Since I left government at the tail end of 2019, there has been a world of change I could not have anticipated.
The COVID-19 pandemic rewrote how business was conducted. As individuals moved from offices to homes and other places, endpoints proliferated, expanding the attack surface.
Russia’s recent invasion of Ukraine catapulted cybersecurity to the forefront of public and private agendas, and the attack objective has broadened from extortion and espionage to destruction. The invasion exposed the cybersecurity threat and raised the stakes for securing networks and critical infrastructure.
Those who wish our nation harm are demonstrably ramping up both their willingness and their capability to launch cyberattacks. The increased intensity and sophistication of attacks against some of the U.S.’s largest financial institutions show that cyberspace has blurred the lines between instruments of national power.
The coordinated cyberattacks executed by Russia as part of its strategy in invading Ukraine prove the readiness of adversarial state actors to engage in cyber warfare against any target deemed even potentially threatening. Urgency in taking steps to protect networks, including operational technology (OT), is paramount. That should be at the top of any CIO’s and CISO’s ‘To Do’ list.
Consequently, the U.S. government’s focus on cybersecurity has ramped up. In a March 2022 executive statement, President Joe Biden warned of the potential for Russia to conduct malicious cyber activity against the U.S. and encouraged the private sector to harden their cyber defenses.
The Biden Administration has taken deliberate action to confront these growing threats, including a focus on securing the electric, oil/pipeline and water sectors. The Cybersecurity and Infrastructure Security Agency (CISA) launched the ‘Shields Up’ initiative, offering guidance to organizations and their corporate leaders on reducing the likelihood and impact of a damaging intrusion, ransomware included.
CISA’s Binding Operational Directive 22-01 requires federal civilian agencies to remediate, by set deadlines, the vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalogue, a catalogue of vulnerabilities that are being actively exploited in the wild. Further, the fiscal 2022 National Defense Authorization Act tasked the Department of Defense with establishing implementable baseline cybersecurity requirements for OT, highlighting the need to harden these devices against cyberattacks.
While I was at DoD and DHS, I viewed Comply-to-Connect (C2C) and Continuous Diagnostics and Mitigation (CDM) as a path to enforce Zero Trust principles. Protecting access to data resources was a perpetual concern. What compelled me to think that way was the emphasis in the C2C policy on assessing an endpoint’s security posture before granting any access to resources on the network and then continuously monitoring the security of the endpoint. C2C is a foundational building block of Zero Trust, ensuring secure access to data.
The C2C and CDM programs offer an opportunity to move out quickly by maximizing existing resources. For instance, the C2C program funded at DISA offers the ability to discover, identify, and categorize all six categories of endpoints defined by Cyber Command. This includes platform information technology such as ICS, SCADA and medical devices. By leveraging C2C, the cyber readiness of networks and OT devices is improved and the objectives in the FY22 NDAA can be met.
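To make the two ideas above concrete, the posture check that must pass before any access is granted and the continuous re-evaluation that follows, plus the BOD 22-01 requirement to remediate catalogued vulnerabilities by their due dates, here is an added example of a small admission-policy engine. It is not DISA’s C2C software nor any CISA tooling; it assumes a hypothetical endpoint record (fields such as agent_present and cve_ids), a simplified three-way decision (allow, restrict, deny), and a constructed excerpt of KEV-style entries whose CVE IDs and due dates are invented for the example, not real catalogue entries.

```python
from dataclasses import dataclass, replace
from datetime import date

# Constructed excerpt shaped like entries in CISA's Known Exploited
# Vulnerabilities catalog (the list BOD 22-01 directs agencies to remediate).
# The IDs and dates are hypothetical, not real catalog entries.
KEV_CATALOG = [
    {"cveID": "CVE-2000-0001", "dueDate": "2022-04-01"},
    {"cveID": "CVE-2000-0002", "dueDate": "2022-12-31"},
]

@dataclass(frozen=True)
class Endpoint:
    """Hypothetical discovery record for one device on the network."""
    host: str
    category: str            # "workstation", "server", "pit" (ICS/SCADA/medical) or "unknown"
    agent_present: bool = False
    av_running: bool = False
    os_patched: bool = False
    cve_ids: tuple = ()      # unremediated CVEs reported against this host

def kev_overdue(cve_ids, today, catalog=KEV_CATALOG):
    """CVEs that are in the catalog and already past their remediation due date."""
    due = {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in catalog}
    return sorted(c for c in cve_ids if c in due and due[c] < today)

def assess(ep, today, catalog=KEV_CATALOG):
    """Posture check run before any access is granted. Returns (action, reasons)."""
    if ep.category == "unknown":
        return "deny", ["undiscovered device: no category, no verifiable posture"]
    overdue = kev_overdue(ep.cve_ids, today, catalog)
    if overdue:
        return "deny", ["KEV-listed vulnerability past due date: " + ", ".join(overdue)]
    reasons = []
    if ep.category == "pit":
        # Platform IT usually cannot run an agent; it is confined rather than admitted.
        reasons.append("platform IT: agentless, confined to its OT segment")
    elif not ep.agent_present:
        reasons.append("no C2C agent: posture unverifiable, remediation segment")
    else:
        if not ep.av_running:
            reasons.append("endpoint protection not running")
        if not ep.os_patched:
            reasons.append("OS patches missing")
    return ("restrict", reasons) if reasons else ("allow", [])

def monitor(endpoints, events, today, catalog=KEV_CATALOG):
    """Continuous monitoring: apply posture events and record every access change."""
    state = {ep.host: ep for ep in endpoints}
    current = {h: assess(ep, today, catalog)[0] for h, ep in state.items()}
    changes = []
    for host, update in events:
        state[host] = replace(state[host], **update)
        new_action, _ = assess(state[host], today, catalog)
        if new_action != current[host]:
            changes.append((host, current[host], new_action))
            current[host] = new_action
    return current, changes

# Constructed inventory and posture events for a stand-alone run.
TODAY = date(2022, 6, 1)
ENDPOINTS = [
    Endpoint("ws-01", "workstation", agent_present=True, av_running=True, os_patched=True),
    Endpoint("srv-02", "server", agent_present=True, av_running=True, os_patched=True,
             cve_ids=("CVE-2000-0001",)),   # catalogued and past due
    Endpoint("srv-03", "server", agent_present=True, av_running=True, os_patched=True,
             cve_ids=("CVE-2000-0002",)),   # catalogued, not yet due
    Endpoint("plc-04", "pit"),
    Endpoint("ws-05", "workstation"),        # no agent, nothing verifiable
    Endpoint("unk-06", "unknown"),
]
EVENTS = [
    ("ws-01", {"av_running": False}),     # protection stops: allow -> restrict
    ("srv-02", {"cve_ids": ()}),          # overdue KEV entry fixed: deny -> allow
    ("plc-04", {"agent_present": True}),  # still platform IT: no change
]

if __name__ == "__main__":
    final, changes = monitor(ENDPOINTS, EVENTS, TODAY)
    for ep in ENDPOINTS:
        print(f"{ep.host:8} initial={assess(ep, TODAY)[0]:9} final={final[ep.host]}")
    for host, old, new in changes:
        print(f"{host}: {old} -> {new}")
```

The design choice worth noting is the ordering: an undiscovered device and an overdue catalogued vulnerability are both hard denies, while a missing agent or a lapsed control lands the device in a restricted remediation segment rather than off the network, and platform IT that cannot run an agent is always segmented instead of admitted. The monitor loop is what turns a one-time admission check into the continuous posture enforcement the C2C policy calls for.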
On the civilian side, leveraging existing tools acquired through CDM can assist agencies in meeting the goals outlined in the Zero Trust Executive Order (Executive Order 14028).
The cyber domain will continue to be dynamic. Leveraging existing, off-the-shelf tools can make a difference more quickly and provide the confidence to operational commanders and leaders in government that networks and OT are protected. After all, availability of relevant information is key to mission success.
Don’t assume trust. Don’t fall prey to rogue devices. Getting quickly to a Zero Trust architecture is more important than ever. Implementing C2C is a means available now to continuously identify and control access for all endpoints connecting to the network, making a comprehensive Zero Trust architecture achievable.
John Zangardi is CEO of Redhorse Corporation and a former CIO of the Department of Homeland Security and Department of the Navy, and a former acting CIO of the Department of Defense.