Between the vulnerabilities caused by remote work during the pandemic and cyberattacks being more frequent than ever, an aggressive and innovative approach to addressing the cyber crisis is needed now. The White House's recent requirement for federal agencies to achieve a zero-trust architecture is a great first step, but zero trust can't stop there.
The zero-trust requirement, part of President Joe Biden's cyber plan, is directed at federal agencies. It can be easy, therefore, for local and state leaders to dismiss it as irrelevant. That couldn't be further from the truth. Government leaders at all levels must implement their own form of zero trust to better protect us all.
At the same time, there are critical steps the White House needs to take before zero trust has any hope of moving beyond the federal level on a larger scale.
1. Define Zero Trust and Why It Matters
It needs to be made clear to local and state officials what zero trust is and why they should care. This is especially true for those not in an information technology role. Zero trust isn't a program to install, but rather an approach where no user, device, or application operating in or out of a security perimeter is trusted. It requires verifying everything attempting to establish access and minimizing access to what is needed through a combination of technology and policies. For example, zero trust would treat access requests from devices on known and unknown networks the same, subjecting both to the same security requirements. This is in contrast to a traditional security approach, where a firewall establishes a perimeter but gives broad access to everything inside it.
The pandemic highlighted the need for zero trust because of the shift to remote work, where employees left the perceived safety of an internal network infrastructure for computers at home. Meanwhile, the number and severity of cyber incidents have continued to rise among local and state governments, which makes it imperative for efforts to not stop at the federal level. Zero trust might not fully solve either issue, but it would be a step in the right direction.
2. Clarify the Zero-Trust Implementation Process
The federal government must clarify the steps required to implement zero trust. Multiple examples of best practices exist, including those from the Department of Defense and the National Institute of Standards and Technology. The White House's requirement follows the Cybersecurity and Infrastructure Agency (CISA) model. Without clear guidance, how are local leaders supposed to know which guidelines and best practices work best for them and where to begin? The administration needs to choose an agency to lead in this space — likely CISA — and make consistent recommendations.
Many entities already have elements of zero trust in place, such as authentication and access limitations, but they should seek to expand zero trust and ensure they have a plan for doing so. Rather than aiming for the ideal architecture in the short term, something is better than nothing. For example, the use of multifactor authentication alone can block more than 99.9% of account compromise attacks, according to Microsoft.
3. Address the Skills Gap
Gaps in technical expertise and funding at the local and state level need to be addressed. Some have already questioned whether the federal government can achieve the zero-trust goal by the end of fiscal year 2024. If it's a challenge at the federal level, there will be an even heavier burden on state and local entities, where cybersecurity preparedness varies greatly from jurisdiction to jurisdiction and the pandemic has impacted budgets. The federal government needs to provide accessible and ready-to-implement zero-trust resources, similar to CISA's guide for governors and cyber-essentials starter kit. This would complement CISA's push for local leaders to take action and the new $1 billion cybersecurity grant program.
Zero trust will not be as easy to implement for local and state governments as it will be for the private sector and federal government, but this does not mean that they should avoid it. Local and state governments should move toward zero trust now, but the federal government needs to act to drive progress.