After the 2015 hack of the U.S. Office of Personnel Management, the SolarWinds breach, and—just weeks after SolarWinds—the latest Microsoft breach, it is by now clear that the U.S. federal government is woefully unprepared in matters of cybersecurity. Following the SolarWinds intrusion, White House leaders have called for a comprehensive cybersecurity overhaul to better protect U.S. critical infrastructure and data, and the Biden administration plans to release a new executive order to this end.
What should this reinvestment in cybersecurity look like? Although the United States is the home of many top cybersecurity companies, the U.S. government is behind where it should be both in technology modernization and in mindset. Best-in-class cyberdefense technologies have been available on the market for years, yet the U.S. government has failed to adopt them, opting instead to treat cybersecurity like a counterintelligence problem and focusing most of its resources on detection. Yet the government’s massive perimeter detection technology, Einstein, failed to detect the SolarWinds intrusion—which lays bare the inadequacy of this approach.
The sophisticated nature of the SolarWinds supply chain attack shows that adversaries with the time, personnel, imagination, and resources to pursue novel methods of intrusion will succeed. It is not a question of if but when an intruder will break past the gates.
For this reason, it is time for a different model for cybersecurity. U.S. military bases have layers of walls, guards, badge readers, and authentication measures to control access. The United States needs the same mindset for its cybersecurity.
Agencies need to adopt an “assume breach” mindset and invest in the security controls required to stop intruders’ internal movements. To “assume breach” in cyberspace means to invest in a comprehensive defense-in-depth strategy to stop intruders from moving freely throughout a network once they’ve broken past the perimeter. What’s more, the government needs to continuously test its security controls to ensure they work.
This cannot all happen at once. For the first phase in the U.S. government’s cybersecurity modernization, the goal should be both clear and aggressive: achieve a continuously validated zero trust architecture for the government’s most critical high-value assets. A continuously validated architecture “tests” the zero trust claims that an agency is asserting. For instance, the U.S. armed services conduct penetration testing of their bases to ensure that security directives are followed. In a zero trust network, zero trust security controls need to be similarly tested to ensure that a system that should not be able to access another system cannot do so.
To understand why this approach is required, it helps to start with the state of federal cybersecurity capabilities today. Despite decades of investment in cybersecurity personnel and capabilities, today the congressionally run Government Accountability Office (GAO) says U.S. federal cybersecurity capabilities have regressed from prior years—and federal cybersecurity is currently in the GAO’s category of government programs at high risk of failure. Under the “assume breach” mindset, the GAO’s reasoning is clear. There are no internal walls to prevent breaches from spreading.
Today, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) designs, develops, deploys, and sustains a suite of programs called the National Cybersecurity Protection System (NCPS) to help secure federal civilian executive branch information and networks. Capabilities within the NCPS include intrusion detection, analytics, information sharing, and intrusion prevention capabilities. The system’s most significant investment is Einstein, which provides a federal early warning system and improved situational awareness of intrusions, and seeks to identify and prevent malicious cyberspace capabilities. The Department of Homeland Security also maintains continuous diagnostic capabilities to analyze intrusions, and a federal high-value asset program design to identify the government’s most important aspects.
Taken together, all of these capabilities failed to detect the SolarWinds intrusion. None of these capabilities delivers on the “assume breach” mindset or the high walls required to stop intruders from moving laterally.
Adopting a zero trust strategy will change how the government views its networks for the better. In the case of SolarWinds, the intruder read and stole credentials, and then used those stolen credentials to leverage and travel through unrestricted communications paths between servers—systems that had never tried to communicate with other servers before, and never should have been able to do so. There were no walls between these servers, and that gave the advantage to the intruder. The attacker stole the keys to the kingdom and moved with no restrictions throughout federal agencies.
How would zero trust have prevented this from happening? Zero trust hinges on a policy of “default deny,” meaning that connections between assets are by default not allowed. There is no reason for, say, a low-value server in the Department of the Treasury used for managing human resources issues for department staff abroad to have a direct connection to a high-value server in the United States that hosts the secretary of the treasury’s emails. A zero trust strategy defines acceptable behaviors between assets, including applications and the servers on which they reside, and anything that is not acceptable is denied. This default deny policy essentially forms a wall that prevents servers from establishing unauthorized connections. It requires a human to intervene to alter the policy. In zero trust, servers cannot even present credentials to one another unless they were explicitly allowed to connect with one another.
This is what it means to “assume breach” and prevent breaches from spreading. Zero trust defends against credential theft, another tactic in the MITRE ATT&CK framework that enables an intruder’s lateral movement within a data center. (MITRE ATT&CK is a publicly available knowledge base of adversary tactics, techniques and procedures.) In the case of zero trust, even if the secretary of the treasury was targeted and fell victim to malware, the default deny posture would stop any abnormal communications from her computer, limiting the spread of the breach.
