Canadian Centre for Cyber Security Issues Guidance on Security of Tech Products
The Canadian Centre for Cyber Security has issued joint guidance with government bodies from the US, Australia, New Zealand, the UK, Germany and the Netherlands that pushes technology vendors to build products that are secure by design.
Until now, the burden of security has tended to fall on the customer, whether an organization or a consumer. This leaves customers scrambling to protect themselves whenever a flaw is found in a vendor's product. While large organizations have, or can acquire, the people, money, knowledge and skills to protect themselves, it places a huge burden on regular consumers and small to medium businesses, who do not have the resources, time, energy, skills or staff to secure themselves. This leaves consumers and small to medium businesses especially vulnerable to attacks.
This joint guidance places more of the burden on vendors to build security into their products from the start and to have the products be secure by default.
Thoughts
This is definitely a step in the right direction. A disproportionate share of attacks target consumers and small to medium businesses, they can cause a great deal of damage, and vendors are not the ones paying the price.
However, this is just guidance. It is not law. For this guidance to have any weight, the recommendations need to become mandatory and penalties need to be imposed when they are not followed. The other issue is that the current recommendations are very broad. Even if turned into law, they are unlikely to be enforceable as written. To be useful, the general recommendations need to be made more specific. For example, if a product has a web interface for management purposes, then it needs to use HTTPS (or another secure protocol), and use the latest cipher suites considered secure.
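To make the "HTTPS with currently secure cipher suites" example concrete, here is an added illustration (my own code, not part of the post or of the joint guidance) of the kind of check a vendor could apply to the TLS configuration of a management web interface. It assumes, as a constructed bar, that a secure-by-default configuration means a minimum of TLS 1.2 and only AEAD cipher suites; the two sample contexts are constructed for the demonstration and stand in for a legacy product default and a hardened one.

```python
"""Audit a TLS server configuration for a management web interface.

Added example, not from the post or the guidance. The acceptance bar
(TLS 1.2 or newer, AEAD-only cipher suites) is an assumption made here
to illustrate what "latest cipher suites considered secure" could mean
in an enforceable rule; both sample contexts are constructed.
"""
import ssl


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passes."""
    findings = []

    # Finding 1: protocol floor. Anything below TLS 1.2 is treated as a failure.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum TLS version is {ctx.minimum_version.name}; "
            "require TLSv1_2 or newer"
        )

    # Finding 2: cipher suites. get_ciphers() reports each enabled suite,
    # including whether it is an AEAD construction (GCM, CCM, ChaCha20-Poly1305).
    non_aead = sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])
    if non_aead:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(non_aead))

    return findings


def legacy_context() -> ssl.SSLContext:
    """Constructed stand-in for a product shipped with permissive TLS defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # No protocol floor: whatever the linked OpenSSL still supports is accepted.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Constructed stand-in for a secure-by-default configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 suites to forward-secret AEAD ones; TLS 1.3 suites
    # are AEAD by definition and remain enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        result = audit_context(ctx)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run as a script, the hardened context passes and the legacy one reports its missing protocol floor (and, on most OpenSSL builds, the CBC suites its default cipher list still enables). The point of the exercise is that a rule phrased as "minimum TLS 1.2, AEAD suites only" can be checked mechanically, whereas "secure by default" on its own cannot.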
This is going to be a long battle. The sheer number of attacks and breaches in the last few years has been relentless. We cannot go through a week without hearing about another massive data breach or attack. Governments need to make cybersecurity policy and law a priority in the modern landscape, and require security in vendors' products, not just provide guidance. Vendors need to act and invest in making their products more secure, or else they will be left behind. In the modern world, a data breach can cause the loss of a huge number of customers. If cybersecurity laws are passed, then vendors will also be liable for penalties and damages. This will hopefully motivate vendors to act quickly in building security into their products, although this will take time and cooperation from all sides.
References
https://www.cyber.gc.ca/en/news-events/communications-security-establishment-cse-and-partners-issue-joint-guide-shifting-balance-cybersecurity-risk-technology-product-safety
https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches