U.S. cyber official praises Apple security and suggests Microsoft, Twitter need to step it up
- A top U.S. cybersecurity official urged businesses to take on more of the burden of securing their services for customers and suggested that new legislation should hold them accountable.
- Cybersecurity and Infrastructure Security Agency Director Jen Easterly held up Apple as a positive example of accountability and transparency for its security practices during a speech delivered Monday at Carnegie Mellon University.
- By contrast, Easterly pointed to low MFA adoption rates at Microsoft and Twitter.
A top U.S. cybersecurity official urged businesses to take on more of the burden of securing their services for customers and suggested that new legislation should hold them accountable for creating and maintaining secure software.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly held up Apple as a positive example of accountability and transparency for its security practices during a speech delivered Monday at Carnegie Mellon University.
She pointed to Apple's disclosure that 95% of iCloud users enable multifactor authentication, or MFA, a highly recommended security measure that requires a user to input a code sent to a different device or account during sign-in to guard against hackers. Easterly said the high adoption rate is a result of Apple making MFA the default.
In doing so, Easterly said, "Apple is taking ownership for the security outcomes of their users."
By contrast, Easterly said there are low MFA adoption rates at Microsoft and Twitter. She said the roughly one-quarter of Microsoft enterprise customers who use MFA, and fewer than 3% of Twitter users who use it, is "disappointing."
Still, she praised the companies for their transparency in disclosing the numbers.
"By providing radical transparency around MFA adoption, these organizations are helping shine a light on the necessity of security by default," Easterly said, per her prepared remarks. "More should follow their lead— in fact, every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use."
Easterly suggested that new legislation should "prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."
Microsoft and Twitter did not immediately provide comment.
WATCH: Closing keynote: The White House is serious about cybersecurity
Drones attack Russian oil refineries; Germany closes Russian consulates in retaliatory move
39-year-old 'frugal' self-made millionaire: 5 things I refuse to spend my money and time on
Stocks making the biggest moves midday: Intel, C3.ai, Advance Auto Parts, HP and more
Harvard psychologist: If you use any of these 9 phrases, 'you're more emotionally secure than most'
Dow slides 200 points as traders await House vote on debt ceiling