
Federal Zero Trust Leaders Shift Focus From ‘Attack Surface’ to ‘Protect Surface’


Officials say zero trust requires disrupting legacy systems, prioritizing protect surfaces and improving supply chain visibility with SBOMs.

Homeland Security Science and Technology Directorate Cybersecurity Science Advisor Donald Coulter speaks at GovCIO Media & Research's Federal Zero Trust Forum in Arlington, Virginia, on Dec. 16, 2025. Photo Credit: Invision Events

True federal zero trust adoption demands a fundamental willingness to disrupt legacy systems and a strategic move to protecting what matters most, officials said Tuesday during GovCIO Media & Research’s Federal Zero Trust Forum in Arlington, Virginia.

“What you’re doing is trying to manage and direct that disruption in the right place, so that you’re directing away from your critical operations and missions and to the spaces that you have direct control over,” Homeland Security Science and Technology Directorate Cybersecurity Science Advisor Donald Coulter said.

Attack Surface vs. Protect Surface

During the panel, former National Security Cyber Division Director at DHS Don Yeske said there is a “gaping hole” in how agencies approach their defensive strategy. He noted that traditional government cybersecurity frameworks focus too heavily on the “attack surface” — a concept that is fundamentally unmanageable because it encompasses every potential vulnerability in an ever-expanding digital ecosystem.

“The attack surface is like the universe. It is ever evolving. It is constantly growing and changing. You cannot know the entire universe,” Yeske said. “Protecting the attack surface is a never-ending job. We can get better at it, but we can’t ever get that done.”

Yeske proposed inverting the problem by focusing instead on the “protect surface.” He said that agencies need to identify the specific assets, data and missions that are mission-critical, instead of trying to protect the “universe.” Rather than trying to secure every endpoint with equal vigor, agencies should determine exactly what must survive a breach, Yeske said.

“The protect surface is what you can’t afford to lose,” he added.

Coulter agreed, noting that this shift in perspective is essential for research and development. When agencies can clearly identify what they cannot afford to lose, it clarifies the technical roadmap.

“That protect surface, as a concept, allows us to focus and concentrate our efforts and allows us to focus our research and our tech integration and strategy,” Coulter explained.

SBOMs and Supply Chain Security

GovCIO Defense Services Group Cybersecurity Senior Director Brian Wilson said the opacity of the cybersecurity supply chain poses a major challenge for government. As IT leaders modernize legacy systems, they often must secure applications whose internal components remain largely unknown. Wilson said this lack of visibility represents a primary vulnerability.

“This really gets into handling legacy applications … there’s a ton of software and hardware out there that we don’t actually know,” Wilson said.

To counter this, Wilson advocated for the rigorous implementation of Software Bills of Materials (SBOMs) and logging systems. He said that SBOMs function as a detailed inventory, breaking down an application into its individual components so that each can be scanned for vulnerabilities dynamically and statically.

“[SBOMs] allow us to have a catalog of what’s actually in the application, and that’ll help us create a better protect surface,” Wilson added.

The Future of Zero Trust Transformation

As agencies eye upcoming zero-trust implementation deadlines, Wilson said the evolving nature of threats will force systems to evolve to track and deter more complicated threats.

“I think that there has to be a strategy for continuous iteration. You’re going to assume that we’re going to develop these capabilities,” Wilson said. “They give you the observability.”

Coulter said that the philosophy of cyber defense will evolve over the next decade. He suggested that as zero trust matures, the goal will shift from simply withstanding attacks to actively altering the risk calculus for attackers.

“At some point we’re going to start talking about imposing even more costs,” Coulter said. “We’re going to start penalizing people for even trying to get in. We’re not just going to build stronger fences. It’s going to be electric fences.”
