How effective is a state-of-the-art home security system if there’s still a key under the welcome mat? Not very. And yet, critical government agencies are leaving their doors unlocked when it comes to cybersecurity. Earlier this year, the FAA found themselves scrambling to explain how a minor computer glitch grounded thousands of planes. And a few weeks after that, the Department of Defense had some explaining to do when an OIG report revealed they had open cybersecurity issues dating as far back as 2012. The government is now taking steps to fortify its cyber defenses with zero trust architecture.
The FAA Fumble
Thousands of flights were delayed or canceled on the morning of January 11, 2023, when the FAA issued a ground stop that lasted nearly two hours, preventing the departures and arrivals of all domestic aircraft nationwide. Tensions were high as worst-case scenarios were under consideration by the media. The last time something like this happened was on 9/11, so a possible terror attack was among the hypothetical events suggested that day. When the FAA concluded its investigation, it announced that the ground stop was triggered by an outage in the Notice to Air Missions (NOTAM) system, which provides critical safety data to prevent air disasters. During routine maintenance, one file was replaced with another, causing a breakdown in the NOTAM system. And while there was a shared sigh of relief that it was not an act of terror or cyberattack, a glitch capable of taking down an entire computer network responsible for maintaining the safety and integrity of international air travel was not very reassuring.
The DoD on Defense
The Department of Defense (DoD) is the nation’s largest government agency. They are tasked with protecting the safety, welfare, and defense of the 336 million people currently living in the United States. According to the U.S. Government Accountability Office (GAO), the DoD has had over 12,000 cyber incidents since 2015. An IBM report revealed that 822 government agencies experienced data breaches between 2014 and 2022, affecting nearly 175 million records, at the cost of approximately $26 billion, although the actual cost is likely much higher.
Three weeks after the FAA NOTAM system outage, the DoD Office of Inspector General (OIG), an independent government agency that provides operational oversight of the DoD, publicly released its Summary of Reports and Testimonies Regarding DoD Cybersecurity from July 1, 2020, to June 30, 2022. The OIG report summarized its audit of DoD cybersecurity trends based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, which all federal agencies are required to use to manage their cybersecurity risk.
The NIST Cybersecurity Framework contains five pillars — Identify, Protect, Detect, Respond, and Recover — all of which must be implemented for high-level measures as a comprehensive risk management strategy. The OIG Summary observed that although the DoD OIG, GAO, and other oversight entities have steadily increased their cybersecurity-related oversight over the past six years, they focused primarily on “Identify and Protect,” neglecting “Detect, Respond, and Recover.” According to the report, the DoD still has 478 open security issues dating as far back as 2012 out of the 895 cybersecurity-related recommendations in both current and past summary reports.
Zero Trust Architecture
The White House issued Executive Order 14028: Improving the Nation’s Cyber Security in May 2021. The EO mandates that federal agencies step up their cybersecurity measures and ensure software supply chain integrity by implementing zero trust architecture, including a directive to utilize multifactor authentication encryption. Zero trust amplifies the detection and identification of cyber threats on federal networks by adopting a government-wide endpoint detection and response system. Implementing cybersecurity event log requirements aims to foster better communication between federal government agencies.
As its name implies, zero trust architecture is built on a foundation of mistrust of every component along the cybersecurity supply chain. The zero trust security model exercises justifiable paranoia that nothing can be trusted until it has been verified to be trustworthy, and that everything is susceptible to internal and external threats.
In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an update to their Zero Trust Maturity Model (version 2) to further the federal government’s progress toward a zero trust approach to cybersecurity in support of the National Cybersecurity Strategy. The new model takes a gradient approach to the implementation of its five pillars — Identity, Devices, Network, Data, and Applications and Workloads — allowing agencies to make smaller advancements over time on their way toward zero trust architecture optimization.
Building Zero Trust
Although primarily designed for federal agencies, all organizations can benefit from CISA’s Zero Trust Maturity Model guidelines on the road to establishing their own zero trust architecture. Successful implementation compels every organization to finally take a closer look at its network and identify its unique requirements by:
- Defining the network that is being defended, including all endpoints, applications and users.
- Designing an organization-specific process and a system that protects the network. This system may be comprised of multiple tools, but they need work in concert and with the context of a structured plan to provide effective and actionable information.
- Establishing policies, procedures and accountable ownership for tasks.
- Maintaining, modifying, and monitoring the system to ensure the process is working.
- Constantly reviewing the process and modifying it to address newly defined risks.
Zero trust isn’t just a switch that can be turned on, and voilà, it’s done. Zero trust requires a structured and auditable process with a prescribed set of guidelines. For maximum impact, this management process should be automated, continuous, and repeatable. When it comes to cybersecurity, never trust; always verify.
Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent’s subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India, and Eracent Brazil LTDA). Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today’s complex and evolving IT environments. Eracent’s enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent’s client base includes some of the world’s largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks. Visit https://eracent.com/