Jen Easterly, nominee to be the Director of the Homeland Security Cybersecurity and Infrastructure Security Agency, testifies during her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee on June 10, 2021 in Washington, DC.
Kevin Dietsch | Getty Images
A top U.S. cybersecurity official urged businesses to take on more of the burden of securing their services for customers and suggested that new legislation should hold them accountable for creating and maintaining secure software.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly held up Apple as a positive example of accountability and transparency for its security practices during a speech delivered Monday at Carnegie Mellon University.
She pointed to Apple’s disclosure that 95% of iCloud users enable multifactor authentication, or MFA, a highly recommended security measure that requires a user to input a code sent to a different device or account during sign-in to guard against hackers. Easterly said the high adoption rate is a result of Apple making MFA the default.
In doing so, Easterly said, “Apple is taking ownership for the security outcomes of their users.”
By contrast, Easterly said there are low MFA adoption rates at Microsoft and Twitter. She said the roughly one-quarter of Microsoft enterprise customers who use MFA, and fewer than 3% of Twitter users who use it, is “disappointing.”
Still, she praised the companies for their transparency in disclosing the numbers.
“By providing radical transparency around MFA adoption, these organizations are helping shine a light on the necessity of security by default,” Easterly said, per her prepared remarks. “More should follow their lead— in fact, every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use.”
Easterly suggested that new legislation should “prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”
Microsoft and Twitter did not immediately provide comment.