With the White House implementing a “zero trust” architecture strategy to improve the US government’s cyber security protocols, cyber security analysts Gary Kinghorn and Brian Hay explore whether Australia should follow the US’ lead.
In late January, the White House published the final version of its zero-trust architecture strategy, which is intended to substantially improve the cyber security of US government agency systems by the end of FY 2024.
The final plan comes after the US Office of Management and Budget last September published a draft zero trust document that identified top cyber security priorities, including the consolidation of agency identity systems and treating all internal networks as untrusted. The latest plan moves agencies further towards fulfilling the requirement included in the cyber security executive order issued last May by President Biden.
Key aspects of the first-of-its-kind move include a new enhanced focus on multi-factor authentication, a requirement that all government agencies move towards encrypting all DNS requests and HTTP traffic, and a commencement of agencies segmenting their network perimeters into separate, isolated environments.
Oftentimes the US leads, and the rest of the world follows. So, why has the US gone down this route and what should Australia do now that it’s put this cyber stake in the ground?
Why zero trust is important
Social engineering is based upon the premise of garnering trust, and despite all the advancements in cyber crime and cyber crime prevention, earning people’s trust has remained a cyber criminal’s greatest weapon.
Tactics such as email phishing remain alarmingly successful, and increasing sophistication means cyber criminals can better impersonate customers, superiors, partners or whoever else they need to masquerade as in order to earn – and then break – that trust. The issue has been further exacerbated with more staff working remotely, making it harder to get a quick sanity check from a colleague on whether an email looks suspicious.
So, moving towards zero trust, which designs IT systems to require all internal and external users to be authenticated, authorised and continuously validated, does have the potential to change organisational cyber security culture, thereby bolstering “human resilience” to this threat.
The US is making ambitious strides to make this work – there are a series of near-term deadlines for agencies to meet, and four years to “zero trust” is an uphill battle because it demands significant disruption to existing network policies and many changes to how access is granted. Most infrastructure is designed under the old “castle-and-moat” security model, in which anything that reaches the internal network is trusted, so overhauling that to zero trust will take a lot of work, and a lot of funding.
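To make the contrast between the two models concrete, the following is an added example (not code from the article, nor from any US agency or vendor) that evaluates the same access requests under a castle-and-moat rule and under a zero-trust rule. The internal network range, the 15-minute re-validation window, the principal-to-resource mapping and the sample requests are all constructed assumptions for the example; the point is that the zero-trust decision ignores network location and instead checks identity, second factor, device posture, session freshness and least-privilege authorisation on every request, denying by default and naming the failed check so the decision can be logged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed values for the example: the "inside" range a perimeter model trusts,
# and how long a zero-trust session may go without being re-checked.
INTERNAL_NET = ip_network("10.0.0.0/8")
MAX_SESSION_AGE = timedelta(minutes=15)

# Assumed least-privilege mapping of principal -> resources they may reach.
ACCESS_POLICY = {
    "alice@agency.example": frozenset({"payroll-db", "hr-portal"}),
    "bob@agency.example": frozenset({"hr-portal"}),
}


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]        # authenticated principal, None if not authenticated
    mfa_verified: bool         # second factor presented for this session
    device_compliant: bool     # endpoint passed posture checks (managed, patched)
    last_validated: datetime   # when identity and posture were last re-checked
    resource: str              # what the request is for


def perimeter_decision(req: Request, now: datetime) -> Tuple[bool, str]:
    """Castle-and-moat: whoever reaches the internal network is trusted.

    Identity, MFA and device state are never consulted, so a phished VPN
    login or a compromised internal host gets the same access as staff.
    """
    if ip_address(req.source_ip) in INTERNAL_NET:
        return True, "inside_perimeter"
    return False, "outside_perimeter"


def zero_trust_decision(req: Request, now: datetime) -> Tuple[bool, str]:
    """Zero trust: authenticate, authorise and re-validate every request.

    Network location is not an input; the default is deny, and the first
    check that fails is named so the decision can be logged and investigated.
    """
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa_verified:
        return False, "mfa_required"
    if not req.device_compliant:
        return False, "device_noncompliant"
    if now - req.last_validated > MAX_SESSION_AGE:
        return False, "revalidation_required"
    if req.resource not in ACCESS_POLICY.get(req.user, frozenset()):
        return False, "not_authorised"
    return True, "allowed"


# Constructed sample requests (not real traffic) evaluated under both models.
NOW = datetime(2022, 2, 1, 9, 0, tzinfo=timezone.utc)

PHISHED_INSIDER = Request(       # attacker on the LAN with a stolen password
    source_ip="10.20.30.40", user="alice@agency.example", mfa_verified=False,
    device_compliant=False, last_validated=NOW, resource="payroll-db",
)
REMOTE_WORKER = Request(         # legitimate staff member working from home
    source_ip="203.0.113.7", user="alice@agency.example", mfa_verified=True,
    device_compliant=True, last_validated=NOW - timedelta(minutes=5),
    resource="payroll-db",
)
STALE_SESSION = Request(         # same staff member, session not re-checked
    source_ip="203.0.113.7", user="alice@agency.example", mfa_verified=True,
    device_compliant=True, last_validated=NOW - timedelta(hours=2),
    resource="payroll-db",
)
OVERREACH = Request(             # authenticated user asking beyond their role
    source_ip="10.20.30.41", user="bob@agency.example", mfa_verified=True,
    device_compliant=True, last_validated=NOW, resource="payroll-db",
)


def compare(req: Request, now: datetime = NOW) -> dict:
    """Return both models' decisions for one request, for logging or review."""
    return {"perimeter": perimeter_decision(req, now),
            "zero_trust": zero_trust_decision(req, now)}


if __name__ == "__main__":
    for name, req in [("phished insider", PHISHED_INSIDER),
                      ("remote worker", REMOTE_WORKER),
                      ("stale session", STALE_SESSION),
                      ("overreach", OVERREACH)]:
        print(f"{name:16} {compare(req)}")
```

Run as a script, it prints both decisions for each constructed request: the perimeter rule lets the phished insider and the over-reaching user through simply because they are on the 10.0.0.0/8 range, and blocks the legitimate remote worker; the zero-trust rule reverses all three outcomes and additionally forces the stale session to re-verify. In a real deployment the identity, MFA and device-compliance inputs would come from the identity provider and endpoint management system rather than from fields on the request, and the decision reasons would be shipped to the SIEM.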
Australia would face similar hurdles in moving to zero trust. At this early stage, the specifications outlined by the White House are not well tuned for a diverse set of applications and environments and may yet prove more costly than the benefit warrants.
So, there is logic in the Australian government taking a wait-and-see approach, to see how the benefits stack up against the costs and what can realistically be achieved. It can also see if, and how, the US government applies this same model and requirements to energy, electric utilities, transportation and other critical infrastructure. These industries carry the same, and in some cases higher, risk of major disruption if taken down.
Australia could also seek local guidance before making any commitments – the Australian Cyber Security Centre (ACSC) has yet to analyse and provide recommendations on a zero-trust approach, and we’re yet to see that approach be widely adopted in the commercial sector.
To that end, commercial and government critical infrastructure providers could also be offered incentives to spend on enhanced security for critical infrastructure, without specifying a particular technology or security model. This would enable the market to bring forward the best solutions to keeping our most valued assets secure.
On the other hand, too much time in wait-and-see mode against adversaries (cyber criminals) who are well versed, constantly evolving and aware of how best to compromise our most important assets carries risks of its own.
Cyber security defence has by nature been reactive – plugging holes as they’re identified – rather than proactive, and we could argue the US government is making a play to take a new direction in cyber security. The Australian government also has a lot to finalise in its own cyber priorities – the Cyber Security Strategy 2020, streamlining (or updating) the Essential Eight, and the Security of Critical Infrastructure (SOCI) Amendment Bill.
Given these priorities, it’s unlikely that the government will mandate a drastic change of course to now centre on zero trust. But that doesn’t mean it shouldn’t be keeping a close eye on what’s happening across the ocean. The White House would not have made this decision lightly, nor without extensive expert consultation and consideration of enormous volumes of cyber crime intelligence.
The change management required for agencies and organisations supplying those agencies will be a huge burden to overcome – but you can’t improve if you don’t change, and change is an absolute necessity in the face of an overwhelmingly effective adversary.
Gary Kinghorn is senior director for industrial cyber security and operational technology company Nozomi Networks, and Brian Hay is executive director for cyber security culture consulting firm Cultural Cyber Security.