The pledge offers examples of how companies can achieve the goals, although it notes that companies “have the discretion to decide the best way” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “so that others can learn.”
CISA developed the pledge in consultation with technology companies, notably Amazon and Google, seeking to understand what would be feasible for them while still meeting the agency’s goals, according to Goldstein. That meant making sure the commitments were viable for companies of all sizes, not just the Silicon Valley giants.
The agency originally attempted to use its Cyber Defense Joint Collaborative to prompt companies to sign the pledge, according to the tech industry official, but failed when companies questioned the use of an operational cyber defense collaborative group over “a political and legal,” the industry said. says the official.
“The industry expressed frustration with trying to use the JCDC to obtain pledges,” the official says, and CISA “wisely withdrew that effort.”
CISA then held discussions with companies through the Information Technology Sector Coordinating Council and modified the commitment based on their feedback. Originally, the pledge contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” to show progress, according to the industry official. In the end, this person says, CISA eliminated several goals and “expanded the language” about measuring progress.
John Miller, senior vice president of policy, trust, data and technology at the Information Technology Innovation Council, a major industry trade group, says the change was smart, because concrete progress metrics, such as the number of users that use multi-factor authentication, could be “easily misinterpreted.”
Goldstein says the number of pledge signers “exceeds my expectations of where we would be” at this point. The industry official says they are not aware of any company that has definitively refused to sign the pledge, in part because suppliers want to “keep the option to sign open” after the CISA launch event at RSA. “Everyone is kind of in a wait-and-see mode.”
Legal liability is one of the main concerns of potential signatory companies. “If there inevitably ends up being some kind of security incident,” Miller says, “anything [a] The company has publicly said it could be used in lawsuits.”
That said, Miller predicts that some global companies facing tough new European security requirements will sign the U.S. pledge to “get that credit” for something they already have to do.
CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to providers, a central theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber liability follows years of disruptive supply chain attacks against critical software makers such as Microsoft, SolarWinds, Kaseya and Change Healthcare, as well as a growing list of widespread software vulnerabilities that have fueled ransomware attacks on schools, hospitals and other essential services. White House officials say the pattern of costly and often avoidable violations demonstrates the need for greater corporate responsibility.
