ARGUMENT: Overhauling cybersecurity

The U.S. Government Needs to Overhaul Cybersecurity. Here’s How.

Published 9 April 2021

After the 2015 hack of the U.S. Office of Personnel Management, the SolarWinds breach, and—just weeks after SolarWinds—the latest Microsoft breach, it is by now clear that the U.S. federal government is woefully unprepared in matters of cybersecurity. Jonathan Reiber and Matt Glenn write that “it is time for a different model for cybersecurity. U.S. military bases have layers of walls, guards, badge readers, and authentication measures to control access. The United States needs the same mindset for its cybersecurity.”

After the 2015 hack of the U.S. Office of Personnel Management, the SolarWinds breach, and—just weeks after SolarWinds—the latest Microsoft breach, it is by now clear that the U.S. federal government is woefully unprepared in matters of cybersecurity. Following the SolarWinds intrusion, White House leaders have called for a comprehensive cybersecurity overhaul to better protect U.S. critical infrastructure and data, and the Biden administration plans to release a new executive order to this end.

What should this reinvestment in cybersecurity look like? Jonathan Reiber and Matt Glenn write in Lawfare that

Although the United States is the home of many top cybersecurity companies, the U.S. government is behind where it should be both in technology modernization and in mindset. Best-in-class cyberdefense technologies have been available on the market for years, yet the U.S. government has failed to adopt them, opting instead to treat cybersecurity like a counterintelligence problem and focusing most of its resources on detection. Yet the government’s massive perimeter detection technology, Einstein, failed to detect the SolarWinds intrusion—which lays bare the inadequacy of this approach.

The sophisticated nature of the SolarWinds supply chain attack shows that adversaries with the time, personnel, imagination, and resources to pursue novel methods of intrusion will succeed. It is not a question of if but when an intruder will break past the gates.

For this reason, it is time for a different model for cybersecurity. U.S. military bases have layers of walls, guards, badge readers, and authentication measures to control access. The United States needs the same mindset for its cybersecurity.

Agencies need to adopt an “assume breach” mindset and invest in the security controls required to stop intruders’ internal movements. To “assume breach” in cyberspace means to invest in a comprehensive defense-in-depth strategy to stop intruders from moving freely throughout a network once they’ve broken past the perimeter.

And then, adopting a zero trust strategy will change how the government views its networks for the better. Zero trust hinges on a policy of “default deny,” meaning that connections between assets are by default not allowed. This default deny policy essentially forms a wall that prevents servers from establishing unauthorized connections.

A new, validated zero trust architecture should include the following aspects in the security stack:

· An endpoint monitoring system (commonly known as endpoint detection and response, or next-generation anti-virus) that is always on and can provide a centralized analytic view to block malware.

· A security segmentation capability to stop attacks from moving between endpoints and within the broader infrastructure.

· A next-generation firewall to monitor and filter network traffic between large environments (zones) and agencies.

· An automated testing platform aligned to the MITRE ATT&CK framework and robust cyber threat intelligence to validate the organization’s overall security program effectiveness.
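The “default deny” segmentation policy described above, as an added illustration in Python (not code from the Lawfare piece or any government system): assets belong to zones, only explicitly listed zone-to-zone flows are allowed, and every denied east-west attempt is collected for alerting. Zone names, assets, ports and the traffic sample are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str

# Constructed inventory: each asset belongs to exactly one segmentation zone.
ASSETS = {
    "web-01":  Asset("web-01",  "dmz"),
    "app-01":  Asset("app-01",  "app"),
    "db-01":   Asset("db-01",   "data"),
    "hr-ws-7": Asset("hr-ws-7", "users"),
}

# Explicit allow list of (source zone, destination zone, destination port).
# Anything not listed is denied: this is the "default deny" rule.
ALLOW = {
    ("users", "dmz", 443),
    ("dmz", "app", 8443),
    ("app", "data", 5432),
}

def decide(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for one connection attempt. An asset missing
    from the inventory is denied as well, since no rule can allow it."""
    s, d = ASSETS.get(src), ASSETS.get(dst)
    if s is None or d is None:
        return "deny"
    return "allow" if (s.zone, d.zone, port) in ALLOW else "deny"

def evaluate(attempts):
    """Apply the policy to (src, dst, port) tuples. Returns all decisions and
    the denied subset; under default deny, a denied internal connection is a
    lateral-movement signal worth alerting on, not just a dropped packet."""
    decisions = [(s, d, p, decide(s, d, p)) for s, d, p in attempts]
    denied = [a for a in decisions if a[3] == "deny"]
    return decisions, denied

# Constructed sample: normal tiered traffic, then a compromised web server and
# a user workstation each trying to reach the database tier directly.
SAMPLE = [
    ("hr-ws-7", "web-01", 443),
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("web-01", "db-01", 5432),   # skips the app tier: denied and logged
    ("hr-ws-7", "db-01", 5432),  # workstation straight to data: denied
]

if __name__ == "__main__":
    for src, dst, port, verdict in evaluate(SAMPLE)[0]:
        print(f"{verdict:5} {src} -> {dst}:{port}")
```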

Reiber and Glenn conclude:

The Biden administration can make meaningful progress in its first year by delivering a validated zero trust architecture for the missions and assets that matter most—not only investing in the defense capabilities required, but also ensuring that the security controls in place will work as intended when the adversary inevitably breaks through. It would be a signal achievement to go from the SolarWinds breach to a validated zero trust architecture. The government should set this as an aggressive but achievable strategic goal.