There are three key elements agencies need to adopt to survive on this new battlefield: zero trust, resilience and adversarial thinking.
A number of U.S. officials and federal agencies have been sounding the alarm on cybersecurity since the lead-up to Russia’s invasion of Ukraine. But Russia has been testing cyber capabilities in Ukraine for years, such as its attacks on Ukraine’s power plants. The current conflict has simply driven home the fact that cyber is truly a warfighting domain, and agencies need to be prepared to engage on this front.
“There’s a lot of active war going on in the cyber domain that is more aggressive than people see in the classic kinetic sense,” said Doug Jones, chief technology officer for Defense at Leidos. “Some folks also view cyber as a de-escalation technique. If Russia wanted to try to prevent us from getting involved, they may use cyberattacks to say, ‘Do you really want to get involved in this? Because we could actually take down some of your critical infrastructure and take the fight to your home,’ as opposed to it being in Europe.”
There are three key elements agencies need to adopt to survive on this new battlefield: zero trust, resilience and adversarial thinking.
Zero trust is not something agencies can just buy; it’s a philosophy, an architectural paradigm, Jones said. It requires implementing multiple layers of defenses, along with adopting a transactional approach to trust, rather than a permanent one. That involves factoring risk into the decisions about who (or what in the case of devices and other nonhuman components) to trust, when to trust them and with what data.
So how can agencies modernize into that architecture?
Incrementally, Jones says.
Every agency is going to be different. It’s going to have different goals, different needs and a different starting point. Each of these will influence where an agency needs to begin prioritizing zero trust. That’s why Leidos came up with the Zero Trust Readiness Level, to help agencies evaluate where they stand and what their next steps should be.
“Where are you from an identity and access management, multi-factor authentication or networking perspective? Are you ready to get into microsegmentation? Where are you on your application layer?” asked Jones. “As we start understanding where you are, we can put up where you are on the Zero Trust Readiness Level, and then figure out what is a custom plan based on the outcomes you want to achieve to get to the next level.
The idea is to help organizations get closer to their specific cybersecurity needs relative to achieving zero trust, he said. That way “Rather than saying, ‘I need this product because it’ll help me get to zero trust,’ now I can say, ‘I need a suite of these products to solve these five problems because these are the best products to solve those problems, given my infrastructure and my architecture, to get me to the next level of maturity from a zero trust perspective.’ ”
By adopting a zero trust posture through a more focused approach, agencies will be able to develop resiliency, Jones said. Using a maturity model will allow them to be more agile and flexible in responding to unanticipated situations, he said. In the past, much of cybersecurity has revolved around compliance. But compliance is just a snapshot in time; it’s easy to quickly fall into obsolescence, Jones warned. Zero trust, on the other hand, is about understanding the risk associated with every area of a business and then mitigating that risk.
For example, a classic cybersecurity approach would be to have a disaster recovery system. But that’s just checking a box, he said. A more modern solution calls for implementing multiple active systems running across various cloud service providers in tandem, so they can seamlessly pick up workloads and reduce risk. Similarly, agencies should be considering how to prevent other types of risk, from supply chain to architecture and monitoring, Jones advised. Agencies need to consider the tools at their disposal to deal with these kinds of risk.
Once agencies have established a zero trust architecture and implemented the appropriate risk response tools, they need to start thinking like their adversaries to better know how to deploy them. And those adversaries could be anyone, from near-peer competitors to organized cybercrime organizations and hacktivists.
“The thing we always want to think about is what would someone want with my organization’s network or data? Or how would they want to disrupt my mission?” Jones said. “The question is: What are they going to attack? Do they want to take you down? Do they want to prevent you from doing your mission or degrade your mission? Do they want to prevent the integrity of your data so you don’t trust it?”
The key is to understand the value of the data or access to the agency’s systems to potential adversaries, he explained. There may be more than one answer. For example, attacks that compromise personally identifiable information, like the Office of Personnel Management breach or attacks on insurance companies, allow adversaries to build dossiers of trusted individuals in various positions of authority and access. How could that data then be leveraged?
“When you look at classic cyber, they talk about something called the CIA triad. That’s not the intelligence service; that’s confidentiality, integrity and availability,” Jones said. “We’re seeing this whole-of-nation attack vector. It goes back to what would I want to do as an adversary to you to either get your data, prevent you from accomplishing your mission or create distrust in your mission?”
Learn more about the government’s efforts to keep pace with near-peer competitors in Federal News Network’s ebook “Great Power Competition — Taking a Long View.”
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.