Cybersecurity is moving out of the realm of private technology and into the realm of national security. While national security agencies have always been concerned, and even involved, in providing tech security, the Biden administration is moving a step beyond that and looking to private tech companies to bolster the security infrastructure of the U.S. by developing an infrastructure built on a Zero Trust model.
The White House's Cybersecurity Initiative
Last week, President Biden met with private sector and education leaders to discuss the whole-of-nation effort needed to address cybersecurity threats. He cited recent high-profile cybersecurity incidents as proof that both U.S. public and private sector entities increasingly face sophisticated malicious cyber-activity.
Speaking during a press briefing after the event, Biden pointed out that at the heart of the problem was the fact that the workforce that deals with these kinds of threats has not grown fast enough. He told reporters, “We’ve seen time and again how the technologies we rely on — from our cell phones to pipelines, to the electric grid — can become targets of hackers and criminals."
“At the same time, our skilled cybersecurity workforce has not grown fast enough to keep pace. We’re about — the estimates many of you have given us and we’ve concluded are — on our own, about a half a million cybersecurity jobs remain unfilled.”
The meeting follows the issuing of Executive Order (EO) 14028, titled Improving the Nation’s Cybersecurity, last May which outlined the problems and measures that the government wants organizations to take in order to improve security. But it's more than just a wish list. The administration is looking to develop an entire framework to improve national security.
At the meeting last week Biden announced that the National Institute of Standards and Technology (NIST) would collaborate with industry and other partners to develop that framework to improve the security and integrity of the technology supply chain. Among those companies that have already committed are:
- Amazon, which will offer the security awareness training it offers to employees to the public.
- Apple will establish a new program to drive continuous security improvements and drive the mass adoption of multi-factor authentication, security training, vulnerability remediation among other tings
- Google is to invest $10 billion over the next five years to expand zero-trust programs
- IBM will train 150,000 people in cybersecurity skills over the next three years
- Microsoft is to invest $20 billion over the next five years to accelerate efforts to integrate cyber security by design
There are many other initiatives and there will undoubtedly be other companies jumping onboard over the coming months and years. At the heart of it is the notion of Zero Trust and the measures and services that are being enabled by Big Tech.
What is the Zero Trust Model
Santosh Putchala is director of privacy at Bristow, VA-based Kuma, a global privacy and security consulting firm. He points out that zero trust is not a position, but rather a security model. It is a set of system design coupled with cybersecurity and system management strategy. It is based on an admission that threats exist both inside and outside traditional network boundaries.
In a zero trust model, any attempt by a user or device to access a resource is restricted regardless of whether they [user or device] have previously accessed the same resource. Any user or device must always go through an authentication and verification process to access the resources. This is irrespective of the physical location, whether inside the organization or remotely. The entire enterprise private network is not considered an implicit trust zone. No resource is inherently trusted. Remote enterprise subjects and assets cannot fully trust their local network connection.
“The beauty of Zero Trust security model is that it eliminates the need to place absolute trust in any one element, connection or service related to the network,” he said. The characteristics of this kind of model are:
- The model assumes that a breach is inevitable. It also actively considers that a breach has already occurred. Due to this, the model focuses on limiting access to only what is absolutely needed to perform a said activity.
- The model also constantly tries to identify any malicious activity: or activity that is not normal of the system or group of interconnected systems.
- The hallmarks of this model are (a) comprehensive continuous security monitoring, (b) risk-based access controls, and (c) security automation.
The result is that the Zero Trust Policy defines who can traverse the perimeter at any point in time and aims at minimizing and preventing exfiltration of sensitive data through the following policies:
- Policy Defining Assessment, Control, and Recovery Operations: Defines the expectations under the three pillars of the Zero Trust model.
- Policy Decision Point (PDP): Defines decision making process to ensure policy adherence.
- Policy Enforcement Point (PEP): Executes and enforces the stated policy requirements and authorization solutions.
The Advantages of Trusting Nothing
There are two main advantages to that kind of approach, Jim Barkdoll, president and CCO for Sweden-based Axiomatics told us. First, it focuses on trusting nothing and verifying everything, which is a necessity in today's 'work from anywhere' environment. Second, it's a methodology that's evolved over the past few years and leverages existing technologies. So as Google and other organizations have done, you can take planned innovation and adapt it to a Zero Trust framework.
Whether it helps or not will really depend on the approach an enterprise takes in their Zero Trust implementation. When you consider all the dynamic challenges and opportunities organizations face today — remote or hybrid workforces, digital transformation projects and understanding who or what access you should validate is one of the most critical things you can do.
“Companies that look at Zero Trust with dynamic authorization at the center, as emphasized in the latest NIST guidelines, will see more success,” he said. “This means seeing context around each request for access so you can ensure the right people have the right access to the right information at the right time. To my mind, that's the approach that's going to see success in implementing Zero Trust.”
May's Executive Order
The May Executive Order advocated for significant changes and investments in security protocols. According to Benny Czarny, founder and CEO of Tampa, FL-based Opswat, this involved removing barriers to sharing threat information, modernizing government cybersecurity, enhancing supply chain security posture, establishing a cyber safety review board, improving the government’s response vulnerabilities, and much more.
It was followed by another National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems in July, making the point that the government cannot do this all alone — securing critical infrastructure and adopting zero-trust is a shared responsibility among both the public and private sectors.
“Although it is still too early to determine how these initiatives will play out, increased attention on the catastrophic impacts of critical infrastructure cybersecurity events (e.g. Colonial Pipeline) have pushed organizations to take steps in the right direction,” he said. “And with giants like Apple, Google, Microsoft, and JPMorgan Chase engaging in conversations like these, we can hope that others will follow suit.”
Walnut Creek, Calif.-based Servadus is headed up by Ron Tosto who has previously acted as subject matter expert in information security for the Department of Defense (DoD) network communications. He says that a Zero Trust architecture assumes devices have no relationship with any other devices regardless of the location. For example, a computer in a corporate network or a home could not talk to any other computer even if it is in the exact network location. Before network devices can communicate, they must establish trust.
The systems must use a protocol for tridirectionally authentication. There is a third-party device that controls the trust and communication links.
The President signed the Executive Order on Improving the Nation’s Cybersecurity on May 12 of this year. It directs all federal agencies to advance towards a Zero Trust architecture; each agency within the federal government was to have a plan in place by mid-July 2021. Additionally, the OMB was to have a security strategy guidance published 90 days so that agencies could move closer to Zero Trust. The date for the OMB action is in the past as well.
“Most complex programs require a long-term time commitment and money. The new policy will only work with an appropriately trained workforce within the federal government with contractors and a long-term commitment to implement,” he said. “I think using Zero Trust within the executive order is a buzzword reference without a proper understanding of the complexities of implementing such a policy.”
Zero Trust architecture can be effective, but if it were straightforward and inexpensive non-government agencies would already be using it. This week the President called the corporations for them to spend the money instead of the government which indicates the lack of funding commitment required to effectively implement the executive order.