Government cybersecurity programs are not working as planned and a new approach is anticipated.
John Kindervag is vice president and principal analyst at Forrester Research.
The Office of Personnel Management data breach was one of the most significant breaches in our government’s history. Attackers stole background check data—including fingerprints—about individuals being considered for secret clearances. This breach put American citizens at severe risk.
In response to the OPM data breach, the House Oversight and Government Reform Committee investigated, reaching out to private-sector chief information officers to get cybersecurity recommendations to help ensure this would not happen again. Those enterprise CIOs told committee staff members about Forrester’s “zero-trust model of information security” and the promise it holds to significantly uplift cybersecurity for any entity and reduce the risk of future data breaches.
Zero trust is a data-centric architecture that focuses on defining and protecting critical assets in a granular manner. Zero-trust networks are highly segmented and designed to thwart modern attacks and attackers. Today’s traditional networks rely on an extremely large perimeter that defines users and assets outside of that perimeter as “untrusted” and those inside the perimeter as “trusted.”
It is this trust model that fundamentally leads to all data breaches. By removing the concept of trust from the network, all traffic and packets are treated exactly the same and malicious users cannot exploit the trust model for nefarious gain. House oversight committee Chairman Jason Chaffetz, R-Utah, noted, “Zero trust would have profoundly limited the attacker’s ability to move within OPM’s network and access such sensitive data.”
The federal government suffered two very major, very public data breaches at important agencies in 2016. The ramifications of the OPM breach and the Internal Revenue Service breach of 700,000 taxpayers are still being felt, but it’s clear cybersecurity will be a key focus in the new administration. Government cybersecurity programs are not working as planned and a new approach is expected. The new president already has a reputation for disruption, and government agencies should therefore expect forced cybersecurity disruption as well.
Forrester anticipates that a significant player in this disruption will be the fast-growing adoption of zero trust for government networks. Never before has a sitting member of the House of Representatives endorsed a particular security model. With Chaffetz’s reelection, insiders expect the House oversight committee to remain at the forefront of the cybersecurity agenda.
The committee report asked OPM to "provide guidance to agencies to promote a zero-trust IT security model." This is a strong recommendation coming from a respected legislator who chairs a powerful committee. Beltway insiders believe this strong endorsement will drive greater zero-trust adoption as federal CIOs move to combat data breaches so they don’t end up the next OPM or IRS.