Senior Federal IT experts – including the current and former Federal CISO and the Pentagon’s top IT official – are expressing broad agreement that the necessary ingredients are at hand to begin implementing zero trust security concepts for government networks, and that the time to act is now.
Speaking on April 22 at the Billington CyberSecurity Defense Summit virtual event, Federal CISO Chris DeRusha, Acting Defense Department (DoD) CIO John Sherman, and former Federal CISO Greg Touhill made a strong case for taking the next big, foundational steps to improve Federal network security.
New CISO Talks Streamlined Framework
DeRusha, who became Federal CISO in late January, explained that zero trust security concepts are “rooted in three core principles – verifying every user, validating every device, and then within that, limiting access to intelligence.”
“This is obviously a shift away from the prior trust model that assumed if a user has a firewall, then you know they can be trusted, and obviously this isn’t bearing out,” he said. “So we’ve got to move to this new model that assumes everyone and everything is untrustworthy until we prove otherwise.”
“Government’s been working towards this framework of zero trust for a while, but in earnest in the past few years,” DeRusha said. “Agencies are building out really strong foundations around identity and credential access management. We’re also moving closer and closer to doing DNS monitoring [and] dynamic management.”
Before the rush to zero trust kicks off, however, DeRusha indicated that some framework decisions need to be considered.
“There are a lot of different frameworks in this space right now, and I think that would be one of the things that we’ve got to do is streamline that a little bit [to] ensure that we don’t have too many different kinds of frameworks for what we mean when we talk about zero trust,” he said. “But when you really break it down, a lot of this stuff already exists.”
Another part of achieving the change in big-picture security models, he said, is a “shifting mindset” that will require “some commitment from all sorts of different levels of partners within an organization, [and] business side as well.”
“One could view this as potentially causing some challenges or disruptions in the way the workforce currently does business or accesses resources, and some may find it inconvenient,” DeRusha said. “So when that happens, we’re really going to need the business side of the house to understand why we’re making these changes, and how it’s good for the organization and also for them.”
“As always in this space, this is going to be a lot about managing up to our leadership outside the IT cone, and good communication with the business side of the house is going to be necessary or I think it will just go slower than that it could if we don’t do a good job with that,” he said.
Tech Security Inflection Point
DoD Acting CIO John Sherman said the United States is “at one of these inflection points right now” – similar to the decisive use of radar in the Battle of Britain in World War II, or the use of machine guns in the First World War – where a leap ahead in technology proved decisive against adversaries.
“Our current approaches” to security “are not going to take us into the future,” he said. “We have to run a new play here, a new defense … [adversaries] are getting through to the end-zone too many times.”
He endorsed the core zero trust concept of network micro-segmentation and pointed out that it’s already a very widely discussed strategy. “Zero trust … that is the word du jour,” Sherman said, adding, “you hear it on the radio.” While the name of the security concept may shift further with time, he said at the bottom line “it’s about shifting the victim paradigm” and making it more difficult for adversaries to penetrate networks.
Time to Put Up
Retired Air Force Gen. Greg Touhill, who was Federal CISO in 2016 and is now director of the CERT Division at the Software Engineering Institute, emphasized that zero trust concepts are several years old and that it’s time for organizations to get on with the process of implementation. “The technology is there now,” he emphasized, citing software-defined networking as an example.
“Zero trust is not a buzzword, it’s a business imperative,” Touhill declared. “If you are not implementing the zero trust strategy … you are wearing the cyber ‘kick me’ sign.”
Zero trust, he emphasized, “is not something you buy, it’s a strategy.” He continued, “everyone’s smelling the zero trust coffee, now it’s time to put up.”
Part of the adoption discussion for the Federal government, he advised, is to focus first on the data that needs to be protected. He said that some in the Federal CIO community “have a fixation on the technology … We need CIOs to pull back on the stick, get that 30,000-foot look, and focus on the data.”
Sherman, who laid out a strong case for faster zero trust implementation during a MeriTalk webinar earlier this year, echoed that sentiment at the Billington event and said the department was due to release its own zero trust strategy later this year. “It’s my number one priority right now,” he said.
Sherman said DoD already has a lot of the pieces in place for its DoD 365 application that embodies zero trust concepts including endpoint security and Comply to Connect. “We have a lot of the pieces here … we have a long way to go,” he added. “We are like a house with some framing, some plumbing, maybe a roof,” he said. “But we have more to do to make a brick house.”
“This is one of those pivotal moments here,” Sherman said of the effort to bolster security. “If we get this right, it is going to make life a lot harder for our adversaries in Beijing and Moscow.”