President Biden and Vice President Harris in the Oval Office of the White House. (White House Photo by Adam Schultz)

After the 2015 hack of the U.S. Office of Personnel Management, the SolarWinds breach, and—just weeks after SolarWinds—the latest Microsoft breach, it is by now clear that the U.S. federal government is woefully unprepared in matters of cybersecurity. Following the SolarWinds intrusion, White House leaders have called for a comprehensive cybersecurity overhaul to better protect U.S. critical infrastructure and data, and the Biden administration plans to release a new executive order to this end. What should this reinvestment in cybersecurity look like?

Although the United States is home to many top cybersecurity companies, the U.S. government is behind where it should be both in technology modernization and in mindset. Best-in-class cyberdefense technologies have been available on the market for years, yet the U.S. government has failed to adopt them, opting instead to treat cybersecurity like a counterintelligence problem and focusing most of its resources on detection. Yet the government’s massive perimeter detection technology, Einstein, failed to detect the SolarWinds intrusion—which lays bare the inadequacy of this approach.

The sophisticated nature of the SolarWinds supply chain attack shows that adversaries with the time, personnel, imagination, and resources to pursue novel methods of intrusion will succeed. It is not a question of if but when an intruder will break past the gates. For this reason, it is time for a different model for cybersecurity. U.S. military bases have layers of walls, guards, badge readers, and authentication measures to control access. The United States needs the same mindset for its cybersecurity. Agencies need to adopt an “assume breach” mindset and invest in the security controls required to stop intruders’ internal movements.
To “assume breach” in cyberspace means to invest in a comprehensive defense-in-depth strategy to stop intruders from moving freely throughout a network once they’ve broken past the perimeter. What’s more, the government needs to continuously test its security controls to ensure they work. This cannot all happen at once. For the first phase in the U.S. government’s cybersecurity modernization, the goal should be both clear and aggressive: achieve a continuously validated zero trust architecture for the government’s most critical high-value assets.

A continuously validated architecture “tests” the zero trust claims that an agency is asserting. For instance, the U.S. armed services conduct penetration testing of their bases to ensure that security directives are followed. In a zero trust network, zero trust security controls need to be similarly tested to ensure that a system that should not be able to access another system in fact cannot do so.

To understand why this approach is required, it helps to start with the state of federal cybersecurity capabilities today. Despite decades of investment in cybersecurity personnel and capabilities, the congressionally run Government Accountability Office (GAO) now says U.S. federal cybersecurity capabilities have regressed from prior years—and federal cybersecurity is currently in the GAO’s category of government programs at high risk of failure. Under the “assume breach” mindset, the GAO’s reasoning is clear: there are no internal walls to prevent breaches from spreading.

Today, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) designs, develops, deploys, and sustains a suite of programs called the National Cybersecurity Protection System (NCPS) to help secure federal civilian executive branch information and networks. Capabilities within the NCPS include intrusion detection, analytics, information sharing, and intrusion prevention.
The system’s most significant investment is Einstein, which provides a federal early warning system and improved situational awareness of intrusions, and seeks to identify and prevent malicious cyberspace capabilities. The Department of Homeland Security also maintains continuous diagnostic capabilities to analyze intrusions, and a federal high-value asset program designed to identify the government’s most important assets. Taken together, all of these capabilities failed to detect the SolarWinds intrusion. None of these capabilities delivers on the “assume breach” mindset or the high walls required to stop intruders from moving laterally.

Adopting a zero trust strategy will change how the government views its networks for the better. In the case of SolarWinds, the intruder read and stole credentials, and then used those stolen credentials to travel through unrestricted communication paths between servers—systems that had never tried to communicate with other servers before, and never should have been able to do so. There were no walls between these servers, and that gave the advantage to the intruder. The attacker stole the keys to the kingdom and moved with no restrictions throughout federal agencies.

How would zero trust have prevented this from happening? Zero trust hinges on a policy of “default deny,” meaning that connections between assets are by default not allowed. There is no reason for, say, a low-value server in the Department of the Treasury used for managing human resources issues for department staff abroad to have a direct connection to a high-value server in the United States that hosts the secretary of the treasury’s emails. A zero trust strategy defines acceptable behaviors between assets, including applications and the servers on which they reside, and anything that is not acceptable is denied. This default deny policy essentially forms a wall that prevents servers from establishing unauthorized connections.
It requires a human to intervene to alter the policy. In zero trust, servers cannot even present credentials to one another unless they have been explicitly allowed to connect with one another. This is what it means to “assume breach” and prevent breaches from spreading. Zero trust defends against credential theft, another tactic in the MITRE ATT&CK framework that enables an intruder’s lateral movement within a data center. (MITRE ATT&CK is a publicly available knowledge base of adversary tactics, techniques and procedures.) In the case of zero trust, even if the secretary of the treasury were targeted and fell victim to malware, the default deny posture would stop any abnormal communications from her computer, limiting the spread of the breach.

The good news is that zero trust is gaining traction in Washington. In a memo to the federal government just a few weeks ago, the National Security Agency (NSA) recommended that federal civilian agencies explore the zero trust model and focus on “assume breach.” The NSA strongly recommends that a zero trust security model be considered for critical U.S. government networks, including national security systems, which are used for intelligence operations; Department of Defense networks; and defense industrial base systems, which are used for research and development, manufacturing, and design of military weapons. Following the NSA’s memo, CISA endorsed the memo to agencies for their review and included zero trust in draft discussion documents.

The Biden administration has an opportunity to drive the adoption of zero trust capabilities for high-value assets. The executive order reportedly includes a clause requiring software vendors to notify their federal government customers when the company experiences a cybersecurity breach. While prompt breach disclosure is vital for supply chain attacks like SolarWinds, the fact is that the SolarWinds intrusion could have been slowed if the government had adopted zero trust in advance.
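As an added illustration that is not part of the original article, the following Python sketch models the default deny posture and the continuous validation described above: an explicit allow-list between named assets, a connection check that evaluates policy before any credential is examined, and a validator that compares the intended policy against a probe of the deployed network. The asset names, services, credential and observed reachability table are all constructed for the example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    src: str      # asset allowed to initiate the connection
    dst: str      # asset it may reach
    service: str  # service the rule permits

# Constructed inventory: stand-ins for the article's low-value HR server and
# the high-value server hosting the secretary's email.
ASSETS = {"hr-app-server": "low", "mail-gateway": "high",
          "backup-server": "high", "secretary-mail-server": "high"}

# Explicit allow-list; any pair/service not listed is denied by default.
ALLOW_RULES = {Rule("mail-gateway", "secretary-mail-server", "smtp"),
               Rule("backup-server", "secretary-mail-server", "backup-agent")}

VALID_CREDENTIALS = {"svc-mail": "s3cret-mail"}  # constructed sample secret

def policy_allows(src, dst, service):
    """Default deny: only an explicit rule makes a connection acceptable."""
    return Rule(src, dst, service) in ALLOW_RULES

def attempt_connection(src, dst, service, user, secret):
    """Policy is checked before a credential is even presented, so a stolen
    but valid credential offered from an unlisted source is still refused."""
    if not policy_allows(src, dst, service):
        return "denied-by-policy"
    if VALID_CREDENTIALS.get(user) != secret:
        return "denied-bad-credential"
    return "allowed"

# What a probe of the deployed network actually reports (constructed). It holds
# one legacy path the policy never authorised: the drift validation must surface.
OBSERVED_REACHABLE = {("mail-gateway", "secretary-mail-server", "smtp"),
                      ("backup-server", "secretary-mail-server", "backup-agent"),
                      ("hr-app-server", "secretary-mail-server", "smb")}

def validate_zero_trust(observed=OBSERVED_REACHABLE,
                        services=("smtp", "backup-agent", "rdp", "smb")):
    """Test the zero trust claim: each asset pair and service must be reachable
    if and only if policy allows it. Returns the sorted list of discrepancies."""
    findings = []
    for src, dst in product(ASSETS, repeat=2):
        for svc in services:
            intended, actual = policy_allows(src, dst, svc), (src, dst, svc) in observed
            if actual and not intended:
                findings.append(f"unauthorised path {src}->{dst}:{svc}")
            elif intended and not actual:
                findings.append(f"authorised path broken {src}->{dst}:{svc}")
    return sorted(findings)
```

Running `validate_zero_trust()` on the constructed probe data reports the one HR-to-mail path that no rule authorises, which is exactly the kind of finding a continuously validated architecture is meant to raise before an intruder does.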
The Biden administration should require that departments and agencies confirm to the White House that they have identified their high-value assets, and report how they plan to achieve a validated zero trust architecture, within 60 days of the executive order. Based on our combined experience holding executive roles in cybersecurity companies and a senior cybersecurity role in the U.S. Defense Department, we believe the U.S. government can transform its cybersecurity by adopting the following layered components into its security stack. The same strategy can apply to any organization that seeks to defend its own high-value assets.

A new, validated zero trust architecture should include the following aspects in the security stack:

An endpoint monitoring system (commonly known as endpoint detection and response, or next-generation anti-virus) that is always on and can provide a centralized analytic view to block malware. An endpoint is an end device: a desktop, laptop, smartphone, tablet, server or “Internet of Things” device. In the case of the SolarWinds breach, endpoint monitoring tools reported repeated false positives on SolarWinds software before the breach. SolarWinds recommended turning off these monitoring systems, which is part of what allowed the breach to occur.

A security segmentation capability to stop attacks fro
The U.S. Government Needs to Overhaul Cybersecurity. Here’s How.