There's a hole in the Hololive English Minecraft server.  It's claimed three lives - Kiara (twice) and IRyS, and nobody knows who created it.

So by the power of weaponised autism, the internet discovered the random seed used by the HoloEN server, recreated their game world in its original state, did a frame-by-frame analysis of all 173 Minecraft streams, narrowed down the creation of the hole to between the 9th and 12th of October last year, and blamed Ina.

Who says she is Ina-cent.

1 A big national effort to improve cybersecurity will fail if it has incorrect premises baked into it. Major national cybersecurity breeches have occurred directly because of 'Presidents' apparently cheated in by electoral fraud. Throwing big software companies at it looks like a way to distract from starting at physical security and working on from hardware next. Basic first step includes getting rid of the damned electronic voting machines, which is an appropriate task to plan and carry out at the local/county level.

2 Google has never had a security catastrophe.  Those have all been failures of your expectations.

3 After actually reading that absurd Info Security piece . . . there's a lot of High-Quality Stupidâ„¢ out there in the world.  Amazon and Apple are going to make things more secure with a massive multi-factor authentication effort.  So now the Chinese and Russian hackers will have everyone's biometric passwords in addition to all the other crap they've exfiltrated from these idiots's servers.

"Microsoft has committed $20bn over five years to drive security by design"
Ford Motor Company has committed $100bn over five years to drive transportation by design.  Hasbro Inc has committed $15bn over five years to drive My Little Pony by design.  Google has committed $400bn over five years to drive mental illness by design.

"Aside from these commitments, the White House announced the expansion of its Industrial Control Systems Cybersecurity Initiative, from the electricity sector to natural gas pipelines, and said the National Institute of Standards and Technology (NIST) would develop a new framework for supply chain security." Unplug the network cable, you idiots.  Disable the network stack on critical systems.  Build systems that don't have the capability of being remotely penetrated, and then make physical access extremely difficult, like putting guys with machine guns around it.

4 'security by design' is probably at least a semi-legitimate concept.

There's a bunch of 'design for x' sub-fields of engineering, like design for manufacturability, etc. 

Engineering tries to solve problems by breaking them into bits that can be studied separately, and maybe by letting specialists work on each bit.  Like, with an electric motor powering a propeller on a shaft, you have a solid mechanics guy thinking about the shaft, a fluid mechanics team thinking about the propeller, and none of the mechanical people are thinking about how electricity works.  (Or maybe you have one guy that knows the fields well enough.)  Obviously, designing a rotating pump, an internal combustion engine, and a circuit board are wildly different.  But the design theory folks think they can condense common elements enough so that someone can read design theory, and read the specialized technical theory applicable to the type of device, and get somewhere without apprenticing under an engineer that knows how to design that type of device. 

Security definitely has to be designed into software, and cannot be implemented afterwards.  So, naively it would seem like 'design for security' could be legitimate.  Two problems.  One, you are limited in your options for security by the complexity of the rest of your design.  So you could not design a system from scratch to be secure without already being a good designer of the type of system.  Security design probably is not a skillset that stands on its own, and which can be learned as a stand alone field.  Two, if you have a large private bureaucracy try to develop a field, it is going to come up with a bureaucratic body of knowledge, and you will have trouble applying it in a different organization, if you can even get the information and permission to use it.

Additionally, HR already does not understand software design skillsets, or how to hire software experts, and management does not understand how to tell good ideas from bad, or how to judge quality of work.  So even a good example of a top down solution of this sort would be bad.  You can get organizations to enthusiastically mouth the words, but you could not compel people to understand.

We would not have had the increase in industrial controls compromises if the effin' technocrats had not screwed things up so badly with covid alarmism.   Industrial controls were not perfectly designed for security, but rapid implementation of covid compliance seems to have resulted in a bunch of holes being opened to allow for remote access.

Big thing for supply chain security: Do not let commie scum buy influence to promote their manufacturing. 

Big thing for industrial security: Don't let the Democrats capriciously screw things up. 

I have a lot of positive things to say about NIST.  Thinking that any federal bureaucracy is the answer here is not a thing I would say. 

Gen. Miley formerly ran the Army Research Lab.  Some of the ARL folks were told after the GAO compromise, that self driving military vehicles were a bad idea unless they could prevent a reoccurance of such leaks.  ARL folks promised that measures would be taken.  Then Gen. Miley failed to Boogaloo against Biden, and now we have the current theatrical pretense, which is the early stages of allowing for further security compromises, preventable compromises, by everyone from the PRC to particularly incompetent mid east terrorists.

5 'security by design' is probably at least a semi-legitimate concept.

Except in Microsoft's case it would require scrapping everything and starting over.  I mean: it's not secure (by design because it was never intended to be so), and you can't make it so just by saying so.  If you try to start from secure by design concepts you'll pretty quickly end up at "no one will use this" or "we're lying and just suck it up because it will never be secure".