Researcher John Kindervag published a paper about a decade ago that argued administrators of sensitive computer networks should not trust anyone on their networks, regardless of their title.
It is not good enough simply to try to keep bad guys out of your network, he said.
You also have to put strict limits on the people already inside, thus the shorthand for the security model: “zero trust,” he added.
“People told me I was crazy,” Kindervag said of the 2010 report.
However, the cybersecurity approach has slowly gained followers over the years, as government agencies and private businesses have been continually pummeled by computer hacks.
Now, in the wake of two massive cyberattacks that exposed glaring deficiencies in US defenses, government officials and cybersecurity practitioners are saying zero trust might be the way to stop the cybermayhem.
Last month, the US National Security Agency issued guidance urging the owners of networks related to national security and critical infrastructure to adopt zero trust.
In many existing computer networks, once an individual has logged into the system, they can move freely and access information without further verification. It is what some cybersecurity experts describe as a “castle-and-moat” approach, protecting perimeter security by investing in firewalls, proxy servers, and other intrusion prevention tools and assuming activity inside the castle walls is mostly safe.
SOLARWINDS HACK
Zero trust takes a different approach, assuming that anyone that logs on is suspicious and preventing them from moving freely through the system — such as accessing the other devices and networks connected to it — without authenticating their credentials for each additional connection.
In other words, zero trust “reduces or prevents lateral movement and privilege escalation,” said George Kurtz, CEO of the cybersecurity firm Crowdstrike Holdings Inc, speaking at a Congressional hearing last month.
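To make the contrast between the two models concrete, the following added example (not from the article or from any vendor named in it) evaluates the same constructed access requests under a perimeter-style rule and a per-request zero trust rule; the address range, users, devices and resources are all made-up sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "castle" address range: the perimeter model trusts anything inside it.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed entitlements (who may reach which resource) and managed-device inventory.
ENTITLEMENTS = {"alice": {"hr-db"}, "bob": {"build-server"}}
MANAGED_DEVICES = {"laptop-alice-01", "laptop-bob-01"}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    device_id: str
    session_verified: bool  # did the session re-authenticate for this hop?
    resource: str


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: once inside the network, every request is allowed."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust(req: Request) -> bool:
    """Per-connection model: each hop re-checks identity, device posture and entitlement."""
    if not req.session_verified:
        return False  # no fresh authentication for this connection
    if req.device_id not in MANAGED_DEVICES:
        return False  # unknown or unmanaged endpoint, regardless of its IP
    return req.resource in ENTITLEMENTS.get(req.user, set())


def evaluate(reqs):
    """Return (user, resource, castle_decision, zero_trust_decision) per request."""
    return [(r.user, r.resource, castle_and_moat(r), zero_trust(r)) for r in reqs]


# Constructed sample traffic: one legitimate inside request, one lateral-move attempt,
# one use of stolen credentials from an unmanaged inside host, one legitimate remote user.
SAMPLE = [
    Request("alice", "10.1.2.3", "laptop-alice-01", True, "hr-db"),
    Request("alice", "10.1.2.3", "laptop-alice-01", True, "build-server"),
    Request("bob", "10.9.9.9", "unknown-box", False, "build-server"),
    Request("bob", "203.0.113.5", "laptop-bob-01", True, "build-server"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

The perimeter rule admits the lateral move and the unmanaged inside host while rejecting the legitimate remote user; the per-request rule does the opposite, which is the "reduces or prevents lateral movement" effect the article describes.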
The embrace of zero trust has occurred in part because of US failures to prevent major breaches linked to Russia and China. For example, following the 2015 revelation that Chinese hackers had breached the US Office of Personnel Management, stealing sensitive security clearance data on millions of Americans, a congressional report called for adding the zero trust model to government networks. More than half a decade later, zero trust remains an aspirational goal across much of the US government.
However, calls for zero trust accelerated in the past few months after suspected Russian hackers compromised popular software from Texas-based firm SolarWinds Corp.
In that highly sophisticated attack, which was disclosed in December, the hackers inserted malicious code into updates for SolarWinds software, which was received by as many as 18,000 of its customers. At least nine government agencies and 100 private companies were targeted by the hackers for further infiltration.
The other major cyberattack, disclosed this month and linked to China, exploited vulnerabilities in Microsoft Corp’s software for e-mail. Hackers used flaws in the code of Microsoft Exchange to break into tens of thousands of organizations, cybersecurity experts said.
Zero trust may not have blocked the hacks, but it likely would have limited the damage, experts said. At the very least, the security measure would have given the US a better chance to detect the attackers’ movements, keeping them from traveling as freely across government and private sector networks.
PERSISTENT VISIBILITY
At a March 18 hearing on the SolarWinds attack, US Chief Information Security Officer Christopher DeRusha said he is working with US government agencies to implement zero trust because it “prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident.”
In addition, Microsoft, which has advocated for zero trust, found that targeted victims in the SolarWinds attack whose systems had embraced the model were more resilient following the attack, the company’s director of identity security Alex Weinert said.
Idan Plotnik, cofounder and CEO of the Israeli cybersecurity start-up Apiiro, recommends that organizations extend zero trust to their entire digital supply chain.
Apiiro gives cyberdefenders visibility inside the systems used by engineers to compile their software, called build systems. This is where suspected Russian hackers managed to embed malware inside SolarWinds’ Orion update system.
He suggested that government agencies should do the same, requiring suppliers to establish persistent visibility inside these critical portions of their network — like the build system — as a way to head off hackers attempting to gain a foothold in the software supply chain before spreading malware.
However, adopting a zero trust model can be costly and time consuming. In extreme instances, it might require organizations to rip out existing computer equipment and replace it — to make certain there is not any malware hidden deep inside the network.
“If US government investigators can’t pinpoint each agency’s exposure to the malware, it may be forced to assume that most every department within the federal government has been compromised. This scenario would produce the daunting, perhaps impossible task of purging all malware from federal networks,” cybersecurity investigator John Bambenek said. “Eradicating the Russian malware would require agencies to rip and replace their network infrastructure.”
However, given the persistent threats from adversaries, the US government might not have years to find a fix. As a result, a more likely outcome for its networks might be some sort of compromise, adding zero trust where possible and relying on less drastic cybersecurity fixes elsewhere, including encrypting data, fully staffing cyberpositions and ensuring that only a small number of individuals have access to highly sensitive information.
“Zero trust is the buzzword du jour,” said James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies.
However, ripping out and replacing networks seems impractical, he added.
“We haven’t done the basics. So, why immediately go to the nuclear option?” he said.
Since publishing his paper, Kindervag, who now works at the cybersecurity company On2it, which describes itself as “zero trust innovators,” has continued to promote his approach across the public and private sector.
He, too, recommends a gradual approach.
“You don’t secure a road by ripping out a road and putting a new road in. You figure out how to put stoplights in, or you figure out how to change the exit ramps,” he said. “We need to do the same thing with networks and not do things that will never happen — but do things that we can accomplish using the people and technologies we have today.”