
Having a zero trust architecture in place is critical to defending against advanced cyber adversaries – particularly in highly contested environments, a senior State Department cybersecurity official said during a GDIT webinar on Aug. 12.
Gharun Lacy, deputy assistant secretary and assistant director of the Diplomatic Security Service for Cyber & Technology Security at the Department of State, urged organizations to approach zero trust through a holistic lens – tailoring it to their unique environments and ensuring interoperability among systems.
That effort, he said, must begin with a clear understanding of network assets, vulnerabilities, and the need for infrastructure modernization.
“Zero trust is designed for those environments,” Lacy said, referencing challenges such as unreliable connectivity and legacy systems. “When you become network agnostic, you’re better prepared for those things,” he said.
Ultimately, he said, zero trust’s effectiveness depends not only on its technical foundation but also on how well its value is communicated and adopted across both operational and administrative levels.
“We have to have an architecture that is built to go against those adversaries,” Lacy said. “And that’s what zero trust offers us the promise to be.”
That is especially important within the context of the State Department’s global footprint and the threat landscape that the agency operates in daily, Lacy explained. With over 270 locations in 150 countries, the State Department faces an array of persistent threats from sophisticated nation-state actors.
“Zero trust for us presents that natural, always-assumed breach segment off your [systems] to minimize any type of lateral movement from an actor,” Lacy said. “It inherently gives us the ability to know if a breach is here. This is where the breach only should be.”
With the State Department’s far-flung operations, Lacy emphasized that the widely dispersed nature of foreign policy work demands a security model that can detect and contain breaches quickly, even in remote or under-resourced environments.
Citing “the Big Four” nation-state threat actors – Russia, North Korea, China, and Iran – as the world’s top cyber adversaries, Lacy said that talent and response capabilities alone are not enough.
“It’s not good enough for us to have dedicated people [or] great response. We have to have an architecture that is built to go against those adversaries,” he said.
Still, implementing zero trust at scale remains a complex challenge, Lacy noted. Despite years of discussion and development, misunderstandings about the concept persist.
“It’s hard to administer a properly developed zero trust network,” he said. “It is a comprehensive concept. It’s not one tool; it’s not one principle. It’s a collection of principles. And in this particular space, we all tend to view a problem set through the lens of our specialty.”