Connect with us

World News

CISA’s security-by-design initiative is at risk: Here’s a path forward on July 29, 2023 at 12:30 pm



The Biden administration’s 2023 National Cybersecurity Strategy identified structural shortcomings in the state of cybersecurity, calling out the failure of market forces to adequately distribute responsibility for the security of data and digital systems. Most prominently, the strategy seeks to “rebalance responsibility [for security] to those best positioned.”


Shortly after the strategy’s launch in March of this year, the Cybersecurity and Infrastructure Security Agency (CISA) kicked off an effort to “shift the balance of cybersecurity risk” by pushing firms to adopt security-by-design (SbD) practices, improving the safety and security of their products at the design phase and throughout their life cycle.

CISA director Jen Easterly’s announcement of these efforts appears to put CISA at the forefront of this rebalancing, addressing technology vendors’ incentives to underinvest in security through changes in how those firms design and deploy the products they sell. As the first substantive proposal from President Biden’s administration to effectuate this rebalancing since the launch of the strategy, the success or failure of the SbD initiative could be a bellwether for one of the strategy’s two fundamental ideas.

Success with SbD is at risk, however, both from the political challenges of implementing SbD practices and the threat of unrealistic expectations. This piece addresses both and highlights a path forward.

Political and structural headwinds

The politics of SbD implementation — which implicitly require a capacity to compel change in vendor practices, as well as the insight to design them — are treacherous ground for CISA, as the fast-growing agency is not a regulator. In time, it might become one, but current and past leadership insist that such responsibilities would be at odds with agency culture and its operational responsibilities.


The agency’s ability to support, build capacity, train, coordinate, and plan together with state, local, tribal and territorial entities, and industry stakeholders is rooted in its disposition as a trusted partner and neutral convener.

This means CISA should be only one of several federal agencies working to implement SbD, with cooperation from regulators like the Federal Trade Commission (FTC), a sharp and pointy complement to CISA’s open-handed approach. Otherwise, the SbD initiative could place CISA in a bind, trying to fix entrenched market incentive problems but without the ability to compel companies to act differently. CISA efforts to create accountability might undermine its attempts to generate goodwill.

Developing and defining a set of SbD practices that vendors can attest to, and that the U.S. government and other parties can verify or enforce, is a tremendous undertaking in and of itself. CISA must build SbD practices alongside an architecture for enforcement that sets clear roles for entities like the FTC, the Department of Defense, the Securities and Exchange Commission, and the General Services Administration.

The White House has responsibility here, too, and specifically the Office of the National Cyber Director, to guide this multi-agency effort within a strategy to manage the industry politics of shifting the incentives in this market — precisely what the office was designed, staffed, and organized to do. CISA’s focus must remain on enumerating and updating the essential SbD practices.


Just one piece of the puzzle

As we have argued before, “no strategy can address all sources of risk at once, but . . . silver bullets often trade rhetorical clarity for crippling internal compromises.” The SbD program could achieve deep, meaningful changes in how some of the largest technology vendors build services and products. Those changes would have material benefits for the security of every technology user.

However, cajoling all firms toward a comprehensive and uniform set of best practices is a fundamentally incompletable task.

Malicious actors perpetually seek new means of exploit; different sectors and system classes face different and unique challenges; and new technologies are prone to modes of failure, both new and unforeseen. Adopting certain new processes, rigorously enforcing them, and fixing existing incentives would still be a much-needed improvement over the current status quo.

However, adopting memory-safe languages or pushing large actors toward better risk management would not necessarily have prevented many significant vulnerabilities in recent memory, such as Log4Shell. To succeed, CISA will also need to understand how large technology companies build products and services — current industry practice is far from complete or perfect, but it is the baseline from which SbD hopes to drive change. Understanding that baseline is critical.


