The Repercussions of Zero Trust Adoption in Federal Agencies

Any functional relationship is built on trust. As cybercriminals level up with better tools and technology, defenders need to close ranks, share information, and build better partnerships together. After all, we’re all on the same side.

One inhibitor of these close-working relationships is varying degrees of security. Supply chain threats are abundant, and companies are applying greater scrutiny to the organizations they partner with downstream. This is all for the greater good, and zero trust is one of the most effective ways that organizations can be choosy and still get the teams and the services they want. In government, this dynamic is no different. 

Making zero trust the norm in federal agencies will facilitate more trust and greater collaboration. However, it might also make environments so strong that attackers will have no choice but to double down on other methods of compromise. This is to be expected no matter the tactic, and the fact remains — an increased focus on zero trust architecture is still likely to benefit both the private and public sectors more than it ever will threat actors.

We sat down with Fortra’s John Grancarich, Chief Strategy Officer, to get his thoughts on zero trust in federal agencies and what adoption bodes for the future of cybersecurity.

Zero Trust Adoption Means More Governments Will Be Working Together

Critical infrastructure around the world is under siege by cyberattacks and the knowledge that can be gleaned from these attempts is invaluable in preventing the next one. However, right now a lot of countries, agencies, and departments are stymied because of the inherent risks in sharing information across borders.

This is because agencies have problems of their own when it comes to cybersecurity, and it is likely that agencies in other countries do, too. Two years after CISA introduced its Known Exploited Vulnerabilities (KEV) catalog, CISA Executive Assistant Director for Cybersecurity Eric Goldstein shared how federal civilian agencies had already remediated over 7 million KEV findings in the past twelve months. This is wonderful news, and also pulls back the curtain on just how many latent vulnerabilities are out there in the public sector. Knowing this, it’s no wonder that communication and knowledge sharing between international entities would be strained, even if they are fighting on the same side of a global cyber war. As Grancarich was quick to point out in another article for Tech Native, "Zero trust is a cybersecurity strategy and framework built around the notion that security risks don’t only concern outside threats, but that significant danger is posed by those already within.” 

He notes that a broader adoption of zero trust would likely increase collaboration among various countries in a coordinated effort to protect critical infrastructure. He states, “There is already some strong collaboration that happens across law enforcement agencies with respect to sharing threat intelligence — I could see how various global agencies would partner together to develop and share their zero trust frameworks, strategies, and approaches to implementation and ongoing monitoring.” 

A Public Sector Domino Effect  

When asked if this broader adoption will inspire adoption in other areas, Grancarich says, “The short answer is yes, if we are using history as a guide.” He notes how comprehensive adoption of zero trust across the public sector will likely set off a domino effect as other entities follow suit. First, the private sector, which often uses federal security standards as a pace car (think NIST), then eventually the private sector security vendors, which feed the public sector as well. 

“As we’ve seen with other technology shifts that the public sector has either directly funded or otherwise advanced, they often set a standard for others to follow.” Grancarich affirms. He suggests that “With zero trust we’ll likely see adoption not only by other governments around the world, but by the private sector as well,” concluding that, “once private sector security teams get on board, then the security tech vendors will have to follow.” 

Any Unforeseen Implications? 

The only downside — and an unavoidable one at that — is the fact that as we get better at locking the doors, threat actors will get better at trying the windows. 

Grancarich pointed out that the increase in zero trust principles will have its intended effect of raising the level of cybersecurity for both the public and the private sector alike. Critical infrastructure systems will be harder to access through the network and undermine with malware. More exploits will get caught on arrival (or before), and the door handles that once were loose will be tightened.  

However, this is hardly enough to get cybercriminals to pack up and go home. Grancarich suggests that what we’ll see on the horizon in this case is a widespread shift in tactics. He notes, “Concurrent with the increased adoption of zero trust principles is certainly an increase in security researchers — both well-intentioned and not — looking for ways to circumvent these controls.” 

So which windows will they try? The answer might be obvious. “No matter how sophisticated a security control may be, it can be circumvented and often is in a tried-and-true way,” Grancarich explains; “With social engineering.”

Conclusion

The fight for global zero trust adoption among federal and government agencies is worth winning, no matter the repercussions. Attackers will always change tactics (when they have to) and forcing them to do so is better than turning a blind eye to the myriads of access points they have now through undiscovered vulnerabilities and other security mishaps. 

But for now, the answer might be to take things slow and steady. As Grancarich concludes, “When it comes to zero trust, it’s all about compound gains.” Doing too much too soon could rock the boat in favor of attackers or our own human error.

The only way to achieve the kind of lasting cybersecurity change that critical infrastructure and government agencies will need in the year ahead is to adopt zero trust one sure step at a time — and the rest will follow.