West News Wire: In an attack on the methods used by major technology companies to safeguard user accounts, a senior US cybersecurity official called the adoption of parts of Microsoft Corp.’s and Twitter Inc.’s security policies “disappointing”.
In a speech on Monday, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, claimed that subpar software and unsafe procedures are enabling ransomware attacks that are crippling the country’s most vital services, including the provision of energy, the production of food, hospitals, and schools.
According to Easterly, Microsoft, Twitter, and other internet companies should automatically enroll users in fundamental security measures like multifactor authentication. Users enter into their accounts using a username, password, and an additional form of verification known as multifactor authentication. On February 17, Twitter on Feb. 17 said it will begin charging users for text-based multifactor authentication, a service that’s traditionally cost nothing.
“Technology manufacturers must take ownership of the security outcomes for their customers,” Easterly said at Carnegie Mellon University, according to prepared remarks shared in advance with Bloomberg News. “The government can also play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers.”
She also backed the prospect of legislation to create liability for technology companies if their products include inordinate risk, saying technology products on sale have thousands of defects and that weak default settings expose customers to undue risk.
Roughly a quarter of Microsoft’s enterprise customers and a third of their administrator accounts, which can access and enable changes on multiple other accounts, use multifactor authentication, Easterly said.
Fewer than 3% of Twitter’s users rely on the same capabilities, according to the company’s 2021 transparency report. Easterly said the Microsoft and Twitter figures are “disappointing.”
“I hope that those numbers go up,” Easterly told Bloomberg News following her speech, referring to her comments that described Microsoft’s multifactor authentication numbers as “too low.”
The CISA director also said she hadn’t contacted Twitter directly about its latest policy change. “We don’t tell social media companies what to do,” she said, adding that she hoped the company would be “more thoughtful” about its approach to MFA.
She added the fact that the companies published their multifactor adoption rates among users was a positive sign, however.
Consumers must have transparency so they can “make a decision” about whether to use a given product based on its safety, she said.
Neither Microsoft nor Twitter immediately responded to requests for comment.
Apple Inc. says that 95% of its iCloud users have multifactor authentication enabled because the company activates the setting by default, an example Easterly encouraged other firms to follow.
In addition, Easterly says tech companies should stop charging extra for basic security protections as expensive add-ons, though she didn’t name any specific products or companies.
Tech firms should also fix widespread coding problems with software memory, which have created flaws that she said account for two-thirds of all known software vulnerabilities, Easterly said. The best fix is to write or rewrite code in specific programming languages, she said, citing Go, Java, Python and Rust.
The remarks from the top official at CISA, a unit of the Department of Homeland Security, come as the Biden administration is preparing a national cyber strategy that’s poised to bring up regulation to force companies to tackle hacking threats.