Credit: 134527457 © 7xpert | Dreamstime.com
A push for a shift in responsibility for the safety and security of software products away from the end user, led by the US, has been backed by New Zealand and Australia.
New Zealand’s National Cyber Security Centre (NCSC), CERT NZ and the Australian Cyber Security Centre (ACSC) have joined remaining Five Eyes members the United States, United Kingdom and Canada, as well as Germany and the Netherlands, in the drive for increased onus on vendors for the safety of their products.
The joint guidance outlines ‘urgent steps’ for vendors to overhaul the design and development of their products with safety for customers prioritised in a “secure-by-design and -default” approach.
“The guidance, the first of its kind, is intended to catalyse progress towards further investments and cultural shifts necessary to achieve a safe and secure future,” the statement reads.
“We recognise the need for governments to work closely with industry and we hope this guidance prompts useful conversations, as well as helping organisations to understand the importance of robust security as a factor when making purchasing decisions,” said Lisa Fond, deputy director-general of NCSC.
“Cyber security cannot be an afterthought,” added ACSC’s head Abigail Bradshaw. “Strong and ongoing engagement between government, industry and the public is vital to putting cyber security at the centre of the technology design process.”
Vendors are urged to take action in three key areas; to take ownership of the security outcomes of their products with security controls automatically enabled, to “embrace radical transparency and accountability”, and to strive for organisational change with executive-level commitment to prioritising product security.
“By creating products that are secure… manufacturers can take much of the burden from end-users,” said Rob Pope, Director of CERT NZ.
“These steps are the cyber equivalent of seatbelts, simple inbuilt default practices that keep people safe. This publication shows that the government of Aotearoa New Zealand is serious about keeping people secure online.”
The guidance comes after the March release of the US National Cybersecurity Strategy, which encompasses virtually all the weaknesses and challenges inherent in cybersecurity, from software vulnerabilities to internet infrastructure vulnerabilities to workforce shortages.
The strategy specifically identifies a "rebalance" in the responsibilities of cyber risk.
