What President Biden’s New Security Policy Means for the Future of Cyber
This article originally published on Andrew Rubin's LinkedIn.
The Biden Administration just cemented its legacy in cybersecurity policy with a sweeping Executive Order aimed at improving the resilience and reducing the cyber risk of the United States Government. It’s the first time our government has attempted to rewrite its cybersecurity blueprint in nearly two decades, and it comes not a day too soon. Now more than ever, adversaries have the time, personnel, and resources to pursue novel methods of intrusion, and as the recent Colonial Pipeline and SolarWinds attacks demonstrated, they’re seeing large-scale success in their exploitation efforts.
This isn’t just an American problem, or a federal problem, or a policy problem – a contagion of complacency crept into the system. That’s why I welcome this Executive Order with open arms – because it’s a call to action that we need to change the way we protect ourselves.
Getting ahead of the curve
The U.S. federal government has been woefully behind in information technology and cybersecurity modernization for quite some time. U.S. Department of Homeland Security Secretary Alejandro Mayorkas put the current state of federal cybersecurity in America best when he shared his vision for national cyber resiliency on March 31: “Our government got hacked last year and we didn’t know about it for months. It wasn’t until one of the world’s best cybersecurity companies got hacked itself and alerted the government that we found out. This incident is one of many that underscores a need for the federal government to modernize cybersecurity defenses and deepen our partnerships.”
How is it that one of the wealthiest and most innovative countries in the world has been historically behind the ball when it comes to securing national infrastructure? One would think that the billions of federal dollars that go to securing government assets would mitigate the impact of outside threats.
But the issue isn’t that we lack the resources or the talent or the access to best-in-class cyber defense technologies – the U.S. is after all the proud home of many global cybersecurity leaders. Instead, what I believe Secretary Mayorkas was laying out is an indictment of the entire cybersecurity model - if not for the world, then at least for the federal government.
Globally, we spent $173 billion on cybersecurity last year, yet we have more breaches than at any time in history – and they’re the most catastrophic breaches of all time. Despite our failing strategy and terrible outcomes, we continue to take the same approach to cybersecurity today as we did 20 years ago. Organizations try to prevent attacks from infiltrating the perimeter, then detect attacks when they slip through, and rely on incident response to clean up the mess.
The days when prevention and detection alone saved your agency, business or organization are gone. There are attacks in your infrastructure right now that you do not know are there. They’re hiding. They’re masquerading. They’re trying to move laterally to steal your IP, customer data, and government secrets, or to hold it all for ransom. And sadly, our current cybersecurity approach does little to stop these intrusions from becoming large-scale cyber disasters.
Moving to Ground Zero
This Executive Order finally acknowledges that the federal cybersecurity model is outdated by laying out the first draft of the new security design. The new approach can be summed up in two words: Zero Trust.
Pick a vendor and you’ll find a million Zero Trust definitions. Forrester publicized the term more than a decade ago, and a recent blog by Forrester analyst Steve Turner put it this way, “Zero Trust is not one product or platform; it’s a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach.’”
In terms of what Zero Trust looks like at the federal level, a number of core components will be needed to implement and achieve a Zero Trust strategy. Access, Identity, and Segmentation are three core technologies that I believe will be required at scale. If you’ve used Google Authenticator, Authy or any other multi-factor authentication app, for example, then you’ve already taken a step towards Zero Trust. But there are fundamental design principles that are required no matter whose definition you follow.
As a starting principle, the federal government must operate under the “assume breach” mentality: the mindset that attacks are already in the infrastructure and that new attacks will get through again in the future. From that strategic starting point, federal cyber defenses can be built to stop attackers from moving laterally through a cloud, network or data center. We’ve learned the hard way that 99.9% effectiveness isn’t enough when the remaining 0.1% of breaches cost taxpayers billions of dollars or force the closure of critical infrastructure, like strategic fuel pipelines. Instead, it’s about preparing for breaches proactively, so organizations can limit their reach and impact.
To expand a bit further, the government should follow the principles of Least Privilege and Explicit Trust. This means communications across your infrastructure (between applications, networks, clouds, data centers or devices) should carry the least amount of privilege possible at all times, and agencies should be required to explicitly allow a communication before it can take place between those systems; anything not explicitly allowed is denied by default. These principles, for example, could have kept the SolarWinds compromise from causing so much damage. The malware would still have been in the infrastructure, but isolated and incapable of spreading so widely.
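To make the Least Privilege and Explicit Trust principles concrete, here is a small added example (not code from the article or from any product it mentions) that contrasts the two models on a handful of constructed flow records. The workload labels, ports, allow-list rules and sample flows are all invented for illustration. Under the perimeter model any host that is already "inside" may talk to any other; under the explicit-trust model only flows an application owner has declared are allowed and everything else is denied, so a compromised management host trying to reach the database directly is contained even though it sits inside the network. A second check flags rules that use wildcards, which is where least privilege usually erodes.

```python
"""Default-deny segmentation policy versus a flat perimeter model.

Added example for illustration only; labels, ports, rules and flows are constructed.
"""
from dataclasses import dataclass

ANY = "*"  # wildcard label; a port of 0 likewise means "any port"


@dataclass(frozen=True)
class Flow:
    src: str    # label of the workload that opened the connection
    dst: str    # label of the workload that received it
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        """True when this rule explicitly permits the given flow."""
        return (self.src in (ANY, flow.src)
                and self.dst in (ANY, flow.dst)
                and self.port in (0, flow.port)
                and self.proto == flow.proto)

    def is_broad(self) -> bool:
        """A rule with a wildcard endpoint or port grants more than least privilege."""
        return ANY in (self.src, self.dst) or self.port == 0


# Constructed set of workload labels considered "inside" the perimeter.
INTERNAL = {"web", "app", "db", "mgmt-server", "workstation"}


def perimeter_allows(flow: Flow) -> bool:
    """The weak setting: once inside, anything may talk to anything."""
    return flow.src in INTERNAL and flow.dst in INTERNAL


# Constructed explicit-trust allow-list: each line is a communication an
# application owner has declared. Nothing else is permitted (default deny).
ALLOW_RULES = (
    Rule("web", "app", 8443),          # web tier calls the application tier
    Rule("app", "db", 5432),           # application tier reads/writes the database
    Rule("mgmt-server", "web", 22),    # admin host may SSH to the web tier
    Rule("mgmt-server", "app", 22),    # admin host may SSH to the app tier
)


def zero_trust_allows(flow: Flow, rules=ALLOW_RULES) -> bool:
    """Explicit trust: a flow is allowed only if some declared rule matches it."""
    return any(rule.matches(flow) for rule in rules)


# Constructed flow records, as a segmentation controller might observe them.
SAMPLE_FLOWS = [
    Flow("web", "app", 8443),              # normal tier-to-tier traffic
    Flow("app", "db", 5432),               # normal database access
    Flow("mgmt-server", "app", 22),        # declared administrative access
    Flow("mgmt-server", "db", 5432),       # admin host reaching straight for the database: lateral move
    Flow("workstation", "db", 5432),       # user workstation querying the database directly
    Flow("web", "app", 8443, "udp"),       # declared endpoints but undeclared protocol
]


def evaluate(flows, rules=ALLOW_RULES):
    """Return (flow, perimeter decision, zero-trust decision) for every flow."""
    return [(f, perimeter_allows(f), zero_trust_allows(f, rules)) for f in flows]


def lateral_moves_contained(flows, rules=ALLOW_RULES):
    """Flows the flat network would have carried that the allow-list blocks."""
    return [f for f in flows if perimeter_allows(f) and not zero_trust_allows(f, rules)]


def broad_rules(rules):
    """Rules that violate least privilege by using a wildcard endpoint or port."""
    return [r for r in rules if r.is_broad()]


if __name__ == "__main__":
    for flow, perimeter, zero_trust in evaluate(SAMPLE_FLOWS):
        print(f"{flow.src:>12} -> {flow.dst:<12} {flow.proto}/{flow.port:<5} "
              f"perimeter={'allow' if perimeter else 'deny':5} "
              f"zero-trust={'allow' if zero_trust else 'deny'}")
    print("contained:", [(f.src, f.dst, f.port) for f in lateral_moves_contained(SAMPLE_FLOWS)])
    print("broad rules in allow-list:", broad_rules(ALLOW_RULES))
    print("broad rules in a lazy list:", broad_rules((Rule("mgmt-server", ANY, 0),)))
```

Running the block shows the three undeclared flows (management host to database, workstation to database, and the UDP variant of a declared TCP path) pass the perimeter check but are denied by the allow-list. The `broad_rules` check is the review step that keeps the allow-list honest: a rule like `Rule("mgmt-server", "*", 0)` would make the management host's compromise just as damaging as it is in the flat model.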
The new cyber normal
As Secretary Mayorkas explained, “We must fundamentally shift our mindset and acknowledge that defense must go hand in hand with resilience. Bold and immediate innovations, wide-scale investments, and raising the bar of essential cyber hygiene are urgently needed to improve our cyber defenses. We need to prioritize investments inside and outside of the government accordingly.”
Zero Trust is more than just a national cybersecurity framework - it is something that any corporation, organization, or individual can embrace to achieve true cyber resiliency. What the Biden Administration is advocating for is not an overthrow of the security tools and technologies powering and protecting today’s world but a strategic mindset to supplement those solutions, in order to further bolster our cybersecurity defenses and amplify our preparedness.
Federal cybersecurity modernization obviously cannot happen all at once, but it needs to start with controls designed to isolate malicious activity once attackers have already penetrated federal networks. It needs to start with an assume breach mindset, across agencies. And it needs to start with adopting Zero Trust strategies at scale.