SolarWinds, Microsoft hacks prompt focus on zero-trust security

“We’ve got to run a new play, run a new defense, because they’re getting through to the end zone too many times here,” said John Sherman, the acting chief information officer for the Defense Department, at a virtual event held Thursday by Cyber Education Institute LLC’s Billington Cybersecurity unit, which organizes cybersecurity conferences.

Mr. Sherman said that so-called zero-trust models, which set up internal defenses that constantly verify whether a device, user or program should be able to do what it is asking to, should be more widely adopted by the public and private sectors. This is in contrast to the more reactive approach of traditional cybersecurity defenses, which seek to block hackers from entering a network.

Analysis of the breaches, which exploited vulnerabilities in software from SolarWinds Corp. and Microsoft Corp., from the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation found that the hackers were often able to gain broad systems access. In many cases the hackers moved through networks unfettered to set up back doors and administrator accounts.

The concept of zero trust has been around since the turn of the century in various forms. However, misconceptions about what it involves have slowed adoption, said Chase Cunningham, chief strategy officer at cybersecurity firm Ericom Software Ltd.

For instance, he said, zero-trust frameworks don’t abolish firewalls and other tools that guard the borders of networks, known in the industry as the perimeter. Rather, they add a layer of defense.

“No one who actually understands zero trust says abandon the perimeter,” he said. “But the reality of it is that you need to understand your perimeter’s probably already compromised, especially when you’re in a remote space.”

The Pentagon is working toward establishing a zero-trust model, Mr. Sherman said. Though Wanda Jones-Heath, chief information security officer in the Office of the Secretary of the Air Force, said that putting zero trust in place takes time and research, while others warned that cybersecurity vendors often label their products as zero-trust, but that is misleading.

“Zero trust is not a technology, it’s not something you buy, it’s a strategy,” said Gregory Touhill, director of the computer emergency readiness team at Carnegie Mellon University’s Software Engineering Institute and former federal CISO in the Obama administration. “And we’ve got too many folks in industry that are trying to peddle themselves as zero-trust vendors selling the same stuff that wasn’t good enough the first time, really.”

At the Billington event, federal CISO Chris DeRusha advocated for the use of zero-trust models, but stressed the importance of information sharing between the public and private sectors in conjunction with enhancing defenses.

The response to the SolarWinds attack, which was discovered by cybersecurity firm FireEye Inc., spurred extraordinary cooperation, he said.

The FBI was eventually able to identify a list of about 100 companies and nine federal agencies that were victims of the attack. Investigators and officials have suspected that Russia was behind the hack since it was discovered, and the U.S. government formally blamed the country on April 15, issuing fresh sanctions over the cyberattack and other matters. Russia denies the allegations.

The joint investigative work between businesses and government officials, Mr. DeRusha said, had a direct effect on the speed of recovery, and should continue.

“What I want to think about is how we bottle lightning here and we move forward in our public-private partnerships,” he said.

This story has been published from a wire agency feed without modifications to the text.