
Zero Trust as a Framework for Fighting Against Cyberwarfare

4/26/2022

Russia's ongoing and unfortunate invasion of Ukraine has captured headlines for its cyber dimension as well as its physical one. The breadth of cyber operations suggests attackers include both independent actors and state agencies. On 25 January, 2022, the U.K. Government released its Cyber Security Strategy, which attempts to outline how the U.K. would meet the growing panoply of cyber threats against its government agencies until 2030. As current events confirm, it is a timely and pertinent document. But it stops short of providing specific leadership on the architectures that can address the threat. This is in stark contrast to the recent U.S. presidential order, which mandated that all government agencies implement a zero trust architecture.

This dichotomy prompted me to consider where the leadership and demarcation of responsibility in this area should reside. In some respects, the U.K. strategy clarifies several pre-existing initiatives, such as the establishment of the NCSC. It suggests that whilst there is a differentiation between cyber protection for government and wider society, there are clear areas where the government should be involved to either protect key assets like energy or communication or to avoid threat contagion.

Strategies of this scale are inherently complex and therefore easy to criticise. To its credit, the U.K. strategy begins by acknowledging the breadth of challenges and attempting to address elements within its control. It must, however, be kept updated with the fast-changing technology landscape. Its globalised scope makes the challenge all the starker – the people, devices, data, companies, traffic, and cyber threats it advises on are increasingly global. That said, governments are limited by their spheres of influence.

Malicious actors have a broad range of motivations, from criminal gangs seeking financial rewards to states bent on using cyberwarfare to cripple enemy infrastructure. Whilst declarations of actual war garner the world's attention, cyber warfare is ongoing, borderless, invisible, and causes damage in ways kinetic weapons cannot. With that in mind, do our reference points for traditional warfare map well onto cyber weaponry? For example, there have been attempts to define the debate (if not the rules) for cyber warfare, like the Tallinn Manual or research from the United Nations Institute for Disarmament Research. But, as with many things in technology, the landscape is rarely static and frameworks must quickly evolve.

The other main difference is that the battlefield for cyberwarfare can extend to anywhere the internet touches, rather than some far-flung land seen only through the lens of news editors. It is shared by civilian and state actors, and indeed civilian computers may unwittingly contribute to an attack. The nature of this distributed threat means democratic governments do not control traffic, and therefore the onus for cybersecurity falls to many. It is sensible that governments play a role in defining minimum standards and policy frameworks, and should perhaps lead with best practices to protect public assets. National security and intelligence agencies also have a role in thwarting domestic cyber threats. Ultimately, the global nature of the threat requires intelligence sharing and the development of best practices among allies.

With incursions increasing in type and scale, from DDoS and voter interference to attacks on critical infrastructure and data exfiltration, their ongoing adoption by state-backed actors is nearly guaranteed. As attacks grow in sophistication and size, there is evidence that machine learning and AI will play an increasing role in both offensive and defensive operations. Companies can try to insure themselves against threats, but realistically this is fallible, reactive, and short-sighted. The arms race between adversaries has reached a point where it is prudent to collectively consider a different architecture to meet the threat. That architecture is known as zero trust.

Zero trust on the world stage

Zero trust is not a silver bullet. Even if it were, it would take years for all companies, governments, users, and OT/IoT technology to overhaul their networks. While adopting new architecture is a good step forward, it must be combined with the removal of legacy technology. Otherwise, it's merely adding complexity rather than improving security.

The point is that zero trust and its granular, identity-based brokered access are realistic aspirations and the tools exist today. It can be adopted for users, devices, and workloads in whatever environment they reside. It is no doubt a journey, but it’s one that improves security posture and reduces the scope of attacks as it is implemented. Just building perfect protection around users whilst neglecting OT, for example, no doubt ignores some attack vectors. But so long as your ultimate strategy is holistic, then each progression is an improvement. Rather than succumb to inertia, organisations should take the first step.

This is perhaps where governments can help. They can legislate baseline requirements for themselves, companies, and service providers in their sphere of control. There are also enough supra-national organisations to allow standards and co-operation on these frameworks. What we don’t need is more government incursion or backdoors, as these are inevitably used for perceived or actual nefarious means.

Governments also have the ability, remit, and funding to go on the offensive. They are as much, if not more so, a target for other states or criminals, but can also proactively or reactively respond to threats. Deception technologies are an interesting option here. Whilst they don’t overtly go on the offensive, they can entice and identify threat actors, then propagate the block to themselves (and others), thus mitigating that threat vector.

There’s a role for government agencies on national and international levels to protect the integrity of society and to provide the frameworks in which businesses and individuals can have confidence. Cybersecurity is, without doubt, a shared responsibility, and therefore it's logical to pursue foundational architectures like zero trust. The U.S. acted boldly on this and, in my opinion, the U.K. missed an opportunity. Zero trust architecture offers a proven framework for scalable, always-on security regardless of where the user, workload, or device is located.
After all, you can’t attack what you can’t see.


This blog was originally published by CXO REvolutionaries.
Written by Howard Sherrington, Director of Transformation Strategy, Zscaler.