In December, the US discovered a massive breach that affected networks and devices belonging to US government agencies. Given the breadth and depth of this attack, current and former officials advocate for cyber security reforms and a new approach that assumes hackers have already burrowed into computer systems.
“We’ve got to run a new play, run a new defense, because they’re getting through to the end zone too many times here,” says John Sherman, acting chief information officer for the Defense Department.
In an analysis of the December breach, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) observed that the cyber intruders managed to gain unfettered access into systems. The bad actors arranged back doors into businesses and quietly created administrative accounts.
Rather than pursuing a more reactive approach to cyber security, Sherman suggests that organizations opt for a prevention-first strategy, one that includes zero trust models. With zero trust, organizations can configure systems to continuously verify the authenticity of an individual, a device or a program before granting access. The public sector and the private sector alike can benefit from this approach, says Sherman.
The notion of zero trust emerged in the early 2000s. Nonetheless, misunderstandings regarding what it is and how it can protect systems have led to delayed adoption. Contrary to common assumptions, zero trust does not require disposing of firewalls. Rather, it functions as an additional layer of defense on top of existing security controls.
“No one who actually understands zero trust says abandon the perimeter,” states Sherman. “But the reality of it is that you need to understand your perimeter’s probably already compromised, especially when you’re in a remote space.”
The Pentagon and zero trust
According to Sherman, the US Pentagon is in the process of implementing zero trust policies and procedures. Nonetheless, Wanda Jones-Heath, Chief Information Security Officer in the Office of the Secretary of the Air Force, noted that shifting to zero trust is not a speedy process. It requires time and research.
“Zero trust is not a technology, it’s not something you buy, it’s a strategy,” stated Carnegie Mellon’s Director of the Computer Emergency Readiness Team, Gregory Touhill.
Federal CISO Chris DeRusha supports the use of a zero trust model. At the same time, enhanced threat intelligence is a must, says DeRusha. Threat intelligence sharing needs to occur in a fast, transparent way across public and private organizations, which will strengthen defenses.
In the wake of the SolarWinds breach, collaboration across government and industry groups reached its zenith. Via collaborative efforts, the FBI managed to identify 100 companies and nearly a dozen federal agencies that experienced a SolarWinds-related cyber intrusion. According to DeRusha, the public-private partnerships in this situation contributed to the speed of recovery. He advocates that such partnerships continue. “What I want to think about is how we bottle lightning here and we move forward in our public-private partnerships,” he stated.