A senior US cybersecurity official described adoption of some of Microsoft and Twitters security protocols as disappointing as part of a broadside against large technology companies approach to protecting user accounts.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a speech Monday that bad software and unsafe practices are facilitating ransomware attacks that are crippling the nations most essential services, spanning energy supply, food production, hospitals and schools.
Microsoft, Twitter and other technology companies should by default enroll users in basic safeguards such as multifactor authentication, according to Easterly. Multifactor authentication is a security method in which users log in to their accounts with a username, password and an additional layer of verification. Twitter on Feb. 17 said it will begin charging users for text-based multifactor authentication, a service thats traditionally cost nothing.
Technology manufacturers must take ownership of the security outcomes for their customers, Easterly said at Carnegie Mellon University, according to prepared remarks shared in advance with Bloomberg News. The government can also play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers.
She also backed the prospect of legislation to create liability for technology companies if their products include inordinate risk, saying technology products on sale have thousands of defects and that weak default settings expose customers to undue risk.
Roughly a quarter of Microsofts enterprise customers and a third of their administrator accounts, which can access and enable changes on multiple other accounts, use multifactor authentication, Easterly said.
Fewer than 3% of Twitters users rely on the same capabilities, according to the companys 2021 transparency report. Easterly said the Microsoft and Twitter figures are disappointing.
I hope that those numbers go up, Easterly told Bloomberg News following her speech, referring to her comments that described Microsofts multifactor authentication numbers as too low.
The CISA director also said she hadnt contacted Twitter directly about its latest policy change. We dont tell social media companies what to do, she said, adding that she hoped the company would be more thoughtful about its approach to MFA.
She added the fact that the companies published their multifactor adoption rates among users was a positive sign, however.
Consumers must have transparency so they can make a decision about whether to use a given product based on its safety, she said.
Neither Microsoft nor Twitter immediately responded to requests for comment.
Apple Inc. says that 95% of its iCloud users have multifactor authentication enabled because the company activates the setting by default, an example Easterly encouraged other firms to follow.
In addition, Easterly says tech companies should stop charging extra for basic security protections as expensive add-ons, though she didnt name any specific products or companies.
Tech firms should also fix widespread coding problems with software memory, which have created flaws that she said account for two-thirds of all known software vulnerabilities, Easterly said. The best fix is to write or rewrite code in specific programming languages, she said, citing Go, Java, Python and Rust.
The remarks from the top official at CISA, a unit of the Department of Homeland Security, come as the Biden administration is preparing a national cyber strategy thats poised to bring up regulation to force companies to tackle hacking threats.
Learn how to navigate and strengthen trust in your business with The Trust Factor, a weekly newsletter examining what leaders need to succeed. Sign up here.
