A senior U.S. cybersecurity official is due to describe some of Microsoft and Twitter's security protocols as "disappointing" as part of a broadside against large technology companies' approach to protecting user accounts.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, is scheduled to say in a speech Monday that bad software and unsafe practices are facilitating ransomware attacks that are crippling the nation's most essential services, spanning energy supply, food production, hospitals and schools.
Microsoft and Twitter should by default enroll users in basic safeguards such as multifactor authentication, according to Easterly. Multifactor authentication is a security method in which users log in to their accounts with a username, password and an additional layer of verification. Twitter
Read more:
She will back the prospect of legislation to create liability for technology companies if their products include inordinate risk, saying technology products on sale have thousands of defects and that weak default settings expose customers to undue risk.
Roughly a quarter of Microsoft's enterprise customers and a third of their administrator accounts, which can access and enable changes on multiple other accounts, use multifactor authentication, Easterly is scheduled to say.
Fewer than 3% of Twitter's users rely on the same capabilities, according to the company's 2021 transparency report. Easterly said the Microsoft and Twitter figures are "disappointing."
Neither Microsoft nor Twitter immediately responded to requests for comment.
Read more:
Apple says that 95% of its iCloud users have multifactor authentication enabled because the company activates the setting by default, an example Easterly encouraged other firms to follow.
In addition, Easterly says tech companies should stop charging extra for basic security protections as expensive add-ons, though she didn't name any specific products or companies.
Tech firms should also fix widespread coding problems with software memory, which have created flaws that she said account for two-thirds of all known software vulnerabilities, Easterly said. The best fix is to write or rewrite code in specific programming languages, she said, citing Go, Java, Python and Rust.
The remarks from the top official at CISA, a unit of the Department of Homeland Security, come as the Biden administration is preparing a national cyber strategy that's poised to bring up regulation to force companies to tackle hacking threats.