In the face of repeated major exploitations of critical U.S. networks, it is past time for the U.S. government to recognize that traditional security systems such as perimeter entry controls or whitelists are no longer adequate. As the SolarWinds hack proved, any security system can be penetrated with enough time and effort. Cybersecurity must be based on zero trust, which assumes that threats exist continually both inside and outside a network or cloud environment. A strategy of zero trust is based on the need to continuously monitor and validate the presence of every individual, organization, device, and piece of information on a network.
In the past year, we have seen just how bad things can get when a lack of planning leads to the worst-case scenario becoming the new reality. A country without a contingency plan for an epidemic has disrupted life as we know it for more than a year. An electric grid without weatherproofing devastates an entire state. Networks without proper security are readily hacked. Planning and preparation for the so-called once in a century event should be standard for all critical infrastructure, given how frequently such events actually occur.
While not acts of God, devastating attacks on our cybersecurity infrastructure can produce results as bad as or worse than any pandemic or natural disaster. Recent intrusions, from the SolarWinds breach to an attack on a Florida towns water supply, continue to expose U.S. industry and government as desperately ill-prepared.
For years, there have been calls for comprehensive cybersecurity planning in the public and private sector to stave off attacks by domestic and international threats. Progress has been mixed. While the Department of Defense (DoD) has made strides in defining requirements and implementing solutions that will strengthen and protect IT networks, there is much that needs to be done.
We heard about some of this progress during the recent hearing on Future Cybersecurity Architectures before the Senate Armed Services Committee (SASC). Senators and witnesses from the National Security Agency (NSA) and the DoD focused heavily on zero trust architecture, a cybersecurity framework that continually assesses the trustworthiness of access requests to information resources. Testimony from DoD witnesses, NSA Director of Cybersecurity Rob Joyce, Senior Information Security Officer/Chief Information Officer for Cybersecurity David McKeown, and Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy Rear Admiral William Chase extolled the virtues of zero trust as the new waypoint on the journey to a secure future.
The National Security Agency, a strong advocate of the new approach, explained it this way: Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.
Though far too soon for a victory lap, DoD has created programs to field much-needed capabilities that will strengthen cybers defenses. Likewise, Congress has driven the pace and funding for these programs since at least 2017. As noted in the Senate hearing referenced above, Rear Admiral Chase highlighted Comply-to-Connect (C2C) as an important foundational component of the DoDs Zero Trust initiative predicated on a simple principle: you can only protect what you know you have.
C2C establishes a framework of tools and technologies operating throughout a network infrastructure. This framework discovers, identifies, characterizes, and reports on all devices connected to the network. C2C does not require network managers or users to trust that the network is secure, as all users are both authorized access and are compliant with the minimum standards of security. This way, C2C allows for an environment of zero trust. In essence, all C2C users and devices must prove their legitimacy to be allowed to operate on DoD networks. Those devices that may be authorized but lack the proper security software can be remediated.
The bigger challenge, largely absent in the SASC hearing, is how to protect everything that is not what we would consider to be an Information Technology asset. The majority of these assetsmany of which can be easily deemed as criticalare part of Industrial Control Systems (ICS) used by the military. Simply put, even if IT networks were protected, every air conditioning unit, power outlet, and water main under DoD is a potential risk to mission readiness at every base, post, camp, and station across the Services. Arguably, C2C should be part of a broader cyber strategy for ICS as well as networks and nodes. The problem is that the managers for ICS do not naturally look to IT security folks to address the security of these other systems.
Despite the U.S. armed services investment in cybersecurity, the country still lacks a thorough cybersecurity strategy for securing the ICS environment. C2C is helping here, as some solutions provide the means to identify ICS vulnerabilities. But the defense department needs to do more of the hard work of securing ICS.
Our adversaries are getting smarter and constantly looking for vulnerabilities in our defenses. What better way to cut us off at our knees than by infiltrating a military bases electric grid and killing the power for the entire installation? Congress is watching to see how the DoD accounts for military ICS security, and will probably become more directive in the next NDAA. In addition, the Biden Administration has identified critical infrastructure cybersecurity as a priority, which is an indicator that military ICS will be a factor in any future federal cybersecurity planning.
In cybersecuritys age of innocence, it was assumed that electronic walls could be built sufficiently high and wide to be made impregnable. The reality is that for a variety of reasons, any network, ICS, and cloud environment can be hackedif not from the outside, then from within. Today, with the rose-colored glasses falling from our eyes, it is clear that only a strategy based on zero trust offers any chance of successful cyber defense.
Dan Gour, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. He has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute @LexNextDC.
Image: Reuters.
