Chinese hackers are too frequently going “unidentified and undeterred,” and software companies aren’t doing enough to secure their products from cyber-attacks that “can do real damage” to US interests through the loss of trade secrets, a top US cyber official said Monday.
“The risk introduced to all of us by unsafe technology is frankly much more dangerous and pervasive than the spy balloon, but somehow we’ve allowed ourselves to accept it,” US Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a speech at Carnegie Mellon University.
Easterly was referring to a suspected Chinese surveillance balloon that flew over multiple US states before the US military shot it down on February 4. The episode had increased tensions in US-China relations and caused US Secretary of State Antony Blinken to postpone a trip to Beijing.
Easterly’s speech reflects frustration from US officials that major software programs used by millions of people are routinely released with gaping flaws that can be exploited by hackers. After a series of high-profile hacks, the Biden administration introduced cybersecurity regulations for sectors such as pipelines. US officials have not ruled out more regulation in an effort to raise defenses.
While the balloon caused a public uproar, cybersecurity officials from across the US government have been warning for years that China has been quietly amassing US government and corporate secrets through hacking. Beijing denies the allegations.
The alleged Chinese cyber espionage campaigns have often exploited wildly popular software that has allowed them a foothold into US government agencies and corporations alike. In late 2021, for example, suspected hackers used a popular password management software to breach multiple US defense contractors, according to researchers.
Easterly, who spent years working on offensive cyber operations with the US National Security Agency, said the frequent hacks of US organizations by China and other foreign governments and criminal groups are merely a “symptom” rather than a cause of US insecurity in cyberspace.
The bigger problem, she said, is that too many major software makers are not designing their products more securely and making it easy for the user to maintain that security.
Easterly did not single out specific companies for poor software design, but instead cited statistics from Twitter and Microsoft saying just a fraction of users or enterprise customers are using an extra layer of security when signing into their accounts.
“[T]he burden of safety should never fall solely upon the customer,” Easterly said. “Technology manufacturers must take ownership of the security outcomes of their customers.”
She called on technology manufacturers to “embrace radical transparency” by sharing more of their software design plans publicly so that they can be scrutinized by experts.