How the Federal CISO Views Zero Trust

Amid a swarm of industry offerings that employ the cybersecurity buzzword, Federal Chief Information Security Officer Chris DeRusha described the essential components of what he considers zero trust. 

“I really believe it's rooted in three core principles: verifying every user, validating every device, and then within that, limiting access intelligently,” he said. “This is obviously a shift away from the prior trust model that assumed if a user is behind a firewall, then you know they can be trusted. Obviously, this isn't bearing out anymore.” 

DeRusha headlined the Billington Cybersecurity Defense Summit Thursday where current and former federal officials stressed that the term “zero trust” refers to a plan of action or policy, not something any one product can claim they provide, and advocated smart budgeting.

“Zero trust is not a technology. It's not something you buy. It's a strategy,” said former federal CISO Gregory Touhill. “We've got too many folks that you know, in industry, that are trying to peddle themselves as zero trust vendors selling the same stuff that wasn't good enough the first time.”

The definitive government document on the zero-trust concept is the National Institute of Standards and Technology’s Special Publication 800-207, a final version of which was published last year after multiple rounds of public comment. Speaking at the conference, NIST’s zero-trust lead Alper Kerman said it was the result of consultation with members of the industry who coined the term and other early adopters.

“Government's been working towards this framework of zero trust for a while,” DeRusha said. “In earnest, in the past few years, agencies are building out really strong foundations around identity and credential access management. We're also moving closer and closer to doing continuous monitoring [and] dynamic management.” 

This all goes toward switching from a trust mindset that adversaries have been exploiting, as showcased in recent breaches, said Tonya Ugoretz, deputy assistant director for the FBI’s cyber division.

Ugoretz also echoed comments DeRusha made about the need for the government to make funding decisions in a more comprehensive manner.

“We've got to do a better job in my view of explaining the [return on investment] and what this is buying down … there's some good stuff starting to emerge out there and best practices in the space but you know it is hard to do, but I think we've, we've got to focus on that and help each other and share lessons on when we're really figuring out how to be compelling,” DeRusha said. “That's the type of sharing I'd really like to see more, not just technical sharing but getting into this key budget ask sharing as well.”

He noted some success already in Congress providing what he said was significant funding after the administration asked for $10 billion to go toward modernization, a number he said they frankly consider a downpayment.

But more doesn’t always equal better, Ugoretz said, noting the importance of taking time to assess where resources are most needed in the shifting cybersecurity landscape.

“As a government, when we take actions we tend to add on rather than take the time to look at what already exists, and to streamline that and then see where the gaps are, and also, what we can stop doing in order to free up resources whether that's humans, you know, time and attention, or dollars in order to be able to devote to something that's become a higher priority,” she said. “That takes time and when you look at the scale of an issue like this I think it takes a lot of expertise and manpower to try to do that but, as mentioned, we want to do that smartly. It's really essential.”

Ugoretz said funding so far has been uneven across agencies and that the government should approach cyber budgeting in a more collaborative way.

“I think we would benefit as a government, from trying to move away from the current approach we have, which is larger than the cyber community of each agency kind of forming its own budget requests in a silo, kind of, in secret, and then you know going directly to advocate for its needs,” she said. “The nature of cyber, as you've heard described here today requires so much interoperability and collaboration between just the federal agencies to start with, let alone, private sector and foreign government partners that we should be looking at those needs as a whole.”

One individual who may perform a key role advising the administration on cybersecurity spending in consultation with Congress is Chris Inglis, President Joe Biden’s nominee to be the first national cyber director. Speaking at the conference, Inglis mentioned a joint collaborative environment proposed by the Cyberspace Solarium Commission in identifying his most immediate priority, saying it would act as a foundation for disparate entities, including those in the private sector, to work together.

“To make immediate impacts I would say the investments that are required to create more integrated, more collaborative relationships, I think will pay immediate benefits,” he said. “The joint collaborative environment, but more importantly the collaboration and integration takes place on top of that I think is essential, and we need to move on with that. I think we have discovered that we are not—particularly in this society, with its diversity of capabilities, authorities and sometimes of kind of willingness—that we're not going to align all of those by subordinating one to the other. We're going to take advantage of those by properly integrating and arraying those in a collaborative environment. So in the near term, I think that's a very important investment.”