Surveillance camera maker Axis Communications said Tuesday that it has signed the Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge, which commits the company to improving its products’ digital resilience within a year.
Lund, Sweden-based Axis, one of the largest surveillance cameras vendors in the world and one of the few major vendors not based in China, said it was already implementing many of the pledge’s tenets through its vulnerability disclosure and patching processes, its use of multifactor authentication and its rejection of default passwords.
“By making this pledge, we affirm our continuous commitment to helping customers follow cybersecurity best practices and drive greater accountability in the physical security industry,” Axis chief technology officer Johan Paulsson said in a statement. Cybersecurity is already “a core part of what we offer,” Paulsson said.
Axis’s enlistment in CISA’s Secure by Design movement comes four months after researchers at the operational technology security firm Claroty disclosed four vulnerabilities in Axis cameras that could have let hackers breach companies’ surveillance infrastructure. At the time, Claroty praised Axis for its “quick response” to the researchers’ vulnerability disclosure and its “timely” patching process.
The news also provides a boost to CISA’s Secure by Design initiative, which receded into the background after its key advocates left the agency in April.
A top threat vector
Security cameras are one of hackers’ top targets, both because they offer a vivid window into their victim’s environments and because they provide an often-overlooked vector for ransomware attacks. Many Western governments and businesses use relatively inexpensive Chinese-made cameras that contain serious vulnerabilities, and researchers have found tens of thousands of vulnerable cameras on the internet.
CISA launched the Secure by Design campaign in 2023 to pressure technology vendors to fix basic flaws in their products that made them easy prey for hackers. The U.S. has no national cybersecurity regulations for connected devices, although federal contractors must meet some basic security requirements. CISA officials describe Secure by Design as a voluntary alternative to a regulatory scheme, one that uses the prospect of a reputational boost to encourage companies to design and configure products more securely.
Hundreds of companies have signed the Secure by Design pledge since its launch in May 2024, but Axis is the first major surveillance camera maker to make the commitment.