The good news is that zero trust is gaining traction in Washington. In a memo to the federal government just a few weeks ago, the National Security Agency (NSA) recommended that federal civilian agencies explore the zero trust model and focus on “assume breach.” The NSA strongly recommends that a zero trust security model be considered for critical U.S. government networks, including national security systems, which are used for intelligence operations; Department of Defense networks; and defense industrial base systems, which are used for research and development, manufacturing, and design of military weapons. Following the NSA’s memo, CISA endorsed the memo to agencies for their review and included zero trust in draft discussion documents.
The Biden administration has an opportunity to drive the adoption of zero trust capabilities for high-value assets. The executive order reportedly includes a clause for software vendors to notify their federal government customers when the company experiences a cybersecurity breach. While prompt breach disclosure is vital for supply chain attacks like SolarWinds, the fact is that the SolarWinds intrusion could have been slowed if the government had adopted zero trust in advance. The Biden administration should require that departments and agencies explain to the White House that they have identified their high-value assets, and report how they plan to achieve a validated zero trust architecture within 60 days of the executive order.
Based on our combined experience holding executive roles in cybersecurity companies and a senior cybersecurity role in the U.S. Defense Department, we believe the U.S. government can transform its cybersecurity by adopting the following layered components into its security stack. The same strategy can apply to any organization that seeks to defend its own high-value assets.
A new, validated zero trust architecture should include the following aspects in the security stack:
- An endpoint monitoring system (commonly known as endpoint detection and response, or next-generation anti-virus) that is always on and can provide a centralized analytic view to block malware. An endpoint is an end device: a desktop, laptop, smartphone, tablet, server or “Internet of Things” device. In the case of the SolarWinds breach, endpoint monitoring tools reported repeated false positives of SolarWinds software before the breach. SolarWinds recommended turning off these monitoring systems, which is part of what allowed the breach to occur.
- A security segmentation capability to stop attacks from moving between endpoints and within the broader infrastructure. Such platforms build walls where there were no walls. This includes mapping out all communications between applications, containers, clouds, data centers, and networks and allowing only trusted communications to happen around high-value assets.
- A next-generation firewall to monitor and filter network traffic between large environments (zones) and agencies.
- An automated testing platform aligned to the MITRE ATT&CK framework and robust cyber threat intelligence to validate the organization’s overall security program effectiveness. This platform should be testing security programs and security controls continuously, at scale, and in a production environment, and should emulate real-world adversary behaviors.
These investments need to be considered holistically. If one endpoint is compromised, it should not be able to affect other laptops. If one application is compromised, it should not impact other applications. If a large zone is compromised, a security control should prevent the breach from compromising other aspects of the organization and spreading outside the organization. This strategy looks at the federal information technology infrastructure and creates compartments around endpoints, applications, and networks in the same way compartments are built within military bases and vessels.
Yet none of these investments should be trusted to work as intended without being continuously exercised. To upgrade President Reagan’s old aphorism for the cyber age, don’t trust any of your connections, and verify all of your defenses.
Security controls are composed of people, processes and technologies. Failing to test such controls is equivalent to the military not putting its forces through regular, consistent training exercises. Absent continuous testing, leaders lack data-driven visibility into their security program’s overall performance. Untested organizations without metrics exist in a state of poor readiness, likely to fail when an adversary attacks because they have neglected to focus on and prepare for the most critical threats.
Today, the U.S. federal government has limited visibility into its cybersecurity. This is a dangerous state of affairs: In the absence of visibility, the security team lacks control, and if the security team lacks control, the adversary wins. The goal therefore should be to maintain a validated zero trust architecture where security teams have comprehensive, data-driven control over their security and can test their organizations on a moment’s notice to ensure effectiveness. Security teams should use scenarios aligned to the MITRE ATT&CK framework and sector-specific threat intelligence to prepare for known threat behaviors.
With performance data generated from automated testing, security leaders can adjust failing programs, identify gaps and areas of investment, and then measure their program effectiveness in a continuous fashion. The net result of this approach is a validated zero trust environment in which all of the security controls work as intended. This is what visibility really means. To prepare for future breaches, security leaders can use performance data to report with confidence to their leadership teams, Congress and the public about the true effectiveness of their cybersecurity programs.
Today the U.S. federal government faces a range of challenges to its cybersecurity and information technology, to include sprawling networks, legacy systems, and, most importantly, diligent and capable nation-state adversaries. There is a reason why large organizations design strategies to address complex challenges: You cannot solve every problem all at one time. The only path is to prioritize what matters most.
The Biden administration can make meaningful progress in its first year by delivering a validated zero trust architecture for the missions and assets that matter most—not only investing in the defense capabilities required, but also ensuring that the security controls in place will work as intended when the adversary inevitably breaks through. It would be a signal achievement to go from the SolarWinds breach to a validated zero trust architecture. The government should set this as an aggressive but achievable strategic goal.
This piece originally appeared in Lawfare on April 9, 2021.