Go here to read the rest:
A Zero Trust Mindset Replacing the Age of Innocence in Cybersecurity - The National Interest
- WikiLeaks' Julian Assange: NSA critics got lucky because agency had no PR strategy [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Speakers Association New Jersey Chapter NSA [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Security Agency - Wikipedia, the free encyclopedia [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA - Satu Hari Di Bulan Juni (TULUS) (COVER) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Full Show: Disband The NSA or; Corruption in the Capitol FO SHIZZLE {aTV002} - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Hong Kong: Protesters blow whistles for NSA whistle blower - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 2 of 2) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- USA: NSA leaker Snowden is a hero, say Washington protesters - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- ShmooCon 2014: The NSA: Capabilities and Countermeasures - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA ~ (Autodidactism) Whistleblowing - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- The Mises View: Our NSA Economy | Mark Thornton - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- George Galloway's Sputnik: Ewen MacAskill on Guardian / Edward Snowden NSA leaks (26Apr14) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Dropping #NSA Knowledge Like a Clumsy Librarian - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA DOCUMENTARY SIX YEARS BEFORE SNOWDEN - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Knew Of Heartbleed Bug, Refused To Protect Americans - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Former NSA Head To Become Columnist For Conservative Paper To Discuss Intelligence - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 1 of 2) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Keynote Address by Shri Shivshankar Menon, NSA at International Seminar on Kautilya - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA WHISTLEBLOWER - TOM DRAKE - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Wiretapping: A 4th Amendment Violation?: Blake Norvell at TEDxSMU - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Rucka Rucka Ali Blurred Lines Parody Obama Been Watchin' NSA - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Hang with Rand: Email Privacy, NSA Spying, and Defending Our Civil Liberties - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Surveillance and What To Do About It - Bruce Schneier - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Umfrage: NSA-Spionage und die Bundesregierung | Politik direkt - So ticken die Deutschen - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- CIA & NSA DIRECTED ENERGY WEAPON ATTACK ON WHISTLE BLOWER - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA TARGETED OBAMA, CONGRESS, SUPREME COURT, & THEIR SPOUSES, CHILDREN - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- Book TV - 2014 San Antonio Book Festival: Panel on the NSA, Big Brother, and Democracy - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- READER SUBMITTED: NSA CT April 2014 Meeting [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Throwdown: John Oliver v. 60 Minutes [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- New water records show NSA Utah Data Center likely behind schedule [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- German opposition says US should destroy Merkel's NSA file - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- MVI 1847 Obama's NSA Denies FOIA About MH 370! - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance 2 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance Panel 1 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA reveals some cyber security flaws are left secret [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- NSA data center uses less water than expected [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- April 2014 Breaking News Do you use Google or Yahoo? NSA Intercepts Google And Yahoo Traffic - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Rand Paul My Reaction To Judge Ruling NSA Spying On Americans Illegal Is He's Exactly Right - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (6/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (3/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (5/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (1/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Germany: NSA may have accidentally outed secret base - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Dick Cheney Gets Awkward On Fox & Friends Over NSA Spying - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- February 2014 Breaking News Barack Obama Gun control NSA worldwide people control last day - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- MVI 1871 NSA Might Be OnTo Me! - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Installations-Wizard - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Hands On - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- CNET Update NSA spy games targeted World of Warcraft ! Byy Adana - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Supreme Court could weigh in on NSA case, justice says [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- New NSA chief: Agency has lost trust [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA on Heartbleed: 'We're not legally allowed to lie to you' [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What's The NSA Doing Now? Training More Cyberwarriors [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Anonymous NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Cutting off H2O to the NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Brazil: Greenwald slams US media, shares tips to avoid NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA Interception: Spy malware installed on laptops bought online - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA IS TRYINGG 2 KILL ME FAMS - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Hacking is NSA's 'growth area,' Times says in agency profile! - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Judge Napolitano 'It's Time for Congress to Clip the NSA's Wings' - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Global Economic Crisis 2013 Economic Terrorism, NSA CIA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What was more popular on Twitter, NSA, NRA or NBA..today? - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- THE CIA , FBI and NSA Spying Technology is Free and out in the open , DOWNLOAD IT NOW - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- CIS111: NSA Uncovered - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (4/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (2/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Budget 2014 Malaysia mystery NSA listening in - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA misrepresented the scope of its data collection - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA whistleblower Edward Snowden: 'I don't want to live in a society that does these sort - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA: the story of the summer - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Thinkerview - Interview B Bayart - Neutralit du net, CSA NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- German Chancellor Angela Merkel visits US, after the NSA eavesdropping scandal - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA Reveals Planned Police State - US to enter MARTIAL LAW - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA spies on more US citizens than Russians Snowden [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- THE NEXT NSA?Police under scrutiny for using spying technology [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Ukraine and NSA will test Merkel - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Civil liberty activists say Obama's curb on NSA don't go far enough - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- The Latest Attacks On NSA Whistleblower Edward Snowden - Kevin Gosztola Discusses - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- NSA proof phone Case - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]
- Still Report #246 - NSA Classifies MH370 Material - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]