2021 has been an eventful year for cybersecurity, especially in the federal space. Following a series of high-profile cyberattacks targeting government organizations and public infrastructure, the White House decided to take action this summer with a sweeping executive order that demands broad reforms to improve America’s cybersecurity posture.
Now, federal agencies like the Office of Management and Budget (OMB) are leading the charge with a new strategy for transformation centered on zero trust security. But zero trust is more than a buzzword or a list of new procedures and rituals: it represents a paradigm shift that will impact federal organizations and contractors at every level.
At the end of Cybersecurity Awareness month, we reflect on these developments in the context of a rapidly changing threat landscape, and explore the role that zero trust security will play in hardening federal infrastructure against advanced cyber actors.
Our Current Cybersecurity Crisis
Last year’s attack on IT platform SolarWinds Orion brought renewed awareness to the problem of supply chain security, after it impacted more than 18,000 organizations, including 9 federal agencies and their suppliers. Only five months later, a ransomware attack on Colonial Pipeline highlighted the precarious vulnerabilities of America’s critical infrastructure.
It would be nice to imagine that either of these events was a fluke, but that is not the case: according to a study of large enterprises, 64% have been impacted by software supply chain attacks within the last 12 months. Meanwhile, the cost of ransomware attacks is expected to reach $20 billion this year – a 57-fold increase over the cost in 2015.
While there are undoubtedly many reasons that account for the explosive rise of cyber incidents, the White House cited “outdated security models” as a factor in May’s ‘Executive Order on Improving the Nation’s Cybersecurity’. In turn, it mandated a number of correctives, including the adoption of ‘Zero Trust Security Architecture’ throughout the federal government.
The Philosophy of Zero Trust
The principles that will guide federal implementation of zero trust security are outlined in a draft released by the OMB on September 7th for public comment. At a high level, the philosophy of zero trust shifts the focus of cybersecurity from the perimeter of an organization to its internal networks, treating every user, device and application as a potential threat.
Today, it is common for organizations to harden their public-facing networks against attacks from the outside. Cyber actors focus on overcoming these barriers, and move laterally from their point of entry to higher value targets. While they will meet varying degrees of resistance along the way, there’s a good chance of success as long as they can get their foot in the door.
Under a zero trust model, getting past the door won’t be nearly enough: users will be continually verified with multi-factor authentication as they switch between applications and devices. Checks will be constantly performed, and privileges will only be distributed as needed. Best of all, it works equally well against threats on the inside.
The Zero-Trust Maturity Model
On the same day that OMB released its memo, the Cybersecurity and Infrastructure Security Agency (CISA) issued two documents: a draft technical reference architecture, and a Zero-Trust Maturity Model (ZTMM), which outlines the “optimal” zero trust environment that government organizations will be held to over the coming years.
The ZTMM draft aligns with five specific security goals outlined in the OMB’s memo, which agencies are required to meet by the end of September 2024:
- Identity – personnel must receive an agency-wide identity to access work applications, with phishing-resistant, multi-factor authentication (such as the government’s Personal Identity Verification Standard, or PIV).
- Devices – agencies must maintain a complete inventory of every device they authorize for use on government networks, with the ability to detect and respond to any cyber incidents originating from them.
- Networks – agencies must encrypt all DNS requests and HTTP traffic within their environment, and segment networks around applications. They are expected to encrypt emails in transit, if the government identifies a reliable method for doing so.
- Applications – all applications must be treated as Internet-connected, and subjected on a regular basis to “rigorous testing” with the help of external vulnerability reports.
- Data – agencies should work together to deploy protections with the use of data categorization. Cloud security services are recommended to monitor sensitive data access, and implement enterprise-wide logging/information sharing.
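The continual, per-request verification described in the previous section maps directly onto the Identity, Devices and Applications goals above. The following added example (written for this article; not code from the OMB memo, CISA or any agency) models one access decision against those goals: it requires phishing-resistant MFA, a fresh authentication, a device that is in the agency inventory, assigned to the user and compliant, and an explicit entitlement to the requested application. The inventory, entitlements, the FIDO2 method and the 15-minute re-verification window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Methods the policy treats as phishing-resistant. PIV is the standard named in
# the OMB memo; FIDO2 is an assumption added for this example.
PHISHING_RESISTANT: Set[str] = {"piv", "fido2"}
MAX_AUTH_AGE_SECONDS = 900  # assumed re-verification window when switching apps


@dataclass
class Request:
    user: str
    mfa_method: str        # method used for the most recent authentication
    auth_age_seconds: int  # seconds since that authentication
    device_id: str
    application: str


@dataclass
class Device:
    device_id: str
    owner: str
    compliant: bool        # passed the agency's endpoint checks


# Constructed sample inventory and entitlements (not from any real agency).
INVENTORY: Dict[str, Device] = {
    "lap-001": Device("lap-001", "alice", True),
    "lap-002": Device("lap-002", "bob", False),
}
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"payroll", "email"},
    "bob": {"email"},
}


def evaluate_request(req: Request) -> List[str]:
    """Return an empty list if the request is allowed, else every failed check.

    Every check runs on every request: no network location or prior session
    grants trust, and access is scoped to one application at a time.
    """
    failures: List[str] = []
    if req.mfa_method not in PHISHING_RESISTANT:
        failures.append("identity: MFA method is not phishing-resistant")
    if req.auth_age_seconds > MAX_AUTH_AGE_SECONDS:
        failures.append("identity: authentication is stale, re-verify")
    device = INVENTORY.get(req.device_id)
    if device is None:
        failures.append("device: not in agency inventory")
    elif device.owner != req.user:
        failures.append("device: not assigned to this user")
    elif not device.compliant:
        failures.append("device: failed compliance checks")
    if req.application not in ENTITLEMENTS.get(req.user, set()):
        failures.append("application: user is not entitled to this application")
    return failures


def is_allowed(req: Request) -> bool:
    return not evaluate_request(req)
```

Because the decision is a list of named failures rather than a single boolean, the same function feeds both the access gate and the agency's enterprise logging.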
Acknowledging the scale of transformation required to meet these goals, the OMB has called on agencies with strong cybersecurity programs to help those in a weaker position. It also anticipates that CISA will offer zero trust maturity surveys in the future, helping agencies to identify and remediate gaps.
The Benefits of Zero Trust
Ultimately, zero trust architecture is just one of many initiatives stemming from May’s executive order. But while it will not magically render organizations invulnerable to cyberattacks, it will bring about significant transformation in more ways than one:
- Constant validation of user identity, activity monitoring and segmentation of apps from networks will make attacking significantly harder, both for foreign cyber actors and malicious insiders.
- Complete and accurate device inventories will give government agencies significantly more control over their infrastructure, rapid insights and the ability to respond quickly in an emergency.
- In the long run, implementation of zero trust models will accelerate modernization of federal IT by requiring agencies to break down silos and coordinate information sharing.
Today, threat actors are moving fast. To protect national security, government agencies and contractors will have to move faster. For a long time, our federal infrastructure and cybersecurity strategy has stagnated – but the progress we’ve seen in a single year gives us reason to be hopeful.
Find Your Weaknesses
In its recent memo on zero trust, the OMB recommends that agencies rely on third party vulnerability assessments to identify and remediate application vulnerabilities. Don’t fall prey to the next SolarWinds: partner with cybersecurity experts who can probe your organization for gaps before they are exploited.
Securicon hardens organizations against current and developing threats. With years of expertise trusted by the DoD, DHS and U.S. Cyber Command, we help our clients through vulnerability and penetration tests, governance, risk and compliance (GRC) services, and security architecture review. Contact us to learn more.