Trust has always been a bit of a tricky proposition. It’s safe to say that all of us, at some time in our lives, have been let down after placing our faith in someone. History is replete with examples of even the smartest individuals suffering the ill effects of being too trusting. Certainly, Caesar saw no potential harm when Brutus invited him to meet a few of his poker buddies, and I’m sure more than a few Bernie Madoff clients felt a little sheepish after saying, “20% annual return? Sign me up.” Apparently, you can now add the government’s National Security Agency to the long list of those forced to deal with the ramifications of, shall we say, misplaced trust after it recently issued guidance urging owners of networks related to national security and critical infrastructure to adopt “zero trust” policies.
For those of you who haven’t been paying attention, in recent years, a couple of our “frenemies” have made some unauthorized incursions into the nation’s data vaults. No one is wearing a white dress to the party when it comes to covert operations. However, when you use your role as an uninvited guest to make off with security clearance information on millions of this country’s citizens or insert malicious code into commercially available software to take a romp through nine government agencies and more than 100 companies, you’ve probably overstepped your boundaries. It’s kind of like when your mom used to say, “It’s all fun and games until someone loses an eye” — only on a geopolitical scale.
Since the savvy professionals who provide our national security don’t believe there’s any kind of statute of limitations on bad behavior, a consensus seems to be growing around taking our security measures up a few notches when it comes to hacking. Apparently, the majority of our sensitive data — you know, locations of nuclear weapons and the real amount of the national debt — is protected using a “castle and moat” approach where, once someone makes it through security obstacles like firewalls, proxy servers, and such, they are viewed as “safe” and are free to roam at will. Unfortunately, as we’ve seen, there are more than a few folks willing to take liberties with this type of trust-based environment, so the NSA’s recommended guidance, which probably falls within the “better late than never” category, is an idea whose time has come.
A zero trust mode of operation, as the name implies, requires users to continue to pass security protocols for each area they wish to access. Security experts aren’t sure if having these measures in place could have prevented the cyberattacks from the nefarious state-sponsored hackers, but they likely would have limited their severity by giving us a better chance to detect their movements, so there’s that.
Like most seemingly simple solutions to complex problems, implementing a zero trust security architecture has a few difficulties to overcome. For example, in some instances, ripping out existing computer equipment and replacing it may be required. With the current projected rate of government spending, the cost of this type of network overhaul is no object, but as the Defense Department’s efforts to consolidate data centers have demonstrated, we’re not exactly sure where all the equipment needing to be replaced is actually located. Thus, it looks like we’ll have to begin implementing some type of hybrid approach, where zero trust schemes are added when possible and other cybersecurity efforts, such as data encryption, are used otherwise.
Perhaps we might see the prospect of having the nation’s power grid sabotaged by a group of underaged foreign computer weenies as opposed to ICBM-delivered nuclear obliteration as a form of progress, but, if you're honest, the prospect of either is less than inspiring. Etta James sang about trust back in the day — it went a little something like this:
“Why don't you trust in me in all you do?
Have the faith that I, I have in you
Oh, and love will see us through
If only you trust in me.”
Maybe someday Etta’s vision will be possible. But until then we’ve got to muddle through an untrustworthy world the best we can, and zero trust policies are a step in the right direction.