Last Wednesday, the White House announced a new cybersecurity strategy to reorient the federal government's digital infrastructure around a zero trust model.
Under said model, devices and users both on and off the network require continuous authorization to use its resources. No one operating outside of the confines of the network's security protocols is to be trusted, hence the name "zero-trust."
The approach has become all the more necessary given the growing sophistication of cyber attacks said the White House in a release, adding that the federal government "can no longer depend on conventional perimeter-based defenses," such as localized security measures to protect the government's digital assets.
Indeed, a zero-trust approach has become increasingly necessary in the private sector as well, as remote work comes to the fore and network access points, and therefore vulnerabilities, increase.
The strategy was published as an official memo from the Office of Management and Budget and addressed to leadership at all executive agencies, who are tasked with naming an implementation lead in the next 30 days and submitting a formal plan within the next 60.
Agency heads are also tasked with bolstering identity and access controls, primarily through multi-factor authentication via hardware and taking an inventory of and monitoring every network authorized device according to rules set by the Cybersecurity and Infrastructure Security Agency (CISA), among other things.
"In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government's cyber defenses," said OMB director Shalanda Young in a statement. "This zero-trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm."
In its release, one such "increasingly sophisticated" cyber threat mentioned by the White House was the Log4j security exploit discovered back in December. The vulnerability allows would-be attackers to trigger malicious code by having their victims' computers log particular messages.
The exploit was first thought to be confined to Minecraft: Java Edition; however, it's since been found that nearly any program that makes use of a Java library is potentially at risk, including programs like iCloud
At the time, CISA director, Jen Easterly, dubbed the matter "critical" and called on both private and public sector partners to update software and patch the vulnerability.
She told reporters early last month that no US federal agencies had been compromised due to the exploit but added that she expected it to be "used in intrusions well into the future."
"Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity," said Easterly in last Wednesday's release.
The strategy finalized last Wednesday was first announced back in September and was amended according to insights from cybersecurity professionals, non-profit organizations, and private industry, said the White House.
- 1.https://www.whitehouse.gov/omb/briefing-room/2022/01/26/office-of-management-and-budget-releases-federal-strategy-to-move-the-u-s-government-towards-a-zero-trust-architecture/
- 2.https://www.theverge.com/2022/1/26/22902630/white-house-instructs-agencies-cybersecurity-strategy-memo-cisa
- 3.https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
- 4.https://www.lawfareblog.com/whats-deal-log4shell-security-nightmare
- 5.https://www.cnet.com/tech/services-and-software/cisa-director-well-be-dealing-with-log4j-for-a-long-time/
