Alyza Sebenius and Kartikay Mehrotra (Bloomberg) -- Researcher John Kindervag published a paper about a decade ago that argued administrators of sensitive computer networks shouldn’t trust anyone on their networks, regardless of their title.
It’s not good enough simply to try to keep bad guys out of your network, he argued. You also have to put strict limits on the people already inside, thus the shorthand for the security model: “zero trust.”
“People told me I was crazy,” Kindervag said of the 2010 report. But the cybersecurity approach has slowly gained followers over the years, as government agencies and private businesses have been continually pummeled by computer hacks.
Now, in the wake of two massive cyber-attacks that exposed glaring deficiencies in U.S. defenses, government officials and cybersecurity practitioners are saying zero trust may be the way to stop the cyber mayhem. In February, the National Security Agency issued guidance urging the owners of networks related to national security and critical infrastructure to adopt zero trust.
In many existing computer networks, once an individual has logged into the system, they can move freely and access information without further verification. It’s what some cybersecurity experts describe as a “castle and moat” approach, protecting perimeter security by investing in firewalls, proxy servers and other intrusion prevention tools and assuming activity inside the castle walls is mostly safe.
Zero trust takes a different approach, assuming that anyone that logs on is suspicious and preventing them from moving freely through the system -- such as accessing the other devices and networks connected to it -- without authenticating their credentials for each additional connection.
In other words, zero trust “reduces or prevents lateral movement and privilege escalation,” said George Kurtz, the chief executive officer of the cybersecurity firm Crowdstrike Holdings Inc., speaking at a February Congressional hearing.
The embrace of zero trust has occurred in part because of U.S. failures to prevent major breaches linked to Russia and China. For example, following the 2015 revelation that Chinese hackers had breached the U.S. Office of Personnel Management, stealing sensitive security clearance data on millions of Americans, a congressional report called for adding the zero trust model to government networks. But so far, more than a half a decade later, zero trust remains an aspirational goal across much of the U.S. government.
But calls for zero trust accelerated in recent months after suspected Russian hackers compromised popular software from Texas-based firm SolarWinds Corp. In that highly sophisticated attack, which was disclosed in December, the hackers inserted malicious code into updates for SolarWinds software, which was received by as many as 18,000 of its customers. At least nine government agencies and 100 private companies were targeted by the hackers for further infiltration.
The other major cyber-attack, disclosed this month and linked to China, exploited vulnerabilities in Microsoft Corp.’s software for email. Hackers used flaws in the code of Microsoft Exchange to break into tens of thousands of organizations, according to cybersecurity experts.
Zero trust may not have blocked the hacks, experts said, but they likely would have limited the damage. At the very least, the security measure would have have given the U.S. a better chance to detect the attackers’ movements, keeping them from traveling as freely across government and private sector networks.
At a March 18 hearing on the SolarWinds attack, U.S. Chief Information Security Officer Christopher DeRusha said he is working with U.S. government agencies to implement zero trust because it “prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident.” In addition, Microsoft, which has advocated for zero trust, found that targeted victims in the SolarWinds attack whose systems had embraced the model were more resilient following the attack, according to the company’s director of identity security, Alex Weinert.
Idan Plotnik, co-founder and chief executive officer of the Israeli cybersecurity startup Apiiro, recommends that organizations extend zero trust to their entire digital supply chain. Apiiro gives cyber defenders visibility inside the systems used by engineers to compile their software, called build systems. This is where suspected Russian hackers managed to embed malware inside SolarWinds’s Orion update system.
He suggests government agencies should do the same, requiring suppliers to establish persistent visibility inside these critical portions of their network -- like the build system -- as a way to head off hackers attempting to gain a foothold in the software supply chain before spreading malware.
But adopting a zero trust model can be costly and time consuming. In extreme instances, it may require organizations to rip out existing computer equipment and replace it -- to make certain there isn’t any malware hidden deep inside the network.
“If U.S. government investigators can’t pinpoint each agency’s exposure to the malware, it may be forced to assume that most every department within the federal government has been compromised. This scenario would produce the daunting, perhaps impossible task of purging all malware from federal networks,” said John Bambenek, a cybersecurity investigator. “Eradicating the Russian malware would require agencies to rip and replace their network infrastructure.”
But given the persistent threats from adversaries, the U.S. government may not have years to find a fix. As a result, a more likely outcome for its networks may be some sort of compromise, adding zero trust where possible and relying on less drastic cybersecurity fixes elsewhere, including encrypting data, fully staffing cyber positions and ensuring that only a small number of individuals have access to highly sensitive information.
“Zero trust is the buzzword du jour,” said James Lewis, who serves senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies. But he added that ripping out and replacing networks seems impractical. “We haven’t done the basics. So, why immediately go to the nuclear option?”
Since publishing his paper, Kindervag, who now works at the cybersecurity company On2it, which describes itself as “zero trust innovators,” has continued to promote his approach across the public and private sector. But he, too, recommends a gradual approach.
“You don’t secure a road by ripping out a road and putting a new road in. You figure out how to put stoplights in, or you figure out how to change the exit ramps,” he said. “We need to do the same thing with networks and not do things that will never happen--but do things that we can accomplish using the people and technologies we have today.”