Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government’s Cybersecurity and Infrastructure Security Agency, has argued.
“The truth is: Technology vendors are the characters who are building problems” into their products, which then “open the doors for villains to attack their victims,” declared Easterly during a Wednesday keynote address at Mandiant’s mWise conference.
Easterly also implored the audience to stop “glamorizing” crime gangs with fancy poetic names. How about “Scrawny Nuisance” or “Evil Ferret,” Easterly suggested.
Even calling security holes “software vulnerabilities” is too lenient, she added. This phrase “really diffuses responsibility. We should call them ‘product defects,’” Easterly said. And instead of automatically blaming victims for failing to patch their products quickly enough, “why don’t we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors.”
In addition, a lot of cybercrime involves social engineering as part of the attack vector. You can’t roll out a security patch for Karen from HR.