We rely on software all the time—you probably joined a video call, sent an email, or logged into your banking application today. Businesses rely on software to sell goods and services, governments rely on it to deliver public services, and critical infrastructure relies on software to manage electricity and water. These activities require the storage and processing of massive amounts of sensitive data including personally identifiable and proprietary information. It is critical to keep such data secure from malicious actors who may find political or financial gain in leaking data or holding it for ransom.

Software that is not designed to secure data threatens the digital foundations of our everyday lives, and it is the software manufacturers that control this critical security. However, the current paradigm in the software industry is that consumers, rather than manufacturers, disproportionately bear the cybersecurity burden. This imbalance means that the products we rely on are not always built to be safe from the outset. As a result, consumers must regularly apply patches, review network logs, and purchase additional security products to keep individuals and organizations safe from cyber threats. Imagine if, after buying a car, you had to purchase additional products to prevent accidents and ensure your safety—like paying extra for seatbelt and airbag installation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends a new approach to addressing cybersecurity risks: Secure By Design. This model shifts the responsibility of cybersecurity from consumers to manufacturers, to create a secure world in which consumers can trust the safety of their technology. The concept of Secure By Design, while initiated by CISA, provides a strong model from which to enhance cybersecurity around the globe and through international development activities.

Secure By Design Explained

In April 2023, CISA launched the Secure By Design concept via a seminal white paper that was issued in collaboration with various international organizations. CISA emphasizes that security needs to be prioritized from the earliest stages of product development, decreasing the number of possible exploitable flaws before a product goes to market.

The Secure By Design guidance lays out three principles for software manufacturers to adopt: (1) own the responsibility for customer security outcomes; (2) lead the way for radical transparency and accountability; and (3) build organizational structure and leadership to achieve these goals, ensuring that the CEO prioritizes security.

A key element of the Secure By Design initiative is the Secure by Design Pledge. The Pledge contains seven goals for technology products, such as incorporating multi-factor authentication and reducing default passwords; reducing entire classes of vulnerability; using security patches; and being transparent in vulnerability reporting. Taking the Pledge signifies a company’s commitment to work towards the goals over the following year. CISA recommends that companies publicly document instances where they make measurable progress towards the goals and, in cases where they do not make progress, share with CISA the steps taken and challenges faced.

Progress to Date

A year and a half in, the Secure By Design initiative has built momentum toward shifting the balance of responsibility around software security. More than 199 companies have signed the Pledge, and CISA has released additional technical guidance, a public consultation-based update to the Secure By Design white paper, and a new Secure By Design action-oriented alert series. The alerts are released in response to cybersecurity threats and highlight the connection between cybersecurity breaches and product defects.

Considerations for Global Development Practitioners

Cybersecurity is a critical concern for developed and developing countries across the globe. The Secure By Design framework offers a proactive solution for enhancing baseline cybersecurity for all users. In the international development context, this model can drive more secure digital ecosystems by empowering individuals, small organizations, governments, and local technology providers to prioritize cybersecurity from the start. Below are three key approaches for applying the Secure By Design concept for improved cybersecurity in the international development sphere.

  1. Raise cybersecurity awareness among individuals and small organizations to drive demand. It is basic economics that software suppliers (manufacturers and developers) want to deliver consumer-requested products and features. Therefore, it is critical that consumers demand security. However, if consumers (individuals and organizations) are not aware of the importance of cybersecurity, they will not be equipped to generate demand for more secure technologies. International development practitioners should consider integrating cybersecurity awareness-raising into existing activities that use digital tools or running it as standalone public awareness campaigns. For example, if farmers are being trained to use a new agricultural extension mobile application, they should also be informed of the associated cybersecurity risks and how to safeguard against them. Under the Digital Frontiers project, DAI implemented various cybersecurity awareness-raising efforts across Asia, which yielded important lessons learned, such as understanding the audience, including their habits and perception of risk, and considering unconventional local partners. While U.S.-centric, CISA’s guidance for how to better understand a software manufacturer’s approach to cybersecurity is a great starting point for initiating a global Secure By Design demand movement where consumers are equipped with the knowledge to ask the right questions and demand security specifications of software manufacturers.

  2. Engage government stakeholders to drive the adoption of Secure By Design software. In many countries, governments account for a sizeable portion of software consumption. If governments demand that secure standards are met for all procurements, software manufacturers and developers may be more motivated to comply. For example, in March, CISA and the U.S. Office of Management and Budget released the secure software development attestation form. This form is intended to ensure that companies supplying software to the federal government use secure software development practices. Of course, all countries and their governmental operations are unique. This approach would have to be tailored to fit government capacity, legislative protocol, procurement policies, and local technology sector capacity. Another approach for supporting governments to spearhead a more secure approach to software development is to follow the European Union model, which proposed a Cyber Resilience Act in September 2022. The Act intends to improve cybersecurity by requiring common standards and enhanced transparency for digital products across the market.

  3. Support local technology companies to prioritize Secure By Design principles. If consumers demand increased product security, but suppliers do not have the capabilities or resources to meet that demand, there will of course continue to be a mismatch. Consider providing technical capacity building or financial support to local private sector technology providers to enable investment in enhanced product security. If international technology companies are major software providers in a country, they should be directed to CISA’s Secure By Design resources and Pledge. Cybersecurity threats and protection are borderless; the Secure By Design movement, while driven by CISA, can certainly have a global impact.