizing cybersecurity can be seen in the backlash against Big Tech's lack of privacy and security protections, which has led to calls for federal data privacy laws. Several states have already passed privacy protection laws, and more are introducing new privacy bills.

The question remains as to how many tech startups are willing to invest in incorporating security into their development processes. NIST Special Publication 800-160 provides a framework for building secure systems, but manufacturers often rely on bug bounty hunters to identify vulnerabilities before taking action. CISA and the FBI have encouraged technology manufacturers to build products that do not require constant monitoring and updates from end-users. However, without strict regulatory compliance and enforcement, voluntary change in the industry may delay laws that carry consequences.

The cybersecurity industry also faces challenges such as a shortage of skilled professionals and vendor sprawl, with companies relying on numerous cybersecurity tools that lack visibility and correlation.

While rewarding tech companies for taking cybersecurity measures is a positive step, it is not a comprehensive solution. Change in the cybersecurity sector takes time, and it is important to support and encourage any steps towards cybersecurity by design and default.