There is danger when rhetoric around shifting responsibility in cyberspace suggests that cybersecurity problems and challenges exist only because technology vendors cut corners or that all cybersecurity risk can be avoided by following a simple set of straightforward practices. The increasingly interconnected, dependent nature of software systems, as well as the variety of organizations and systems they connect to, creates risks all its own.

SbD is an important piece of managing this — the status quo of responsibility deferred to the user is broken — but describing SbD as a panacea risks creating backlash when insecurity inevitably persists.

It is clear CISA recognizes that success in SbD could be one of the most impactful policy interventions in cybersecurity in the last decade. It is also clear that the program, even in its most successful incarnation, will leave some problems unsolved. Specificity about the scope and goals of the program will help prevent its inevitable critics from distorting the debate into all-or-nothing terms.

Risk and opportunity

SbD — the first policy manifestation of the National Cybersecurity Strategy’s effort to shift responsibility — will not come about by sheer goodwill alone. CISA is not a regulator, and it must define a path for federal agencies that are regulators so that the implementation of SbD leverages the broader standards setting, enforcement, and regulatory powers of the federal government.


Shying away from direct government enforcement of these security practices risks consigning the effort to history, alongside many other “voluntary” and “industry-led” programs.

The growing and talented team at CISA have 18 months until January 2025, which will bring either the paralyzing tumult of transition or the still-chaotic maturation of a first-term administration into a second. The largest vendors that would participate in this program are not going anywhere and can afford to wait.

In this sense, CISA and the wider U.S. government’s cyber policy apparatus is on the clock. CISA must focus on the essential elements of SbD and organize, build, and engage with a clear deadline in mind. The clock is ticking.

​ Success with security-by-design is at risk, both from the political challenges of implementation and the threat of unrealistic expectations. 


Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *


TikTok Sues US Gov’t



TikTok is suing the US government to stop the enforcement of a bill that seeks to force the app’s Chinese owner to sell the app or face a ban. The lawsuit argues that the bill violates constitutional protections of free speech and is an “unprecedented violation” of the First Amendment.

Visit of Shou Zi Chew, CEO of TikTok, to the European Commission


  • The bill, the Protecting Americans from Foreign Adversary Controlled Applications Act, was passed last month.
  • The lawsuit was filed in the US Circuit Court of Appeals for Washington, DC.
  • TikTok argues that the bill is a permanent, nationwide ban on a single speech platform and restricts free speech without sufficient reason.

Consulting Firm for your Brand and Film

Government Response

  • The Department of Justice has not commented on the lawsuit.
  • A White House spokesperson directed a request for comment to the Justice Department.
  • John Moolenaar, chairman of the House Select Committee on the Chinese Communist Party, stated that TikTok poses a grave risk to national security and the American people.

Legal Proceedings

  • The lawsuit is expected to add to an already lengthy timeline for a potential ban or sale of the app.
  • ByteDance, TikTok’s Chinese owner, already had over a year to make a move, and legal proceedings will pause the timeline, meaning it could be years before a ban goes into effect.

TikTok’s Efforts

  • TikTok has made efforts to assure the public and US officials that it takes data security seriously.
  • In 2022, the company started “Project Texas,” a move meant to provide data security and transparency around the information the app collects about US users.


  • The lawsuit states that Congress has not offered any evidence suggesting that TikTok poses data security risks or foreign propaganda spread that could justify the law.
  • TikTok claims the law violates the right to due process under the Fifth Amendment and is an unconstitutional bill of attainder.

Continue Reading


Universal Music Group & TikTok Partner in New Licensing Agreement



In a monumental move, Universal Music Group (UMG) and TikTok have announced a pioneering licensing agreement that will transform the music landscape. This historic deal unites UMG’s vast music catalog with TikTok’s massive user base, unlocking unprecedented opportunities for artists, songwriters, and fans worldwide.

