It Takes Shifting Culture to Institute Zero Trust in Government
Federal officials say that priorities in identity management are critical to cybersecurity, but it requires a mindset shift.
Successful implementation of zero-trust cybersecurity strategies in government requires a significant cultural and systemic shift.
“[It’s like] an immune infrastructure, kind of like the way the human body works, understanding those networks, keeping the adversary out once they get in … and then operate to compromise,” Lawrence Livermore National Laboratory (LLNL) Principal Associate Director for Global Security Huban Gowadia said at the RSA Conference in May. “All that begins with a sound cybersecurity culture.”
Former Federal CISO and Deputy National Cyber Director Chris DeRusha said that agencies will struggle without implementing zero trust, especially as teams continue to develop vulnerable applications at a rapid pace.
“You’re just going to keep being victim and you have too many holes—too many ways in,” he said.
Building a workforce that is comfortable with zero-trust, identity management and other critical cybersecurity concepts is a huge part of building a more secure culture at agencies, Gowadia said. That shift, she added, is already underway.
“In the National Laboratory system today, more than 50% of us have been in the system less than five years, which is an incredible generational shift,” Gowadia said. “I’d like to believe that a generational shift brings with it so much innate sense of cyber systems and cybersecurity. I’d like to believe that we have a shot at building a whole new culture based on a whole workforce generation that’s coming in.”
Adopting a “trust nothing” approach addresses these concerns by systematically reviewing and understanding the risks introduced into large environments, so that vulnerabilities are found before they are exposed. Culture and legacy systems make this hard to implement, according to DeRusha.
“It’s a complete re-architecture across all these different pillars, and it’s a completely different way of working,” he said. “It can be pretty scary to make that change because you’re going to potentially break some of your applications, which may be delivering critical services to hundreds of thousands of citizens.”
The White House’s plans for zero-trust implementation mean agencies now need to think about cybersecurity in different and more immediate ways, Gowadia noted, and zero-trust implementation is a key part of the administration’s executive plans.
“I think we all felt that sense of urgency,” Gowadia said. “You see it reflected in the zero-trust strategy document. You see it in some of the timelines stipulated in the [White House Cybersecurity Executive Order] and the strategy document.”
According to DeRusha, the goal is not to flip a switch, but to set benchmarks for progress.
“A lot of it for us is getting people ready and having them do the activities that are necessary precursors to making progress anywhere,” he said. “We just try to knock over a bunch of barriers in the meantime with finally getting towards phishing-resistant multi-factor authentication everywhere and ensuring that we are getting to our high-value assets. But if you don’t have categorization of your high-value assets, your crown jewels, you can’t even do that.”