
Even a YubiKey isn't resistant to cookie theft; plenty of TOTP code theft phishing kits exist. Users literally enable third-party APK side-loading and install malicious APKs on their Android phones because of social engineering. It's not new to security. If you wear a high-vis vest and carry a clipboard, you'd be let into even government buildings. That also is social engineering.

For your house-builders statement, that is not a fair analogy. Is there evidence of a trend where software devs are saying "well, there's always some other way of getting hacked, so let's not bother doing things properly"?

Your Masterlock analogy is on point, though, because of "threat model": the purpose of most doors and locks in the US for residential use is as a lightweight deterrent. Burglars can just break the glass window and walk by the no-fence perimeter. You can and probably should get a more secure lock, but it is only as strong as the door frame and windows, and whatever alarm system you're using. In other words, for that analogy (and for what the CISA boss is saying) to be valid, there needs to be evidence that burglars give up and go home when the lock is secure. I would even go further and ask for a proper root cause analysis. Do the builders of Masterlock know how insecure their lock is? If they are indeed making it weak because of cost, then are they really to blame? They're a business, after all. Where is the regulation for proper secure locks? As a government agency, CISA shouldn't be blaming vendors; that's a cheap cop-out. They should be lobbying for regulation and laws, and then enforcing them. So, in the end, even if the CISA boss is right, ultimately she shouldn't be blaming vendors but explaining what she's been doing to pass regulations.
