Government IT teams are worried, and for good reason. Confronted by the rising threat of sophisticated cyberattacks, they are looking at an uncertain future and wondering whether they have the right tools to defend their systems. Each time defenders deploy new technology, attackers find a way to defeat it. The result has been a string of high-profile attacks against critical infrastructure, supply chains, and more.
But what will it take to combat this threat? According to Don Maclean, Chief Cybersecurity Technologist at DLT, the answer is simple: adopt a zero trust methodology.
Zero trust is nothing new; however, Maclean noted in a recent interview with GovCyberHub that it has taken on new relevance. Here are his thoughts.
GovCybersecurityHub: Over the last 12 months, we’ve seen government agencies, their private sector security partners, and other private sector organizations make a lot of changes. How have these changes manifested themselves? What caused them and where did they come from?
Don Maclean: Adopting a zero trust methodology, or the interest in exploring zero trust, is the biggest change that I’ve seen recently. Many organizations are revamping their cybersecurity from scratch. There is a huge interest in approaches to cybersecurity that create profound positive effects on security. That interest is due to the cyberattacks plaguing the industry.
Recently we saw the Log4j vulnerability — just one of many. Granted, Log4j was one of the more pernicious and dangerous ones that we’ve seen, but you could just pick up any newspaper and read about another breach, another attack. From public interest outlets to industry news, these stories of attacks and breaches tell us that our approach to cybersecurity is just not effective.
Those attacks in turn have caused the highest levels of government to take an active role in boosting agencies’ cybersecurity. The Biden Administration’s executive order on cybersecurity mandates planning and adoption of zero trust architecture throughout the government.
GovCybersecurityHub: Are these attacks the main reason we see zero trust receiving more attention than other approaches? Is a zero trust approach just inherently better at addressing the concerns raised by these attacks?
Don Maclean: Zero trust encourages organizations to take a whole new look at how they protect their systems and redesign their security approaches.
The Biden Administration’s executive order is unusual in recommending a specific approach to security: zero trust. This recommendation shows the gravity of the situation and the need for a comprehensive re-evaluation of our nation’s security posture.
However, there is more to zero trust than deploying a new set of security technologies. Zero trust entails a significant culture change at all levels of the organization. Zero trust is a way of thinking that stakeholders must accept if the implementation is to succeed.
GovCybersecurityHub: Let’s talk about the Log4j vulnerability. In your opinion, is it the most high-profile breach in recent memory? Were there any others that stood out? Do we know the impact of any of these breaches, or can we even know or understand the full impact?
Don Maclean: The Log4j vulnerability is one of the biggest cyberthreats that we’ve seen, but we should remember that it was only one of many that have occurred recently. Log4j is certainly the top of mind for many cybersecurity professionals right now, but that is largely because of what it represents.
At its core, Log4j was an easy-to-use attack (as little as 12 characters) that affected a huge array of systems. Finding it and mitigating it was difficult. However, the real concern is the scope of the vulnerability, not just of this particular hack, but of others still unknown.
So Log4j was certainly one of the more dangerous and ubiquitous security events that we’ve seen in a long time. Its easy implementation was frightening and makes me wonder how many other attacks like this have occurred. How many more are occurring right now?
In addition, think how tiring it is to be one of those cybersecurity professionals. A vulnerability like Log4j just shows that no matter what you do to defend, you must remain constantly vigilant. Vigilance on weekends, holidays, and late at night is fatiguing. Many cybersecurity professionals are sick of these attacks and of having to scramble constantly to keep systems safe.
Basing an organization’s cybersecurity around zero trust doesn’t provide all the answers. However, it requires organizations to take a cold, hard look at their cybersecurity. That is an important mindset and one that can help mitigate attacks no matter how potentially damaging they might be.
GovCybersecurityHub: How have attack vectors changed in 2022? Do we see an uptick in attacks? Are they using the same attack vectors or are there new and better tools that cybercriminals are using?
Don Maclean: The quick answer is “no”. I don’t believe malicious actors are using newer and better tools, but there has been an uptick in attacks. They are using their experience and tools to exploit weaknesses in cybersecurity defenses.
Based on the frequency of attacks, it’s clear there are many gaps in current cybersecurity defenses. Integrating security solutions is complicated, creating the potential for cybercriminals to gain entry. There are no fundamental or conceptual differences in the approaches that these criminals employ; they just find the newest weakness and exploit it.
A lot of those weaknesses revolve around human behavior. This leads to an inevitable and difficult decision between the expense of cybersecurity protection versus the value of what you’re protecting. It’s the classic risk/benefit analysis, and in the new hybrid work environment, it’s a difficult equation for any defender to assess.
GovCybersecurityHub: We’ve discussed some of the immediate trends that have emerged from last year, but looking ahead to 2022 and beyond, do you see these trends among both defenders and cybercriminals continuing? Do we already see some evolution among them?
Don Maclean: Two words will keep coming up: zero trust. We are seeing a renewed focus on zero trust, not as a set of principles, but as a plan of action.
Zero trust has become a way to work cybersecurity into every aspect of an organization. Zero trust could be just another flash in the pan, but many experts believe it represents a significant change to our approach to cybersecurity.
I don’t think we will see zero trust become like a Gartner hype cycle, where initial excitement yields to disinterest. We have seen severe and frequent cyberattacks for many years prompting a fundamental re-evaluation of cybersecurity practices. Many security teams will embrace zero trust.
My hope for trends among defenders is that they continue down the zero trust path, and more importantly, that they get the financial support they need to realize the approach. Executive orders are, of course, incredibly useful in setting a tone and pushing projects forward, but without a budget attached, a government agency cannot accomplish much. If the trends we are seeing from both defenders and attackers continue — and I believe they will — then government IT will need a budget to adopt a zero trust approach.
I hope the government’s emphasis on a zero trust methodology carries over to the commercial industry, too. Our enemies today will attack a government partner as readily as they attack the government itself. The entire United States IT ecosystem is one big target, so we need meaningful collaboration between government and business.
In addition, I hope that programs like the CMMC continue. I expect that they will, but much like zero trust, they take commitment. CMMC is a great step forward in protecting industry and government data that resides on systems belonging to private industry.
The adoption of a zero trust methodology and of CMMC-like approaches will continue. However, I’m unsure if these approaches will receive adequate financial support. It’s easy to say “Yes, we should really protect our data,” but then if you sit down and look at what it’s going to cost to protect that data, it’s not so easy to say, “go for it.”
I believe the cost is worth it. If government IT is serious about preventing the next SolarWinds, Kaseya, or Log4j, they will reach out to their IT partners like DLT and ask what zero trust can do for them. We’re more than ready to help.
To learn more about how organizations like DLT and their partners are working to make government IT more secure through a zero trust methodology, click here.