CISA: Tech industry 'shouldn't tolerate' Patch Tuesday, unsecured software

The director of the US’ cyber security authority, CISA, has criticised the tech industry for normalising unacceptable security practices, including Microsoft’s Patch Tuesday.

Patch Tuesday is a monthly round of security updates on which IT system administrators rely to keep their organisation’s IT estate safe from vulnerability exploits.

The fact that the industry has accepted this as normal is “evidence of our willingness to operate dangerously”, Jen Easterly argued.

Easterly acknowledged that while it’s impossible to prevent all security vulnerabilities, the tech industry should be demanding higher standards for the products it produces and uses.

During a speech made at Carnegie Mellon University (CMU) this week, the CISA director went on to cite some of the major cyber attacks in recent years, such as school districts shutting down, a gas pipeline shutting down, and patients being diverted from hospitals affected by ransomware attacks.

“And that’s just the tip of the iceberg, as many - if not most - attacks go unreported,” she said.

“As a result, it’s enormously difficult to understand the collective toll these attacks are taking on our nation or to fully measure their impact in a tangible way.”

The industry has reached the point at which it accepts that technology is “dangerous by default”, something that wouldn't be accepted with the likes of car airbags, for example.

The normalisation of deviance theory by sociologist Diane Vaughan posits that when swathes of people grow accustomed to deviant behaviours, those behaviours no longer seem deviant to many over time.

Easterly cited the theory, drawing parallels between it and the current state of the tech industry.

It has been accepted as normal that Patch Tuesday only comes once a month and usually fixes around 100 vulnerabilities, often more, with each package.

It also seems normal that software is still written in memory-unsafe languages like C and C++, a practice the US government has hoped to stamp out through public information campaigns over the past year.

The idea of encouraging the use of secure software development practices feeds into one of the three core principles CISA is currently trying to enact across the industry.

  1. Placing greater emphasis on manufacturers of technology products to assume responsibility for security issues
  2. Technology manufacturers to “embrace radical transparency” to disclose customer safety challenges
  3. Focus on building products with both the ideas of security by design and security by default at the core of production

At the federal level, the Biden administration has already mandated that all federal civilian executive branch (FCEB) agencies must patch a list of the most common vulnerabilities by a given deadline to limit the potential for a major cyber attack on the government.

However, there is still work that needs to be done at both the government and education levels in order to raise cross-industry standards, Easterly said.

Better incentives need to be introduced so manufacturers are rewarded for producing secure products. In the tech industry, no such rewards exist.

The idea of incentivising proper security practices is not a new one, but little movement has been made among leading countries to reward manufacturers for providing secure software.

Easterly said the government needs to improve its approach to legislating positive change, for example by preventing companies from disclaiming liability by contract and by mandating a more transparent production process.

Private companies should shoulder some burden of security too. For example, making multi-factor authentication (MFA) a default setting in user accounts across all technologies and platforms is one way the industry could prevent a sizeable number of breaches.

Apple’s iCloud service has a 95% uptake of MFA among users compared to Twitter’s 3%, a contrast Easterly said was due to Apple enabling MFA by default.

At the education level, the CISA director praised CMU specifically for introducing its CS 112 programming class, which teaches students how to code in Python - a memory-safe programming language.

Areas for improvement that were highlighted included embedding security throughout all IT-related classes and courses, and supporting the open source and research communities to adopt memory-safe programming.

Connor Jones
News and Analysis Editor
