White House gets some honest advice about its zero trust cybersecurity program


The White House recently received some expert advice about its signature cybersecurity initiative, namely getting every agency to move to zero trust systems architectures. But the advisory group warned that the project is at risk of becoming an incomplete experiment. We get the highlights from Mark McLaughlin, Chairman of the Board of Qualcomm and a longtime member of the National Security Telecommunications Advisory Committee (NSTAC).

Interview transcript:

Tom Temin: Mr. McLaughlin, good to have you on.

Mark McLaughlin: Good morning, Tom. Thanks for having me.

Tom Temin: And so the NSTAC was charged with looking at zero trust. What did you find primarily? Let’s go over the initial findings here.

Mark McLaughlin: Sure. Well, the NSTAC is giving advice to the president on items that are related to national security and emergency preparedness. And it’s very hard today to not hear zero trust wherever you go. Zero trust has actually been around for a while as a concept and what everybody’s attempting to do, and what the NSTAC report really is about is assisting, in this case, the government on how to take the theories of zero trust, which had been discussed for a long time, and turn them into actual realities in networking and cloud architecture. And so this was a specific response to a request from the White House as to how do we actually make zero trust real in government architectures on the federal civilian side?

Tom Temin: And you found that, again, to just reiterate, what I said at the opening is that without significant action, and I’m quoting the U.S. government risks zero trust becoming an incomplete experiment, a collection of disjointed technical security projects measured in years, rather than the foundation of an enduring, coherent and transformative strategy measured in decades. Maybe elaborate on that for us for a moment?

Mark McLaughlin: You’ve been around technology a long time as well. And there’s things that get discussed and come along, and they are at various levels, I would say, of foundational importance, right? Not that anything’s unimportant, but some are foundational in nature. And zero trust would absolutely be foundational in nature, meaning it’s a building block at the ground level upon which you would build for a long time as part of any security architecture and infrastructure. So the point we’re making there is that when something gets as much attention as something like zero trust does, there can be lots of thoughts as to what does it even mean, let alone how to implement it, right? So getting a definitional foundation and an architectural foundation is very important, because this is not only a concept, but a way to approach security that should be around for decades, or will be around for decades. And if you don’t start at the right foundation, you can fracture it in many different ways and create interrupt – or noninteroperability over time, as opposed to something that’s very cohesive and seamless. And that really was the point we’re trying to make, which is it’s worth it upfront to spend time on the definitions and seamless nature of this across networks, so that you can build on it for a very long time.

Tom Temin: In many ways, it reminds me of cloud computing, in the sense that the government has awareness that this is where they should be going. But they’re always a step behind industry. And it’s always a, well, let’s just say it, big bureaucratic effort to get it going in a way that starts to become effective operationally for the government.

Mark McLaughlin: Well, I think the government has a very important and very difficult task. I’ve run some decent sized organizations, but nothing the size of the DoD, right? When you’re talking about – technology’s an example – when you have these generational things, and you know, Tom, you have been around the block for a while, about every decade or so you get a couple of things that come along that are really important. SaaS, cloud, right, e-commerce, all the way back to the DNS, the internet, and the adoption of those takes a long time. And particularly if you’re responsible for the adoption of that across a very wide base, like the government would be, it makes sense to take your time to understand things and roll them out.

What happens a lot is there’s a lot of energy and excitement about some ideas, people pile in on them, and they try to do the right thing to get in front of it without completely understanding what it actually means. That’s just very natural in technology. There’s a famous chart about the hype and trough of disillusionment, and then mainstream, right, you know, and catching the angle of going to mainstream is very important on something that would last for decades. So I think cloud’s a very good analogy there, where there’s a rush to the cloud, right, you know, 10 years ago, rush to the cloud all for good reasons. But actually thinking through what would that look like and how would you implement it took 10 years, trying to figure it out, particularly in security. And we didn’t even know what the right questions were, let alone what the answers were. And I think that’d be the case with zero trust as well: a very thoughtful approach that will last us for decades is a foundational element.

Tom Temin: We’re speaking with Mark McLaughlin. He’s a member of the National Security Telecommunications Advisory Committee. He’s also chairman of the board of Qualcomm. And looking at the recommendations that you have to make this completion for zero trust, it seems like there’s a combination of accountability measures, some technical measures, and some organizational measures to make sure that doesn’t become institutionalized or a permanent decades-long process. So maybe just run through what the NSTAC is basically recommending here?

