The White House announced on Wednesday new measures to boost cybersecurity within federal agencies following increased cyberattacks on private and public U.S. infrastructure.
According to a memo released by Shalanda Young, the acting director for the Office of Management and Budget (OMB), agencies will be transitioning to a “zero trust” approach that assumes no actor, system or network operating outside the security perimeter is to be trusted.
“Instead, we must verify anything and everything attempting to establish access,” the memo reads, calling it a “dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data.”
“This zero trust strategy is about ensuring the federal government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm,” Young said in a statement.
The strategy is in line with President Biden’s executive order on improving the nation’s cybersecurity, which he signed in May after a major cyberattack crippled Colonial Pipeline, which transports nearly half of the fuel used by the East Coast. A Russian group known as DarkSide secured a $4.4 million ransom after shutting the company’s operating system down, but the Department of Justice later recouped most of the money.
Other major cyberattacks in the past year include the targeting of meat-packing processor JBS USA and the stock-trading platform Robinhood. Chinese hackers also gained sensitive information from U.S. defense and technology firms in November and December, according to the Center for Strategic and International Studies.
The OMB warned that a piece of software called Log4j is being exploited by hackers, creating “sophisticated” new threats to governments and companies. Log4j is commonly used in consumer services but can be exploited to take control of a system, the Cybersecurity and Infrastructure Security Agency says.
The zero trust strategy will give agencies an increased ability to detect and isolate threats, the OMB said. According to the memo, agencies will have 30 days from Wednesday to design a zero trust strategy initiative.
“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said National Cyber Director Chris Inglis in a statement.
Cybersecurity experts said the zero-trust initiative would improve security, but might present other challenges.
Randy Watkins, the chief technology officer at Critical Start, said the zero-trust strategy carried a risk with “improper implementation.”
“Zero trust is a very secure, but potentially disruptive, security model that assumes every user and asset is compromised, and every action is malicious. It’s extremely effective at preventing attacks but can also be effective at negatively impacting the organization,” he said in a statement to The Hill.
Craig Mueller, the vice president at cloud security firm iboss, warned the government about cloud services under the zero-trust model. He said services “that cannot make all applications and resources private, including those in the cloud, will fail to reduce cyber risk and deliver on the Zero Trust model.”
But Mueller told The Hill that “containerized cloud architecture,” which allows software to be packaged in isolation, would help increase agency security.
Google Cloud’s Chief Information Security Officer, Phil Venables, applauded the move.
“Google Cloud supports the U.S. Government’s move toward a zero trust architecture in its federal cybersecurity strategy released today,” Venables said in a statement.
“We’ve long advocated for the adoption of modern security approaches like zero trust and have applied these principles to most aspects of our operations like user access and production services.”
Updated: 5:15 p.m.