date 2023-04-17

The days of big software vendors shipping major releases riddled with security holes that are marketed as ‘convenience features’ are one step closer to ending after Australia signed up to a Five Eyes-backed cyber crackdown on crappy code in enterprise applications used by government and critical industries.

In a massive official pushback that’s fortuitously timed to coincide with the 40th anniversary of the announcement of Microsoft Windows in 1983 later this year (just a coincidence, put down the tin foil), Australia has joined cyber agencies across the US, UK, Canada, New Zealand, Germany and the Netherlands to demand software securely built by design before it ships.

“This guidance, the first of its kind, is intended to catalyze progress toward further investments and cultural shifts necessary to achieve a safe and secure future,” the group said in its first official missive.

“To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.”

The key word there is “cultural” because it informally puts the US and global software industry on notice that there could soon be major liability shifts and regulatory penalties for code that doesn’t come up to scratch or that can be easily circumvented to create systemic vulnerabilities.

Banks and major enterprises have, for decades, been eager to break the symbiotic relationship between cheap and loose code-builds that ship with potential holes in features and functions that open by default, and the tech security industry that extracts handsome rent to plug the leaky pipes.

Almost all malware, whether remote access Trojans (break, enter and control software), ransomware, worms, sniffers or keyboard loggers, finds a way in through code that isn’t properly nailed down or sufficiently tested.

While many software companies offer bug bounties to security researchers who find backdoors when they ethically hack and test applications, there are pointedly mixed views as to whether this approach reduces or entrenches sloppy security design.

Hostile landscape

What’s changed manifestly in the past five years is that there is now a hot war between Western-backed Ukraine and Russia, alongside sanctions, with potentially lethal cyber operations occurring now every day.

That security backdrop makes Western-aligned corporate and government systems, including those of NATO states, much more desirable targets for state or de facto state cyber operations in the event the conflict widens.

Russia has already indicated it regards Western cyber aid to Ukraine, including the safe harbouring of pro-Ukrainian cyber operators and patriotic hackers, as a new frontier beyond previous norms.

Many expected the tempo of cyber-based fraud to escalate after sanctions against Russia were announced and regular sources of cash flow dried up.

There is also a growing belief that many ostensible ransomware hacks that have resulted in big data spills and breaches, like Medibank, Optus and Latitude, are essentially data mining for a fraud land grab as technologies like Authorised Push Payments come online in nations using the SWIFT network.

Ironically, while the core SWIFT platform is more secure than other comparable underlying transactional products used by banks, it’s the customer psychology of banks and other businesses coupled with real-time funds clearance that’s being exploited, with scams and bogus payment requests proliferating.

The greater the trove of customer personal information, the greater the funnel for online fraudsters who are known to provide supplemental income to state-tolerated actors.

Pest control prices under scrutiny

One of the big issues for enterprise software customers like banks, who literally spend tens of billions of dollars a year on flyscreen to keep out cyber pests, is that anti-cartel laws essentially stop them from collectively taking a stand against sloppy software suppliers.

“Insecure technology products can pose risks to individual users and our national security,” said the US National Security Agency’s (NSA) Cybersecurity Director Rob Joyce.

“If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see. The international coalition partnering on this report speaks to the importance of this issue.”

Australia is also adding its voice to back the crackdown.

“Cyber security cannot be an afterthought,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre.

“Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital to putting cyber security at the centre of the technology design process.”

Grand designs

Bradshaw’s comments and Australia’s participation in the ‘Secure-by-Design’ push also point to an increased likelihood that the Albanese government, its security agencies and regulators will be prepared to go further by codifying quality standards and legal obligations for software suppliers.

A notable shift in the US language is specifically calling out software makers as “manufacturers” because this shifts them onto a far stricter onus of quality control for merchandisable goods and potential liability for defects on par with other industries, like car makers, aircraft manufacturers, food producers and the pharmaceuticals industry.

In Australia, that means US and local software companies could potentially be far more tightly regulated under the forthcoming Cyber Security Strategy, with corrective measures, including naming and shaming and big fines, applied to banks, utilities and other providers with poor performance.

Of course, the entire data-breach notification regime, which forces businesses to reveal when they have been hacked and looted of customer information, is itself a form of naming and shaming coupled with consumer protection.

Calling IT out

The language of cyber authorities is getting blunter too.

“In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in its announcement of the crackdown.

Specifically, it’s calling for software manufacturers to:

Take ownership of the security outcomes of their technology products, shifting the burden of security from the customers. A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.

Embrace radical transparency and accountability — for example, by ensuring vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate.

Build the right organisational structure by providing executive-level commitment for software manufacturers to prioritize security as a critical element of product development.

Them’s fightin’ words. And with a hot cyber theatre active in Eastern Europe, the fight just got real.

