Insight by DUO Security

How Biden’s zero trust executive order can succeed in the next year

There’s something wrong with cybersecurity in 2021, and it has to do with the way organizations are approaching protecting their networks.

Gone are the days when government agencies and companies could use the “castle and moat” approach to cybersecurity – where once someone has access to a network they have free rein.

According to Helen Patton, Advisory Chief Information Security Officer for Duo Security, organizations need to be more skeptical when it comes to accessing networks, a concept called zero trust.

“What zero trust tries to do is to change the philosophy that says we can inherently trust you because of who you are or the device you’re using or particularly the location you’re coming in from,” Patton said in a discussion sponsored by Duo Security. “Instead, we have to continuously verify that you are who you say you are, that the things you’re doing are trustworthy, and we have to be able to take action immediately if something changes about your trust profile that causes concern.”

The White House has already taken up this concept, issuing a May 2021 executive order titled “Improving the Nation’s Cybersecurity.”

“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the order reads. “The federal government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.”

Patton said the White House’s order is one of the first to talk about zero trust and a handful of agencies will be mainly responsible for ensuring it is implemented. Those include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, but also the Defense Department.

“It’s one of the first orders to connect administrative agencies with defense agencies, so there starts to be this bridge between what we’re seeing in the military – what I would loosely term offensive agencies – and with internal administrative agencies,” Patton said. “This is really necessary because what they’re recognizing is that all the agencies are connected and if one of those agencies has weak cybersecurity controls that becomes a place through which an attacker could impact our more strategic assets.”

Patton said there are a number of next steps that the administration needs to take to ensure that zero trust becomes ingrained in the government’s cybersecurity standards. A few are explicit in the order, such as pursuing multi-factor authentication. The agencies were asked to create a plan for multi-factor authentication within six months of the order.

“More broadly, though, zero trust isn’t a commonly understood term,” Patton said. “I think the federal government is going to have to collaborate across agencies, and this is where CISA is going to be that coordinating function, to agree on what they mean by zero trust. They need to agree on priorities for where they will apply the zero trust philosophy because it’s not a tool. You can’t just go buy a zero trust tool. It’s a number of different architectural elements, including training elements for your workforce.”

Patton said the government will also need to draw up a strategic plan on zero trust. She said she expects that to happen fairly quickly and for the government to coalesce around the order within the next six months to a year.

One downside, however, is that the order does not come with funding. The White House will have to depend on Congressional appropriators for money to implement the plan.

“I think there is appetite in the legislature to fund this kind of work,” Patton said. “There are many cybersecurity bills going through Congress. One of the challenges has been that there are multiple people in charge of different pieces of security. There are different committees, there are different interest groups, and they’ve all been trying to solve this piece of the problem from whatever aspect they represent. The short answer is ‘Yes, I think the appetite is there,’ but I’m not sure if the structures are there to allow that to happen very quickly or cleanly.”

One of the simpler things Congress can do, according to Patton, is modernize IT systems.

“They sometimes have really old applications and systems that they haven’t upgraded for a really long time because they haven’t had the money,” Patton said. “It’s going to be really hard to wrap zero trust around those kinds of infrastructures without doing some major investment and upgrading.”