Visit of Shou Zi Chew, CEO of TikTok, to the European Commission

A New Era for Music Consumption and Monetization

The agreement marks a significant milestone in the UMG-TikTok relationship, allowing users to once again create videos featuring music from global superstars and emerging talent. The deal also paves the way for innovative monetization opportunities, with TikTok investing in artist-centric tools and campaigns to support UMG artists across genres and territories globally.
A Shared Commitment to Valuing Music and Creativity
Sir Lucian Grainge, Chairman and CEO of UMG, and Shou Chew, CEO of TikTok, hailed the agreement as a “new chapter” in their partnership, built on a shared commitment to promoting the value of music, human artistry, and the welfare of the creative community.

Sir Lucian Grainge, Chairman and CEO of UMG on the left of the photo.

Addressing Generative AI Concerns
The deal also tackles concerns around generative AI, with TikTok committing to work with UMG to ensure that AI development in the music industry protects human creativity and the economics that flow to artists and songwriters.
Deeper Connections and Responsible AI Development
Ole Obermann, TikTok’s Global Head of Music Business Development, emphasized that the agreement will “create deeper connections between artists, creators, and fans” and ensure that AI tools are developed responsibly to enable a new era of musical creativity and fan engagement.
Transformational Partnerships and Advancements
Michael Nash, Chief Digital Officer and EVP of UMG, welcomed the renewed relationship with TikTok, citing the potential for “transformational partnerships” and “significant advancements” in commercial and marketing opportunities, as well as protections for UMG’s industry-leading roster.
A Win for the Music Industry
This groundbreakingagreement is a major victory for the music industry, which has long sought to strike a balance between promoting artistic creativity and protecting the rights of artists and songwriters in the digital age. With UMG and TikTok working together, the possibilities for innovation and growth are endless, and fans can look forward to enjoying music from their favorite artists in new and exciting ways.
Thanks for reading! If you’re interested in reaching an engaged audience and growing your brand, consider advertising with Bolanle Media. Our platform offers a range of opportunities to connect with our readers and promote your products or services. Contact us at to learn more about our advertising options and how we can help you achieve your marketing goals.

Continue Reading


House of Lords to Host Nigerian Innovators



Clean Cyclers, alongside Sustainability Unscripted and other sustainability partners, is gearing up to host the 3rd Edition of the Global Sustainability Summit in the United Kingdom. Scheduled for March 28 – 29, 2024, at the prestigious House of Lords in the Palace of Westminster, the summit aims to raise awareness, promote collaboration across disciplines, tackle global challenges with local solutions, and advocate for social equity.

Canon Otto, the organizer and founder of Clean Cyclers, emphasized the summit’s commitment to inclusivity, prioritizing climate action, environmental stewardship, and identifying policy pathways for sustainable development. Under the theme “Advancing Sustainability, a Journey Towards a Greener Future,” the summit will gather leading visionaries, experts, innovators, and change-makers from global corporations, organizations, and government agencies to brainstorm strategies for adopting the 2030 Sustainable Development Goals.

Sustainability Businessman Otton Canon

The summit will feature panel sessions addressing urgent topics such as climate action, circular economy, renewable energy revolution, sustainable cities, biodiversity conservation, green finance, sustainable agriculture, and climate justice. Additionally, it will recognize and celebrate companies, governments, organizations, and individuals demonstrating commitment to sustainability through practical initiatives and the realization of short-term objectives and long-term goals.

In a statement, the organizers highlighted the broad spectrum of sustainability practices, policies, and innovations aimed at mitigating climate change, conserving biodiversity, protecting natural resources, and promoting social equity. The theme “Advancing Sustainability” underscores the need for a shift from short-term exploitative approaches to long-term regenerative ones, reflecting humanity’s ability to learn, adapt, and innovate.


The summit aims to foster knowledge exchange, collaboration, and actionable solutions over two days of physical gathering at the House of Parliament in London. Participants will explore diverse perspectives, share knowledge, and work together to shape strategies that drive meaningful change and accelerate progress towards a sustainable future.

Continue Reading


    Your Cart
    Your cart is emptyReturn to Shop