Cybersecurity agencies publish new guidance on safe software design: Here’s why it matters
Apr 19, 2023
Need for cybersecurity protection: Technology breaches can impact critical systems that affect all of us.

Image: Pexels/Mikhail Nilov

Akshay Joshi
Head of Industry and Partnerships, Centre for Cybersecurity, World Economic Forum
Victoria Masterson
Senior Writer, Forum Agenda
Cyberattacks can impact critical systems, like hospitals cancelling surgeries.
Software manufacturers are now urged to build cyber safety into their products at the design stage.
New principles for software that is “secure-by-design and -default” have been published by the CISA, FBI and NSA in the US and cybersecurity agencies in six partner countries.
Software should have cybersecurity protection built-in before it goes on sale.

This is the core message of new guidance from cybersecurity authorities in the United States, Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand.

For the first time, these countries have produced joint guidance urging software manufacturers to ensure as a priority that the products they ship are designed to be secure and have cybersecurity built in as standard. The guidance is outlined in the following report: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.

Which cybersecurity authorities are behind this guidance?
There are three federal government agencies in the US and eight international partners behind the joint software cybersecurity guidance.

The US agencies are the Cybersecurity and Infrastructure Security Agency (CISA) – America’s cyber defense agency; the Federal Bureau of Investigation (FBI) – the national security and law enforcement agency for the US; and the National Security Agency (NSA) – a national intelligence agency focused on protecting national communications systems.


Their international partners include Canada’s Centre for Cyber Security (CCCS); Germany’s Federal Office for Information Security (BSI); New Zealand’s Computer Emergency Response Team (CERT NZ); and the UK’s National Cyber Security Centre (NCSC-UK).

Why is secure-by-design guidance needed?
Cyberattacks have led to hospitals cancelling surgeries globally. This is just one example of how technology breaches can impact critical systems that affect all of us, the cybersecurity authorities say.

Insecure technology products can “pose risks to individual users and our national security,” explained NSA Cybersecurity Director Rob Joyce. He added: “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see.”

[Figure: Key findings of the Global Cybersecurity Outlook 2023. Image: World Economic Forum.]
In its Global Cybersecurity Outlook 2023, the World Economic Forum finds that 93% of cyber leaders and 86% of business leaders think a “far-reaching, catastrophic cyber event” is moderately or very likely in the next two years because of global geopolitical instability.

“The threat landscape has become increasingly volatile,” the Forum says. “Professionalized cybercriminal groups have continued to grow and create a higher volume of new attack types.”

In its State of the Connected World 2023 report, the Forum identified that growing reliance on connected devices and related technologies has made organizations, governments and individual users increasingly susceptible to cyber threats. The ability of connected devices and related technologies to protect individuals from cyberattacks is, therefore, a leading concern.

The Centre for Cybersecurity’s community – part of the Incentivizing Secure and Responsible Innovation initiative – established that if entrepreneurs and innovators were encouraged and incentivized to prioritize security features in their product development from the very beginning, a much safer cyberspace would become possible, step by step.

What are software manufacturers being asked to do?
The Shifting the Balance of Cybersecurity Risk report’s guidance on secure-by-design software includes specific technical recommendations, such as using programming languages that eliminate vulnerabilities.

There are also a number of core principles for software manufacturers. These include ensuring that software ships already configured with the most important security controls enabled, so that the customer is not left to fix it.

Software manufacturers are also asked to “embrace radical transparency and accountability”. This might include sharing information, for example, about how many customers adopt the default cybersecurity controls.

Companies must also build the right organizational structure and leadership to ensure security is prioritized as a critical part of software development.

The principles published by CISA, and endorsed by several national cybersecurity agencies globally, provide software manufacturers with the much-needed incentive to boost product security and can play a key role in strengthening cybersecurity and resilience across the ecosystem.
