Ever since I left the government at the end of 2019, there has been a change in the world that I could not have expected.
COVID literally rewrote how business was run. As people moved from offices to homes or other places, endpoints multiplied, expanding the attack surface.
Russia’s recent invasion of Ukraine has catapulted cybersecurity to the forefront of public and private programs. And the purpose of attacks changed from extortion and espionage to destruction. The invasion has exposed the threat to cybersecurity, raising the stakes to ensure the security of networks and critical infrastructure.
There are examples of how those who want to harm our nation significantly increase their readiness and ability to launch cyber attacks. The increased intensity and complexity of attacks on some of the largest financial institutions in the United States show that cyberspace has blurred the boundaries between the tools of national power.
Coordinated cyberattacks by Russia as part of its strategy to invade Ukraine demonstrate the willingness of hostile government actors to engage in cyber warfare against any target considered even potentially threatening. A sense of urgency to ensure that steps are taken to protect networks, including operational technologies, is paramount. This should be at the top of each CIO and CISO’s to-do list.
As a result, the US government’s focus on cybersecurity has intensified. In a March 2022 statement, President Joe Biden warned of Russia’s potential for malicious cyber activity against the United States and encouraged the private sector to strengthen its cyber defenses.
The Biden administration has taken deliberate action to counter these growing threats, including a focus on securing the electricity, oil/pipeline and water sectors. The Cybersecurity and Infrastructure Security Agency has launched the Shields Up initiative, offering recommendations for corporate leaders to thwart ransomware.
CISA’s Binding Operational Directive 22-01 provides a catalog of vulnerabilities that are actively exploited in the wild. In addition, the fiscal 2022 National Defense Authorization Act instructed the Department of Defense to establish applicable baseline cybersecurity requirements for OT, emphasizing the need to harden these devices against cyber attacks.
While at DoD and DHS, I looked at Comply-to-Connect and Continuous Diagnostics and Mitigation as a way to enforce the principles of zero trust. Protecting access to data resources has been a constant concern. What made me think this way was the focus of C2C’s policy on assessing endpoint security posture before providing any access to network resources and then continuously monitoring endpoint security. C2C is a key building block of zero trust, providing secure data access.
The C2C and CDM programs offer the ability to move quickly by maximizing existing resources. For example, the DISA C2C-funded program offers the ability to detect, identify, and categorize all six endpoint categories defined by Cyber Command. This includes platform information technology such as ICS, SCADA and medical devices. By using C2C, the cyber readiness of networks and OT devices is improved and the goals of the fiscal year 22 NDAA can be achieved.
On the civilian side, the use of existing tools acquired through CDM can help agencies achieve the goals set out in the Zero Trust Executive Order.
The cyber domain will continue to be dynamic. Using existing, ready-made tools can make a difference faster and provide assurance to operational commanders and government leaders that networks and OT are secure. Ultimately, having the right information is the key to mission success.
Don’t assume trust. Don’t fall prey to fraudulent devices. Getting to a zero trust architecture faster is more important than ever. The implementation of C2C is now available as a means of continuously identifying and controlling access to all endpoints connecting to the network, making a complete zero trust architecture achievable.
John Zangardi is the CEO of Redhorse Corporation and a former CIO of the Department of Homeland Security and the Department of the Navy, as well as a former acting CIO of the Department of Defense.
https://www.c4isrnet.com/opinion/2022/06/02/to-maximize-cybersecurity-dollars-lean-on-zero-trust/