Federal government agencies need to implement zero trust security architecture and work with private sector partners to improve supply chain security in the wake of the SolarWinds Orion hack that penetrated nine Federal networks and dozens more in the private sector, government and industry security experts said in a MeriTV interview.
The call to embrace zero trust and partner with the private sector came from Jeff Eisensmith, former chief information security officer for the Department of Homeland Security; Cameron Chehreh, Federal chief technology officer at Dell Technologies; and Alex Gounares, chief executive officer at Polyverse.
Embracing a New Way of Thinking
The current cybersecurity model needs to change to address evolving and increasingly sophisticated security threats that target supply chain and other vulnerabilities, Gounares said.
“The mental model the world has had for cybersecurity for last 20 years was one of perfection,” he said. “[But] fundamentally, the world is messy. There will be bugs, there will be errors, there will be supply chain attacks – our adversaries are quite sophisticated.”
As a result, he said, agencies need to take a zero trust approach to cybersecurity – one that assumes errors and attacks and helps agencies defend themselves accordingly.
“The bottom line is, the technologies exist today to defend our systems,” Gounares said. “We just have to take a different mindset of ‘let’s assume that there will be failures’ and deploy the intrinsic resilient technologies as opposed to reactive technologies.”
To carry out their missions, agencies must manage risk – not eliminate it, Chehreh agreed. “We need to know how to protect the information, we need to at least have good awareness of who and what is on the network, and then we do the best we can – from a risk management perspective – to protect the rest of the information assets. We’re going to see more of that strategy as we move forward.”
Partnering to Speed Cyber Intel
Public-private collaboration is essential to improving cyber defenses, Eisensmith said. In the classified arena, the process of identifying and communicating about threat vectors can be a lengthy one. The commercial sector, especially in financial services, is able to act much faster, he noted.
“I think that’s one of the main areas where the public and private sector need to mesh together a lot more closely,” he said.
Public-private partnership is gaining in importance, Chehreh said. “There has to be a better marriage” between the public and private sectors,” he said. “[Threat] information can move markets; it can change nation-state stability … I do commend our policymakers for the distinct focus they have today on public-private partnerships, but we still have a lot of work to do in that area.”
Shoring up the Software Supply Chain
The software supply chain is just as complex as any physical supply chain, whether agencies are using open source or proprietary code. But open source has some benefits for supply chain security, Gounares noted.
“Even though there are millions of contributors to open source … you have the ability to bring all of that in-house and have complete integrity of your systems and know literally every bit of software going into your solution,” he noted. “On top of that, if there are compromises, zero trust solutions provide a level of defense.”
Reducing supply chain and cyber risk in software development environments is one of the most difficult challenges agencies will ever face, Eisensmith observed. “It’s really not a fair fight if we individually have to vet, test, and certify that software is something that I can trust,” he said. “I’d like to see come out of legislation something along the lines of a certification lab [that would] tear apart software to a fine-grained level and identify that ‘Looking at this software in aggregate, we feel like it’s about 90 percent trustable, and these are the areas you need to spend more time on to get rid of bugs.’”
Making Wise Investments
At DHS, “the [cyber] kill chain – developed by Lockheed Martin years ago – gave me the ability to track and alert as compromises were beginning,” Eisensmith said. “I would track which links [in the chain] broke most often, and the ones that held the best. That helped me make investment decisions.”
For agencies or small organizations, however, “it’s not a fair fight to try to defend yourself in that type of environment,” he said. “You don’t have the personnel or the resources. The cloud-based environment being offered by CISA today for sharing expertise and tools … is going to get a lot of traction.”
Watch the full interview on MeriTV.