To maximize cybersecurity dollars, lean on Zero Trust
Since I left government in late 2019, there has been a world of change that I could not have foreseen.
COVID literally rewrote how business was done. As individuals moved from offices to homes or other places, endpoints proliferated, widening the attack surface.
Russia’s recent invasion of Ukraine catapulted cybersecurity to the forefront of public and private agendas. And the aim of attacks has shifted from extortion and espionage to destruction. The invasion exposed the cybersecurity threat and increased the commitment to ensuring the security of networks and critical infrastructure.
There are examples that show how those who want to harm our nation are significantly increasing their willingness and ability to launch cyberattacks. The increasing intensity and sophistication of attacks on some of the largest US financial institutions show that cyberspace has blurred the lines between instruments of national power.
Coordinated cyberattacks carried out by Russia as part of its strategy to invade Ukraine demonstrate the readiness of opposing state actors to engage in a cyber war against any target that is considered even potentially threatening. A sense of urgency to ensure that measures are taken to protect networks, including operational technology (OT), is paramount. This should be at the top of the “To Do” list of any CIO and CISO.
As a result, the US government’s focus on cybersecurity has increased. In a March 2022 executive statement, President Joe Biden warned of Russia’s potential to engage in malicious cyber activities against the United States and encouraged the private sector to tighten its cyber defenses.
The Biden Administration has taken deliberate action to address these growing threats, including a focus on securing the electricity, oil and water sectors. The Cybersecurity and Infrastructure Security Agency launched the “Shields Up” initiative, which offers recommendations to corporate leaders to thwart ransomware.
CISA’s Binding Operational Directive 22-01 provides a catalog of vulnerabilities that are being actively exploited in the wild. In addition, the National Defense Authorization Act of 2022 instructed the Department of Defense to establish basic cybersecurity requirements that can be implemented for OT, emphasizing the need to harden these devices against cyberattacks.
While at DoD and DHS, I saw Comply-to-Connect (C2C) and Continuous Diagnostics and Mitigation (CDM) as a way to enforce the principles of Zero Trust. Protecting access to data resources was a perpetual concern. What compelled me to think this way was the emphasis on C2C policy to assess the security stance of an endpoint before granting any access to network resources and then continuously monitoring endpoint security. C2C is a core element of Zero Trust that ensures secure access to data.
C2C and CDM programs offer an opportunity to move out quickly by maximizing existing resources. For example, the DISA-funded C2C program offers the ability to discover, identify, and categorize the six endpoint categories defined by Cyber Command. This includes platform information technology such as ICS, SCADA and medical devices. By leveraging C2C, the cyber readiness of OT networks and devices improves, and the NDAA targets for fiscal year 22 can be achieved.
On the civilian side, leveraging existing tools acquired through CDM can help agencies achieve the goals outlined in the Zero Trust Executive Order.
The cyber domain will remain dynamic. Leveraging existing and marketed tools can make a difference more quickly and provide confidence to operational commanders and government leaders that networks and OT are protected. After all, the availability of relevant information is key to the success of the mission.
Don’t assume trust. Don’t fall prey to rogue devices. Reaching a zero-trust architecture quickly is more important than ever. The implementation of C2C is a means available now to continuously identify and control access to all endpoints that connect to the network, enabling a complete zero-trust architecture.
John Zangardi is the CEO of Redhorse Corporation and a former CIO in the Department of Homeland Security and the Department of the Navy, and a former CIO in the Department of Defense.