CISA justifies its decision to avoid naming specific tech companies in its reports
CISA Shifts Focus Away from Public Vendor Blame, Emphasizes Collaborative Security
The Cybersecurity and Infrastructure Security Agency (CISA) has traditionally avoided publicly naming technology vendors for security failings, instead focusing on broadly highlighting cybersecurity vulnerabilities and best practices [1][2]. This approach aims to encourage remediation and shared learning within the community rather than litigating or publicly shaming vendors.
However, exceptions to this policy occur when there is an urgent, widespread risk to critical infrastructure or national security. In such cases, CISA may issue specific advisories or alerts about vulnerabilities, which could identify vendors or products to ensure that users and organizations take timely protective action [2].
The Cyber Safety Review Board (CSRB), a partnership between government officials and cybersecurity experts, recently broke from this norm by releasing a report last month on a China-affiliated threat group's intrusion into and compromise of Microsoft Exchange accounts in May 2023 [4]. This marks the first time the CSRB has focused on a specific vendor; its previous reports examined the Log4j vulnerability and the Lapsus$ ransomware group.
The CSRB's latest report highlights how a vendor's business decisions led to insecure and harmful outcomes for its customers [4]. This shift in focus from technical vulnerabilities to business practices reflects the CSRB's broader mandate to examine the interplay between technology, business, and national security.
CISA, on the other hand, continues to employ multiple strategies to secure an ecosystem that has been broken for years, if not decades. While it does not typically call out technology vendors for mistakes that harm customers, it may publicly disclose findings about organizational cybersecurity shortcomings and frame them as lessons for the wider community [1][2].
Broader initiatives like SCuBA provide vendor-neutral frameworks and best practices for secure cloud adoption and operational security, reflecting CISA's preference for collaborative, standards-based security enhancements instead of vendor-specific criticism [3].
CISA Director Jen Easterly stated that the agency can make a greater impact by identifying such mistakes and generalizing the lessons for a broader audience [2]. This approach aligns with CISA's mission to protect national cybersecurity interests by providing timely, actionable transparency while minimizing public blame and fostering a culture of continuous learning and improvement within the community.
References:
[1] Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). CISA's Advisories. Retrieved from https://us-cert.cisa.gov/ncas/alerts
[2] Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). CISA's Role in the Ecosystem. Retrieved from https://us-cert.cisa.gov/about/role-in-ecosystem
[3] Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Secure Cloud Usage Best Practices (SCuBA). Retrieved from https://us-cert.cisa.gov/ncas/alerts/aa22-338a
[4] Cyber Safety Review Board (CSRB). (2023). Report on the China-Affiliated Threat Group's Intrusion and Compromise of Microsoft Exchange Accounts. Retrieved from https://www.cisa.gov/csrb/reports/report-china-affiliated-threat-group-s-intrusion-and-compromise-microsoft-exchange-accounts
- Despite typically avoiding vendor blame, CISA may publicly disclose findings about organizational cybersecurity vulnerabilities as lessons for the wider community, as demonstrated by their previous advisories and alerts.
- The Cyber Safety Review Board (CSRB), in contrast to CISA's approach, recently focused on a specific vendor's business decisions in its report, documenting how those decisions led to insecure and harmful outcomes for the vendor's customers.
- To secure cloud and data ecosystems, CISA encourages adoption of vendor-neutral frameworks and best practices, such as those provided by the SCuBA initiative, promoting collaborative, standards-based security solutions rather than vendor-specific criticism.