A top U.S. cybersecurity official has called on businesses to take more responsibility for safeguarding the services they provide to customers, and suggested that new legislation should make them responsible for creating and maintaining secure software.
In a speech on Monday at Carnegie Mellon University, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, cited Apple as a good example of a company that is accountable and transparent about its security practices.
Apple announced last week that 95% of iCloud users enable multi-factor authentication, commonly known as MFA. This is a highly recommended security measure that requires the user to input a code sent to a different device or account during the sign-in process to guard against hackers. A key reason for the high adoption rate of MFA is the fact that Apple has made it the default method.
As a result, Easterly stated, “Apple is taking ownership of the security outcomes of their users.”
In contrast, Easterly said that there is a low adoption rate for MFA at both Microsoft and Twitter. Approximately one-quarter of Microsoft enterprise customers use multifactor authentication, and fewer than 3% of Twitter users use it, which according to her is disappointing.
Nonetheless, she praised the companies for their transparency in disclosing the numbers in a timely manner.
In her prepared remarks, Easterly said that by providing radical transparency around the adoption of MFA, these organizations are helping to illuminate the necessity of security by default. “I think more organizations should follow their lead. In fact, every organization should demand transparency regarding the practices and controls adopted by technology providers, and subsequently demand that these practices be adopted as a basic criterion to determine whether a technology is acceptable before it can be bought or used.”
In Easterly's view, new legislation should prohibit technology manufacturers from disclaiming liability by contract, establish higher standards of care for software used by specific critical infrastructure entities, and encourage the development of a safe harbor framework to shield from liability companies that develop and maintain secure software products.
Twitter and Microsoft did not immediately respond to requests for comment.