While many agencies are working to keep pace with the digital developments of the last decade, even more transformation is coming. Government will rely on zero trust architecture and a cyber-aware workforce to stay agile in the midst of an ever-evolving threat landscape.
“This is a cat and mouse game, right?” Defense Information Systems Agency (DISA) CTO Stephen Wallace said at GovCIO’s Cloud Modernization event last week. “There isn't a, ‘Sweet, we've done all these things. We can declare zero trust. We're done.’”
Cybersecurity is all about increasing the cost to the adversary through an agile process, said Nate Smolenski, CISO and head of cyber intelligence strategy at Netskope. New strides in architecture security will only push adversaries to find and exploit new vulnerabilities, and so cybersecurity strategies need to be adaptable.
“When you increase the cost for the adversary, when you make it more difficult, then they're gonna go find the easier target, right?” Smolenski said. “As much as we've transformed and moved to the cloud, they're doing the same thing. That's why malware delivery doesn't happen as often from some bizarro website that was spun up yesterday at 2 p.m. — it's happening from Google and Microsoft and AWS because those are trusted services. We have to continue to make sure that we're upping the ante, increasing that cost from the adversary perspective.”
DISA is upping the ante with its new Thunderdome prototype, a network security system built on zero trust principles.
“How do we start to integrate, not just vertically across the network, but also horizontally where you have your endpoint defenses?” Wallace said. “Right now, most of the endpoint defenses don't talk with the mid-tier defenses, which don't talk to the application defenses — so how do we really get an integrated view of what's going on? So that we can move away from just the, 'Well the user has a valid credential, so they must have access to the application,' and get to a more integrated flow. ... So overall, we're looking for a better user experience, but also far greater security.”
Wallace said that the core mission of cyber teams is to ensure the end users have secure and easy access to their workflows.
“In some ways, I think that we've kind of lost our way,” Wallace said. “At the end of the day, our job is to get the user to the data that they deserve to have access to. Full stop. That's why we're here. The user needs access to that data. We've loaded a lot of things that encumbered the user's experience in the name of attempting to protect them that actually inhibit them, and in many cases drive them to different means of getting access to that data or exchanging data.”
Cumbersome security architecture can push users to insecure methods for data access and sharing, which is why excellent user experience is key to building a successful cybersecurity system.
“If you don't have good cyber hygiene, the users are going to find a way,” said Government Accountability Office (GAO) IT and Cybersecurity Director Kevin Walsh. “They're going to Gmail it, or they're going to take a picture and text it to their buddy.”
With the Thunderdome prototype, DISA hopes to build a dynamic cybersecurity system that serves the user.
“That is part of what we're trying to do via Thunderdome, is get to that better user experience — not just via the network path per se, but also trying to refine what's going on on that endpoint to improve that user's experience,” Wallace said.
While cybersecurity systems must be built with the end user in mind, training a cyber-aware workforce is also critical. Walsh pointed to Stuxnet, a malicious computer worm first uncovered in 2010 in Iranian nuclear facilities, as an example of how untrained users can introduce network vulnerabilities.
“Stuxnet was on an air-gap network,” Walsh said. “How did that happen? Well, they were probably selling USB keys at the vendor outside, and that's all it takes. Somebody said, ‘I need a USB key and I left mine at home, so I'm gonna go out to the hotdog cart and buy a USB key,’ and then they're screwed. You can have the best security in the world defeated by a hotdog cart.”
While users can introduce new vulnerabilities to a system, with the proper training, they can also serve as the linchpin that helps to secure it.
“When you look at the SolarWinds hack, that was discovered by a user who had a multi-factor authentication pop up and they reported the fact that, ‘Hey, I didn't do this,’” Wallace pointed out. “It wasn't some fancy tool. At the end of the day, it was a well-trained user who did the right thing.”