Zero trust is not a "silver bullet" to good cybersecurity, but can define cybersecurity conversations and strategies so as to gradually improve cybersecurity overall, according to new comments from cyber experts at the Navy and data company DLT Solutions.
DLT Chief Cyber Security Technologist Don Maclean and Navy Principal Cyber Advisor Chris Cleary discussed the White House Executive Order on Improving the Nation's Cybersecurity and some of the common pitfalls federal agencies might encounter when deploying zero trust in a new GovFocus interview with GovCIO Media & Research.
"Zero trust is a mindset change, it's not a matter of fixing everything, we're never going to get there," Maclean said in the GovFocus interview. "Most security technologies are commensurate with or supportive of zero trust. If that provides a north star or general mindset for approaching security, that's where its value lies. You're never going to get to the complete zero trust finish line."
Cleary said the group of individuals leading federal cyber policy — such as himself and the Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly — came from either the National Security Agency (NSA) or U.S. Cyber Command (USCYBERCOM), leading to commonalities in the current approach to federal cyber policy.
Cleary said organizations should treat zero trust like a mindset rather than as a set of rules or tools. The Navy will roll out a new identity management this year, which Cleary said will lay the groundwork for zero trust.
"The Navy like the rest of DOD is pursuing an ICAM strategy right now and we were pursuing this prior to zero trust being a big thing," he said during the interview. "Identity is fundamental to a zero trust strategy. If you don't have a good identity strategy or architecture you're never going to get to a zero trust architecture. They're codependent. Zero trust has further accelerated our need for identity, it's not a pet project anymore."
Cleary and Maclean both identified culture change as a major hurdle to implementing zero trust across the federal government. For example, the zero trust concept of least privilege, which involves limiting access and privileges to only the ones an employee needs to do his or her job, can be jarring to some organizations.
"Least privilege is one of the many essential components of zero trust," Maclean said. "All human systems and users only have the privilege they need to do their jobs. I've been involved in least privilege exercises, and what you find is, often, with the hurry to get things done, excessive privileges are given and you don't want to sit there and parse out what they don't need. Once people have privilege, they feel privileged and important. Rescinding those privileges becomes an exercise in human management and knowing what they actually need to do their jobs. That's just one example of the types of cultural things that will be difficult in implementing a zero trust program."
Funding is another issue.
"The executive order sets a tone and encourages certain sets of behaviors, [but] they don't come with the most essential piece of the puzzle, which is money," Maclean said. "My hope is the EO will set the tone and orientation for all of government and the requisite funds and staffing will become available to support that initiative."
Cleary discouraged federal agencies from treating zero trust as an all-or-nothing approach to cybersecurity. This kind of approach isn't very effective because it treats cybersecurity as if there is an end goal in mind, something Cleary said isn't realistic or resourceful. The Defense Department's "comply-to-connect" policy, he said, was treated like "the thing that was going to save us" in terms of cybersecurity until security professionals "move[d] on to the next shiny thing," which could happen with zero trust.
"This is not the last security architecture we're ever going to have," he said. "It wasn't that long ago that this would have been a comply-to-connect discussion. That was the thing that was going to save us. We're coming to the conclusion that that's a really really hard task. Not that zero trust is the next shiny thing, but conceptually, is it better to get to 100% [of comply-to-connect] or stop what you're doing and try to get to a zero trust strategy? I think that's a lot of what the debates are in organizations. How long is it going to take us to roll out a zero trust architecture at scale in the department?"
Cleary compared cybersecurity to the "War on Poverty" or the "War on Drugs" — "perpetual problems that are never going to be solved." Their strategies should reflect that. He also said cyber risks and vulnerabilities should be prioritized and addressed like barnacles on a ship — you can't always remove all of them, but you can address the ones that keep you from running the ship.
"There's never going to be an architecture that's rolled out and adversaries are like, 'Whelp they have zero trust, we better go home,'" he said. "This is a perpetual problem that we need to manage, there's never going to be a silver bullet. I'm never going to scrape all those barnacles off, but I've got to get the ones that are going to impact me the most."
Both Cleary and Maclean are optimistic about the future of federal cybersecurity given the recent shift in mindset in response to last year's barrage of cyberattacks.
"People are realizing that what we're doing is not really working ... it's clear that what we're doing now isn't working so we do need a comprehensive approach from the ground up," Maclean said. "A lot of technologies in zero trust are not just foundational to zero trust, they're foundational to good security. The goal of zero trust is not zero trust, it's to make your security program better."