A SENIOR US cybersecurity official is due to describe some of Microsoft and Twitter’s security protocols as “disappointing” as part of a broadside against large technology companies’ approach to protecting user accounts.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), is scheduled to say in a speech on Monday (Feb 27) that bad software and unsafe practices are facilitating ransomware attacks that are crippling the nation’s most essential services, spanning energy supply, food production, hospitals and schools.

Microsoft and Twitter should by default enrol users in basic safeguards such as multifactor authentication, according to Easterly. Multifactor authentication is a security method in which users log in to their accounts with a username, password and an additional layer of verification. Twitter on Feb 17 said it will begin charging users for text-based multifactor authentication, a service that’s traditionally cost nothing.

“Technology manufacturers must take ownership of the security outcomes for their customers,” Easterly will say at Carnegie Mellon University, according to prepared remarks shared in advance with Bloomberg News. “The government can also play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers.”

She will back the prospect of legislation to create liability for technology companies if their products include inordinate risk, saying technology products on sale have thousands of defects and that weak default settings expose customers to undue risk.

Roughly a quarter of Microsoft’s enterprise customers and a third of their administrator accounts, which can access and enable changes on multiple other accounts, use multifactor authentication, Easterly is scheduled to say.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

Fewer than 3 per cent of Twitter’s users rely on the same capabilities, according to the company’s 2021 transparency report. Easterly said the Microsoft and Twitter figures are “disappointing.”

Neither Microsoft nor Twitter immediately responded to requests for comment.

Apple says that 95 per cent of its iCloud users have multifactor authentication enabled because the company activates the setting by default, an example Easterly encouraged other firms to follow.

In addition, Easterly says tech companies should stop charging extra for basic security protections as expensive add-ons, though she didn’t name any specific products or companies.

Tech firms should also fix widespread coding problems with software memory, which have created flaws that she said account for two-thirds of all known software vulnerabilities, Easterly said. The best fix is to write or rewrite code in specific programming languages, she said, citing Go, Java, Python and Rust.

The remarks from the top official at CISA, a unit of the Department of Homeland Security, come as the Biden administration is preparing a national cyber strategy that’s poised to bring up regulation to force companies to tackle hacking threats. BLOOMBERG