- A top US cybersecurity official has urged companies to take on more of the burden of securing their services for customers and suggested new legislation should hold them accountable.
- Cybersecurity and Infrastructure Security Agency Director Jen Easterly held up Apple as a positive example of accountability and transparency for its security practices during a speech Monday at Carnegie Mellon University.
- In contrast, Easterly pointed to low MFA adoption rates at Microsoft and Twitter.
Jen Easterly, candidate for director of the Homeland Security Cybersecurity and Infrastructure Security Agency, testifies during her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee on June 10, 2021 in Washington, DC.
A top US cybersecurity official has urged companies to take on more of the burden of securing their services for customers and suggested that new legislation should hold them accountable for creating and maintaining secure software.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly held up Apple as a positive example of accountability and transparency for its security practices during a speech Monday at Carnegie Mellon University.
She pointed to Apple’s disclosure that 95% of iCloud users enable multi-factor authentication, or MFA, a highly recommended security measure that requires a user to enter a code sent to another device or account when signing in, to protect against hackers. Easterly said the high adoption rate is a result of Apple making MFA the default.
In doing so, Easterly said, “Apple takes ownership of the security results of its users.”
In contrast, Easterly said MFA adoption rates were low at Microsoft and Twitter. She said the figures, about a quarter of Microsoft enterprise customers using MFA and less than 3% of Twitter users using it, were “disappointing.”
Still, she praised the companies for their transparency in disclosing the numbers.
“By providing sweeping transparency around the adoption of MFA, these organizations are helping to shine a light on the need for security by default,” Easterly said, according to her prepared remarks. “Others should follow their lead – in fact, every organization should require transparency regarding the practices and controls adopted by technology vendors, and then require the adoption of those practices as baseline acceptability criteria prior to purchase or use.”
Easterly suggested that new legislation should “prevent technology manufacturers from contractually disclaiming liability, establish higher standards of protection for software in specific critical infrastructure entities, and foster the development of a framework to protect from liability companies that develop and maintain their software products and services.”
Microsoft and Twitter did not immediately provide comment.