Successful implementation of zero-trust architecture in the federal government will take “more than procuring new hardware and software” and require surmounting multiple budgetary, bureaucratic and cultural hurdles at different agencies, a national security think tank concluded in a report released Wednesday.
According to U.S. officials, civilian agencies have made a fair amount of early progress thus far meeting the Biden administration’s mandates around zero trust issued in executive order 14028 and other directives over the past two years. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, has said that approximately 90% of the federal government’s endpoints have been identified, while Executive Director Eric Goldstein said last month that endpoint detection and response technologies were being deployed at 26 agencies, with plans to begin work for at least 53 agencies — or half the federal civilian government — by the end of the fiscal year, and that multi-factor authentication protocols have been put in place at “every agency with the capacity to deploy” it.
This week, the Center for Strategic and International Studies released a report that takes a hard look at the implementation challenges surrounding this massive effort, which includes things like implementing encryption, multi-factor authentication and improved logging that should have been done years ago.
“The right time [to do this] was eight or 10 years ago, but the second-best time is now so I think we have to get started on this effort,” said Michael Daniel, former White House cyber coordinator, during a panel event arranged by CSIS.
Good intentions don't fix poor execution
The research was led by three members with first-hand experience navigating the federal cyber bureaucracy: Suzanne Spaulding, who led CISA’s predecessor agency, the National Programs and Protection Directorate; James Lewis, a former diplomat who helped lead U.S. negotiations for the Wassenaar Agreement and worked on technology and arms control issues; and Emily Harding, who worked as an analyst for the CIA and helped lead the Senate Select Committee on Intelligence’s investigation into Russian election interference and hack-and-leak operations during the 2016 elections.
Those experiences provide a sheen of legitimacy to the report’s conclusions. The report is less concerned with the decision to implement zero trust in government than with the numerous bureaucratic and legacy technology issues that will make real change so difficult.
“We are all former U.S. government officials, so we all know the intent can be very good, but then we get lost in the execution,” said Harding.
For example, cybersecurity executive order 14028 requires agencies to add new language to third-party contracts mandating the collection and preservation of cybersecurity data, namely threat monitoring and incident response data gleaned from breaches. While both the federal government and its base of contractors are generally on the same page about the need for higher standards and better communication, vendors have traditionally been reluctant to hand over that kind of data to the government.
“These data-sharing requirements are often unpopular within industry because they are viewed as burdensome and may reveal vulnerabilities that commercial companies do not want to share with the government or of which the companies themselves are often unaware,” the authors note. “These are necessary steps in moving toward [zero trust], but government needs to anticipate and create policies and legislation to further mitigate these concerns and incentivize sharing.”
Funding this transition, as well as the work of CISA, the Office of Management and Budget, the Office of the National Cyber Director and others to coordinate and oversee it, will not be cheap. The extra $400 million House appropriators are seeking to add to CISA’s $2.5 billion budget and other investments should serve as a down payment on those efforts.
Not surprisingly, the report finds that building a modern zero trust security architecture across the federal government will require a sustained effort to retire older technologies and software systems that agencies have relied on for decades. Previous attempts to work with agencies to identify every device running the vulnerable Windows 7 operating system, or even just to do asset inventory, revealed some fairly fundamental gaps in agency visibility and awareness of their assets and their vulnerabilities.
Lewis put at least some of the blame on Congress, which has historically loved dragging agency chief information officers over the coals in oversight hearings for cybersecurity or modernization shortfalls, only to turn around and refuse to provide them with anything more than patchwork funding to fix their problems and replace legacy IT. More recently, under the Biden administration, existing programs like the Technology Modernization Fund have received more robust funding and been increasingly targeted at cybersecurity and zero trust solutions. But the failure of previous Congresses to prioritize the issue, together with patchwork funding, has resulted in the federal government getting lapped again in the technology space.
“We could have been able to get around this. It’s taken them so long to upgrade and modernize that we’re now at a completely different architecture, which is cloud architecture,” said Lewis.
Unified action, disparate authorities
Congress will also need to perform effective oversight to keep agencies on track to meet the administration’s 2024 timeline for completion in an environment where jurisdiction and authority over cybersecurity are spread out across 80-100 committees. The possibility that one or both houses might flip to Republican control next year could add further gridlock to the process.
“We have a tension here, because part of what we also need to do is make sure Congress really gets it that this is a multi-year effort and that they can’t be demanding [at the end of this year] ‘Why haven’t you migrated completely to a zero-trust architecture yet?’” said Spaulding.
The federal government is notoriously slow-moving and generally abhors big changes and disruption. Even a successful shift to zero trust will be significantly disruptive. As SC Media reported earlier this year, each agency’s plan will probably look different as they navigate their own legacy technology environment and how quickly they can transition without significantly disrupting core mission delivery.
“There is no single federal government [and we’ve had long discussions] about where are the levers of control to get different agencies to actually do something because they’re not all gonna move at the same pace,” said Lewis.
Jeannette Manfra, who was assistant director for cybersecurity at CISA before leaving for a position at Google in 2019, said her experience on the ground floor leading the agency's efforts to begin leveraging binding operational directives and other mandates to force cybersecurity changes at other agencies taught her the value of patience and of avoiding the urge to bite off more than you can chew.
“It’s a lot of baby steps, one of the biggest risks is you launch something and it’s not ready,” said Manfra. “So just really starting quite small, identify … those populations of users that you’re going to test this with … and have a very sort of methodical approach to making sure that you’re identifying issues throughout the whole journey. Because you’re going to find things in a transition to any new sort of capability, you’re going to uncover things that you didn’t know existed.”
Of course, the federal government likely won’t be able to manage the transition if it doesn’t have enough cybersecurity talent on hand to do the ground-level work. On this front, despite the myriad statements and programs the federal government has rolled out in recent years, Lewis lamented that “we’re not serious about our workforce” and that the U.S. is “not going to get there using the traditional means.”
He pointed to efforts by the U.S. military during World War II to train an entire generation of pilots to compete with Germany, Japan and others for dominance of the skies. There is no comparable effort on the part of policymakers for cybersecurity, while shortages and competition with the private sector for qualified workers only continue to grow.
“You need to create a pipeline, you need to put untrained bodies at the front, and you need to have pilots come out the other end, and you need to do that at scale and we’re not doing that,” he said.