Mark McLaughlin: Yeah, sure. In the report itself, there’s 24 recommendations. I won’t try to go through them all, right? Because that’s a lot. But what we really tried to do is to sit down and approach it so that we could go faster, and the convergence of zero trust architectures and trusted digital identities as well, which you think is a key part of that. So that was one goal of ours in doing this. The second thing we wanted to do is say, where are the known gaps in what is this emerging ZTA (zero trust architecture) and digital ID implementations? And very importantly in that is make sure we take privacy considerations into account as well, because without that, things are kind of dead on arrival, rightfully, right? And a third is to provide recommendations where we could have standards-based protocols so that digital IDs can be created and bound when appropriate to end users, so that that can actually help the national security and emergency preparedness, so that we’ve got a standards-based approach. When you don’t have a standards-based approach, you get a lot of fracturing. Yeah, you might ultimately come to something, but it can be very painful along the way. So those were the three main things we’re attempting to do over the report. Before we got into any specific, hey, here’s some actionable things that the government should do, where it should live, who should administrate, all those things are included as well.

Tom Temin: Sure. And I noticed that you have some specific assignments, potentially anyway, for the Cybersecurity and Infrastructure Security Agency here, too.

Mark McLaughlin: Yeah. Our recommendation, administratively, organizationally, would be, CISA would take charge of this right and set up a federal run by CISA meaning for civilian zero trust program office. And they should be that, they should be that entity in the government to do that. We think they’re, where they sit in the government and their expertise is exactly what’s needed here.

Tom Temin: And also one of them is to advance zero trust in international standards bodies. And I guess my question is, are there any standards for what constitutes zero trust? And should there be and what’s the status of those standards making?

Mark McLaughlin: It’s early. So as far as there being anything widely adopted yet, in the United States, let alone internationally, I’d say it’s early innings, to use a baseball analogy. But we do know from experience that for any of these – I’ll call – tectonic, very large technology shifts that become foundational in nature, if you don’t have a standards-based approach, like I said, it fractures, and then it’s a very globally connected world. And so if those approaches are not trying to take into account the global infrastructure, you end up with fractured things globally, right? That can work but it really reduces the value in any geography then about the interoperability. So we really would like to focus on the standards bodies and trying to get some level of commonality there that people can build upon.

Tom Temin: And beyond standards, of course, there’s two ways of looking at cybersecurity, zero trust. One: Do they have it, does it seem to meet the criteria that are commonly understood to be zero trust? But then there’s the effect of it. And it’s very hard to measure cybersecurity effects because you’re measuring a negative of something that’s not happening. So what’s your best thinking on how the government can ensure both that it does have that compliance with what is best practice, and also begin to understand the return on investment by the lack of something happening?

Mark McLaughlin: Great question, and something that bedevils many efforts, right? And so, in this case, what we were recommending is that there’s the capability to have the transparency for where you’re starting and the progression path. And then also the accountability then for how you’re doing along the way. And one of the beginning points in that which we recommended was that CISA de-establish what we call the zero trust shared security service for discoverable assets on the internet. It’s a truism in security, cybersecurity, that you can’t protect anything you don’t see. So everything starts with visibility. And that should be the case here as well. And so, CISA are playing a role where they are providing a visibility mechanism into these networks, they say, on a dynamic basis, not a static basis. Where are you now, where are you now, where are you now, right? And then the beginning point, when we laid out the report, sort of a progression path to say phase zero of ZTA would look like this, phase one would look like this, so that there’s a way to have a reference ability on an absolute basis about where am I as an organization on the path to ZTA, and then also a reference ability on a relative basis as to where am I compared to others, so we can have a best practice issue.

Tom Temin: The final question with respect to zero trust has to do with nonhuman entities that are accessing networks. I don’t hear enough talk about how zero trust can extend to the bots to the artificial intelligence algorithms into other nonhuman, nondevice entities. Is that an important part of it, though?

Mark McLaughlin: I think so. And I think it will be continually for the reason you just said, and that’s part of, two of the recommendations really tie in to that. The one I just mentioned, which is to have an internet-accessible asset discovery – an asset in this case does not mean human, right, or necessarily just human, it’s all assets, many of which are increasingly robotic in nature. And then the second is, in order to understand using AI and ML, I’m not trying to get buzzy here on the buzz terms –

Tom Temin: Oh, we’re used to those two terms a lot here.

Mark McLaughlin: Well, using those two terms is when you have that kind of asset discovery capability, making sure who’s on the other end. And this kind of goes into the identity piece of this as well, which is who/what is on the other end, really, as opposed to what it appears to be, right? So that’s an important part of this as well.

Tom Temin: By the way, what happens to the report at this point?

Mark McLaughlin: It’s gone to the White House, and we’ll report this out to the president here shortly. And hopefully, it’s adopted and becomes part of the policy of the United States government. I’d just like to take a second real fast, Tom, before you wrap up, just to also thank my colleague John Donovan, the co-chair of this report. John is the current chairman of the NSTAC and working with him has been a pleasure.

Tom Temin: Mark McLaughlin is a member of the National Security Telecommunications Advisory Committee, chairman of the board of Qualcomm. Thanks so much for joining me.

Mark McLaughlin: Thank you, Tom.

Copyright © 2024 Federal News Network. All rights reserved.
