Janie Slaven: LEFT TO MY OWN DEVICES: Trust me, the Defense Department will be secured

Nov. 30—The topic of my weekly yammering is not one, on its face, that I enjoy discussing. In the cybersecurity realm it's entirely acceptable and I wholly grasp its importance and even its label. Still, what we call it is hard to type, say, or even think about. I am invoking the phrase-of-art known as the zero trust security model.

I hate to even conceive of zero trust. It's antithetical to my very persona, one that defaults to a position of trust and awaits another person's proving me wrong. Generally, only then will my distrust creep in. I start from the point at which I would like others to begin when first interacting with me: inherent trust. To approach any of life's problems, here those surrounding security and privacy threats, in the spirit of zero trust feels dystopian, to be melodramatic, or cynical at least.

The zero trust model isn't new, especially in terms of technology's evolution. The phrase goes back to Stephen Paul Marsh's 1994 doctoral thesis on formalizing trust as a computational concept, which took all my sentimental gobbledygook (ethics and morals, for example) out of the security factor of trust and drove it into a purely objective, mathematical view; Forrester analyst John Kindervag later popularized it as a network security model in 2010. Under that view, trust can be neither proven nor presumed, which leaves us with zero of it to consider when deriving security solutions and otherwise mitigating risk.

During the past four to six years I've been treated to more frequent uses of the phrase "zero trust," especially in federal government agency security talks. The Department of Commerce produces cybersecurity guidance through its National Institute of Standards and Technology, and NIST Special Publication 800-207, Zero Trust Architecture, published in August 2020, defines the concept and lays out the architecture governmental systems should adhere to; a May 2021 executive order (EO 14028) then directed federal civilian agencies to move toward that architecture. In that arena, with all its hyper-sensitive national security dealings, I can start to see a place for zero trust, though I still want to have trust in others.

I get it, though. During the Reagan presidency, we heard the Russian proverb "Trust, but verify" somewhat regularly. Others in governmental service, and elsewhere, have relied on the sage saying. To me, once the "but" comes in, the trust is already being eroded. Then there's another adage much more obviously in line with a zero trust approach: DTA ... don't trust anyone. I lament it as I do zero trust, as the two are pretty much one and the same. These, despite my lament, seem to be prudent when it comes to national security, or even your own personal privacy and security. How many people would you entrust your login credentials to? Might your own passwords fall under a zero trust model? If so, then certainly governmental systems should be architected with that level of control.

There are two main facets to a zero trust approach. First, every request for access, from every user and every device, whether the requester works inside the organization or outside it, and however peerless their authority or reputation seems, must be authenticated and authorized before it is granted. And this is continuous: verification happens per request or per session, not once at login and then never again. There's no room for the, "Oh ... c'mon. We've been working together for years. You know me. Just this once let me check my Gmail on your machine since I left my access card in the car."

The other main component is to assume that the network has no bounds, or, put more precisely, that arriving from a particular network earns a request no trust at all. With the limitless complexity of interconnected systems and networks, we must not take comfort in something "only moving through our own network." Nope. Networks are in-house, and I mean in our homes, from the personal user's perspective, or in-house as being a business's own network, but digital communications know no bounds. The cloud opens up strata of unknown locations for data. The portability of devices and the millions of internet hot spots compound the issue. The only surefire way to effectively understand where your ones and zeroes are, and where they go, is to assume they're everywhere all the time. I've seen hackers use light, magnetics, and other environmental ploys to access even disconnected hardware.

Building a system so that everyone must be authenticated, all the time, and designing defenses on the premise that a network has no edges: together these form the building blocks of a zero trust system. NIST's version adds a few more tenets, notably granting each request only the least privilege it needs for that one resource, checking the health of the device making the request, and continuously monitoring the outcome, but the two above are the heart of it.
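The two facets above, as an added example that is not code from the column, from NIST SP 800-207, or from DoD: a toy policy decision point in Python that judges each request on its own merits, insists the credential be fresh and the device healthy, authorizes per resource, and never consults the source network. It is placed beside a legacy "inside the perimeter" rule so the difference in verdicts is visible. Every name, access table, time value and sample request below is constructed for the illustration.

```python
# Added illustration: per-request zero trust decisions versus a perimeter rule.
# Not code from the column, NIST SP 800-207, or DoD. All policy data, identifiers
# and sample requests are constructed (assumed) for the example.
from dataclasses import dataclass
import ipaddress

NOW = 1_700_000_000          # fixed "current time" so the example is deterministic
MAX_TOKEN_AGE = 600          # seconds a verified session stays fresh before re-authentication

# Constructed policy data (assumed, not from any real deployment).
RESOURCE_ACL = {
    "hr/payroll": {"alice"},
    "eng/build-logs": {"alice", "bob"},
}
MANAGED_DEVICES = {"laptop-001", "laptop-002"}
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Request:
    subject: str        # who is asking
    device_id: str      # what they are asking from
    source_ip: str      # where the packets came from
    resource: str       # what they want
    token: dict         # claims from an already signature-checked credential (assumed)
    posture: dict       # device health attested by an endpoint agent (assumed)


def perimeter_decide(req: Request) -> tuple[bool, str]:
    """Legacy castle-and-moat rule: anything on the internal range is trusted outright."""
    if ipaddress.ip_address(req.source_ip) in CORPORATE_NET:
        return True, "inside the perimeter; no further checks"
    return False, "outside the perimeter"


def zero_trust_decide(req: Request, now: int = NOW) -> tuple[bool, str]:
    """Evaluate one request; nothing is carried over from earlier decisions.

    req.source_ip is deliberately never read: network location is not a boundary.
    """
    tok = req.token
    # 1. Authenticate the subject on this request and insist the credential is fresh.
    if tok.get("sub") != req.subject:
        return False, "credential does not belong to the requester"
    if not tok.get("mfa"):
        return False, "multi-factor authentication required"
    if now - tok.get("iat", 0) > MAX_TOKEN_AGE:
        return False, "credential stale; re-authenticate"
    # 2. Authenticate the device and check its current posture.
    if req.device_id not in MANAGED_DEVICES:
        return False, "unmanaged device"
    if not (req.posture.get("disk_encrypted") and req.posture.get("patched")):
        return False, "device posture failed"
    # 3. Least privilege: authorize this subject for this one resource only.
    if req.subject not in RESOURCE_ACL.get(req.resource, set()):
        return False, "not authorized for resource"
    return True, "allowed for this request only"


# Constructed sample traffic.
# A long-time colleague on the office LAN, holding a credential minted two hours ago,
# on a managed laptop that has not been patched.
OFFICE_STALE = Request(
    subject="bob", device_id="laptop-002", source_ip="10.20.30.40",
    resource="eng/build-logs",
    token={"sub": "bob", "mfa": True, "iat": NOW - 7200},
    posture={"disk_encrypted": True, "patched": False},
)
# The same person at a coffee shop, freshly authenticated with MFA on a healthy managed laptop.
COFFEE_SHOP_FRESH = Request(
    subject="bob", device_id="laptop-002", source_ip="203.0.113.7",
    resource="eng/build-logs",
    token={"sub": "bob", "mfa": True, "iat": NOW - 30},
    posture={"disk_encrypted": True, "patched": True},
)
# Same fresh session, asking for a resource bob is not entitled to.
COFFEE_SHOP_PAYROLL = Request(
    subject="bob", device_id="laptop-002", source_ip="203.0.113.7",
    resource="hr/payroll",
    token={"sub": "bob", "mfa": True, "iat": NOW - 30},
    posture={"disk_encrypted": True, "patched": True},
)


def compare(req: Request) -> dict:
    """Return both models' verdicts for one request."""
    return {"perimeter": perimeter_decide(req), "zero_trust": zero_trust_decide(req)}


if __name__ == "__main__":
    for label, req in [("office, stale credential", OFFICE_STALE),
                       ("coffee shop, fresh credential", COFFEE_SHOP_FRESH),
                       ("coffee shop, payroll", COFFEE_SHOP_PAYROLL)]:
        print(label, compare(req))
```

The perimeter rule waves the stale, unpatched office request through and blocks the healthy one from the coffee shop; the zero trust rule does the reverse, and still refuses the payroll request from the same fresh session because authorization is decided per resource, not per person. In a real deployment the token would be verified cryptographically and the posture claims would come from an attested endpoint agent; both are assumed here.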

The Department of Defense and its most sensitive assets will soon (though late, to some) enjoy the protection of zero trust modeled security. If, given that zero trust has been a thing for decades, you find it surprising to see this only now go into effect, then you're going to be taken aback that DOD's deadline to implement zero trust is 2027. The DoD Zero Trust Strategy, published on Nov. 22, sets the end of fiscal year 2027 as the date for reaching what it calls "target level" zero trust across the department, and that five-year timeline is the plan to roll it out.

All the various defense agencies under DOD must develop, test, and perfect zero trust systems that verify continuously. The strategy breaks that work into seven pillars: user, device, network and environment, application and workload, data, visibility and analytics, and automation and orchestration. There is lower-hanging fruit, such as managing access credentials and the processes around them. Recall the first pillar of zero trust: user authentication at every point of access. Then there are the more challenging solutions to build. Can a system under zero trust effectively alert administrators every single time an errant piece of data is somewhere it doesn't belong? We can assume there are artificial intelligence solutions, but how trustworthy are they? Their vendors? With 10,000 systems at issue, that third-party question looms large. Does DOD trust them?

The first months and years will really tell us whether zero trust is attainable. It must be, pursuant to the Pentagon's plan and directives. Analysts and coders broadly agree that, on paper and conceptually, zero trust is more than aspirational. Of course, with lucrative contracts available, U.S. private firms are eager to prove that, too. I trust it will develop, and look forward to the verification that it works.

Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.