April 13, 2023
CSE’s Canadian Centre for Cyber Security (Cyber Centre) joined the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the following international partners to provide recommendations for Information Technology (IT) manufacturers on using secure-by-design and secure-by-default principles in the development of their products:
- Australian Cyber Security Centre (ACSC)
- New Zealand: Computer Emergency Response Team New Zealand (CERT NZ)
- New Zealand National Cyber Security Centre (NZ NCSC)
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
- Germany’s Federal Office for Information Security (BSI)
- Netherlands National Cyber
The new guide emphasizes the need to shift the burden of cyber security risk away from the customer and instead encourage technology manufacturers to design safe products that are secure by design and by default.
Technology is integrated into many facets of daily life; internet-facing systems are connected to critical systems that directly affect people's livelihoods, from personal identity management to medical care. Insecure technology and vulnerabilities in critical systems may result in cyber incidents, leading to serious potential safety risks. Cyber breaches have real-life consequences for many people.
The burden of cyber security, and ultimately customer safety, is currently placed on end users: IT customers and organizations. These end users are required to spend significant resources to keep up to date on emerging threats, as well as to adopt security processes and practices to counter those threats. For too long, the technology industry and the security community have pushed responsibility for protecting systems and information to end users and customers. The changes proposed in this guide are necessary to ensure a better cyber security future for all.
To have a future where technology is safe for everyone, technology manufacturers and suppliers must create and ship safe products. This means products that are secure by design (security is built in from the start of development, not added as an afterthought) and secure by default (products that are safe to use out of the box with little to no configuration changes necessary and are available without additional cost). Secure-by-design products make the security of customers a core business requirement, not just a technical feature. We need to ensure that end users, everyday Canadians, are not responsible for preventing cyber breaches caused by product design flaws. We encourage manufacturers to build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions. We need to move towards placing the burden of cyber security on IT manufacturers rather than on IT consumers, whether they are individuals or organizations. This is a key part of creating a future where technology is safer for everyone.