The pledge provides examples of how companies can achieve their goals, but states that companies “have the discretion to determine the best way” to do so. The document also emphasizes the importance of companies publicly demonstrating “tangible progress” toward their goals and documenting their techniques “so that others can learn from them.”
Goldstein said CISA developed the pledge in consultation with high-tech companies to understand what is achievable for them while still achieving the agency's goals. That meant making sure the promise was achievable for companies of all sizes, not just Silicon Valley giants.
Tech industry officials said the agency initially tried to use the Joint Cyber Defense Collaborative (JCDC) to encourage companies to sign the pledge, but that “policy and legal issues” stood in the way of using a body meant for operational cybersecurity for that purpose. Pressing the JCDC into that role backfired, industry officials said:
“Industry expressed dissatisfaction with using JCDC to obtain commitments, and CISA wisely withdrew its efforts,” officials said.
CISA then consulted with companies through the Information Technology Sector Coordinating Council and fine-tuned the pledge based on feedback. The pledge originally included more than seven goals, and CISA asked signatories to commit to “robust metrics” to show progress, industry sources said. Ultimately, the sources said, CISA removed some goals and “broadened the language” on measuring progress.
John Miller, senior vice president of policy, trust, data and technology at the Information Technology and Innovation Council, a leading industry group, said the change was wise, because concrete progress metrics, such as the number of users on multi-factor authentication, could be “easily misunderstood.”
Goldstein said the number of pledge signers so far is “exceeding our expectations.” An industry insider said he is not aware of any companies that specifically declined to sign the pledge after CISA's launch event at RSA, in part because vendors “wanted to keep the option of signing open.” “Everyone is in a kind of wait-and-see mode,” he said.
Legal liability is a top concern for potential signatories. “If eventually some sort of security incident inevitably occurs,” Miller says, “[what a] company has publicly stated could be used in litigation.”
That said, Miller predicts that some global companies facing Europe's tough new security requirements will sign the U.S. pledge to “take credit” for what they already have to do.
CISA's Secure by Design campaign is central to the Biden administration's ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration's National Cybersecurity Strategy. The push for corporate cyber responsibility comes in the wake of years of devastating supply chain attacks on critical software makers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, ransomware attacks on schools, hospitals, and other essential services, and a growing list of widespread software vulnerabilities. White House officials say the pattern of costly and often preventable breaches points to the need for greater corporate accountability.