Researcher John Kindervag published a paper about a decade ago that argued administrators of sensitive computer networks should not trust anyone on their networks, regardless of their title.
It is not good enough simply to try to keep bad guys out of your network, he said.
You also have to put strict limits on the people already inside, thus the shorthand for the security model: “zero trust,” he added.
“People told me I was crazy,” Kindervag said of the 2010 report.
However, the cybersecurity approach has slowly gained followers over the years, as government agencies and private businesses have been continually pummeled by computer hacks.
Now, in the wake of two massive cyberattacks that exposed glaring deficiencies in US defenses, government officials and cybersecurity practitioners are saying zero trust might be the way to stop the cybermayhem.
Last month, the US National Security Agency issued guidance urging the owners of networks related to national security and critical infrastructure to adopt zero trust.
In many existing computer networks, once an individual has logged into the system, they can move freely and access information without further verification. It is what some cybersecurity experts describe as a “castle-and-moat” approach: investing in firewalls, proxy servers and other intrusion prevention tools to protect the perimeter, and assuming activity inside the castle walls is mostly safe.
SOLARWINDS HACK
Zero trust takes a different approach, assuming that anyone who logs on is suspicious and preventing them from moving freely through the system — such as accessing the other devices and networks connected to it — without authenticating their credentials for each additional connection.
In other words, zero trust “reduces or prevents lateral movement and privilege escalation,” said George Kurtz, CEO of the cybersecurity firm Crowdstrike Holdings Inc, speaking at a Congressional hearing last month.
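The difference between the two models described above, as an added illustration that is not code from the article or from any vendor it mentions: a toy Python policy engine in which the perimeter model checks a session once, while the zero-trust model re-evaluates identity, device posture and an explicit least-privilege grant on every connection and logs each denial. Every user, device, host and policy entry is a constructed example.

```python
"""Toy access-decision engine contrasting a perimeter ("castle-and-moat")
model with per-request zero-trust evaluation.  Added illustration, not code
from the article or from any vendor; every user, device, host and policy
entry below is a constructed example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Request:
    user: str       # principal the session claims to be
    device: str     # device presenting the connection
    resource: str   # internal service being asked for
    action: str     # "read" or "admin"


@dataclass
class Environment:
    # Hypothetical inventory of devices that passed posture checks.
    compliant_devices: Set[str] = field(
        default_factory=lambda: {"laptop-alice", "ci-runner-7"})
    # Hypothetical least-privilege policy: principal -> resource -> actions.
    policy: Dict[str, Dict[str, Set[str]]] = field(default_factory=lambda: {
        "alice": {"wiki": {"read"}, "hr-db": {"read"}},
        "svc-build": {"artifact-store": {"read", "admin"}},
    })
    audit: List[str] = field(default_factory=list)


def perimeter_model(session_authenticated: bool, req: Request, env: Environment) -> bool:
    """Castle-and-moat: one check at the VPN/firewall; anything inside is trusted."""
    decision = session_authenticated
    env.audit.append(f"perimeter {req.user}@{req.device} -> {req.resource}:{req.action} "
                     f"{'ALLOW' if decision else 'DENY'}")
    return decision


def zero_trust_model(token_valid: bool, req: Request, env: Environment) -> bool:
    """Re-evaluate every connection: identity, device posture and an explicit grant.
    Default is deny; every denial reason is recorded so defenders can detect the attempt."""
    reasons = []
    if not token_valid:
        reasons.append("identity not verified")
    if req.device not in env.compliant_devices:
        reasons.append("device not compliant")
    allowed = env.policy.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed:
        reasons.append("no policy grant")
    decision = not reasons
    env.audit.append(f"zero-trust {req.user}@{req.device} -> {req.resource}:{req.action} "
                     f"{'ALLOW' if decision else 'DENY ' + ', '.join(reasons)}")
    return decision


def lateral_movement_scenario() -> Dict[str, object]:
    """Two connections: a legitimate one, and one from a compromised build
    service account pivoting from an unmanaged box toward the HR database."""
    env = Environment()
    legit = Request("alice", "laptop-alice", "wiki", "read")
    pivot = Request("svc-build", "attacker-box", "hr-db", "admin")
    # The attacker holds valid credentials, so both models see the session as
    # authenticated; only the per-request checks differ.
    return {
        "perimeter_legit": perimeter_model(True, legit, env),
        "perimeter_pivot": perimeter_model(True, pivot, env),
        "zero_trust_legit": zero_trust_model(True, legit, env),
        "zero_trust_pivot": zero_trust_model(True, pivot, env),
        "audit": env.audit,
    }


if __name__ == "__main__":
    for line in lateral_movement_scenario()["audit"]:
        print(line)
```

In the scenario the stolen service-account session passes the perimeter check and reaches the HR database, whereas the zero-trust check denies it twice over (unmanaged device, no grant) and leaves an audit line that a detection rule can alert on; the legitimate request is allowed by both.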
The embrace of zero trust has occurred in part because of US failures to prevent major breaches linked to Russia and China. For example, following the 2015 revelation that Chinese hackers had breached the US Office of Personnel Management, stealing sensitive security clearance data on millions of Americans, a congressional report called for adding the zero trust model to government networks. More than half a decade later, zero trust remains an aspirational goal across much of the US government.
However, calls for zero trust accelerated in the past few months after suspected Russian hackers compromised popular software from Texas-based firm SolarWinds Corp.
In that highly sophisticated attack, which was disclosed in December, the hackers inserted malicious code into updates for SolarWinds software, which was received by as many as 18,000 of its customers. At least nine government agencies and 100 private companies were targeted by the hackers for further infiltration.
The other major cyberattack, disclosed this month and linked to China, exploited vulnerabilities in Microsoft Corp’s software for e-mail. Hackers used flaws in the code of Microsoft Exchange to break into tens of thousands of organizations, cybersecurity experts said.
Zero trust may not have blocked the hacks, but it likely would have limited the damage, experts said. At the very least, the model would have given the US a better chance to detect the attackers’ movements, keeping them from traveling as freely across government and private sector networks.
PERSISTENT VISIBILITY
At a March 18 hearing on the SolarWinds attack, US Chief Information Security Officer Christopher DeRusha said he is working with US government agencies to implement zero trust because it “prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident.”
In addition, Microsoft, which has advocated for zero trust, found that targeted victims in the SolarWinds attack whose systems had embraced the model were more resilient following the attack, the company’s director of identity security Alex Weinert said.
Idan Plotnik, cofounder and CEO of the Israeli cybersecurity start-up Apiiro, recommends that organizations extend zero trust to their entire digital supply chain.
Apiiro gives cyberdefenders visibility inside the systems used by engineers to compile their software, called build systems. This is where suspected Russian hackers managed to embed malware inside SolarWinds’ Orion update system.
He suggested that government agencies should do the same, requiring suppliers to establish persistent visibility inside these critical portions of their network — like the build system — as a way to head off hackers attempting to gain a foothold in the software supply chain before spreading malware.
However, adopting a zero trust model can be costly and time consuming. In extreme instances, it might require organizations to rip out existing computer equipment and replace it — to make certain there is not any malware hidden deep inside the network.
“If US government investigators can’t pinpoint each agency’s exposure to the malware, it may be forced to assume that most every department within the federal government has been compromised. This scenario would produce the daunting, perhaps impossible task of purging all malware from federal networks,” cybersecurity investigator John Bambenek said. “Eradicating the Russian malware would require agencies to rip and replace their network infrastructure.”
However, given the persistent threats from adversaries, the US government might not have years to find a fix. As a result, a more likely outcome for its networks might be some sort of compromise, adding zero trust where possible and relying on less drastic cybersecurity fixes elsewhere, including encrypting data, fully staffing cyberpositions and ensuring that only a small number of individuals have access to highly sensitive information.
“Zero trust is the buzzword du jour,” said James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies.
However, ripping out and replacing networks seems impractical, he added.
“We haven’t done the basics. So, why immediately go to the nuclear option?” he said.
Since publishing his paper, Kindervag, who now works at the cybersecurity company On2it, which describes itself as “zero trust innovators,” has continued to promote his approach across the public and private sector.
He, too, recommends a gradual approach.
“You don’t secure a road by ripping out a road and putting a new road in. You figure out how to put stoplights in, or you figure out how to change the exit ramps,” he said. “We need to do the same thing with networks and not do things that will never happen — but do things that we can accomplish using the people and technologies we have today.”