NSA Headquarters at Night (Trevor Paglen)

WASHINGTON: The National Security Agency wants those who administer “National Security Systems, Department of Defense networks, and Defense Industrial Base systems” to use a zero-trust security model.

The NSA guidance follows a Feb. 23 Senate Intelligence Committee hearing on the so-called SolarWinds hack, named after the Texas-based IT company SolarWinds Inc., whose compromise was first disclosed publicly in December by security company FireEye, which was itself among the victims. NSA’s guidance also follows last week’s news that the National Aeronautics and Space Administration and the Federal Aviation Administration have been added to the list of organizations breached as part of the wide-ranging campaign.

Government officials, industry executives, and security experts have characterized the SolarWinds hack as one of the largest known cyber campaigns ever waged against the U.S. public and private sectors. FireEye CEO Kevin Mandia and Microsoft President Brad Smith told senators they believe Russian intelligence conducted the hack and that the primary motive was cyberespionage. The U.S. government has not yet formally attributed the attack to Russia. The hack is still being investigated and its consequences assessed by the FBI, government agencies, and companies.

Zero trust is “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy,” NSA’s guidance notes. It is a data-centric approach to security that assumes the worst: that an organization is already breached or will be. Starting from that “assumed breach,” zero-trust models apply the security principle of “least privilege” to every user, device, and request on a network, enforced with risk-based access control, security monitoring, and security automation.

NSA’s guidance provides three example scenarios showing how zero trust changes outcomes compared with older security models. The “compromised supply chain” scenario refers, though not by name, to the SolarWinds hack. “In this example,” the guidance reads, “a malicious actor embeds malicious code in a popular enterprise network device or application. The device or application is maintained and regularly updated on the organization’s network in accordance with best practices.”

The scenario alludes to how threat actors compromised SolarWinds Inc.’s Orion Platform, which, according to the company’s Securities and Exchange Commission filings, is used by nearly 33,000 customers to monitor and manage IT infrastructure. The attackers stealthily inserted malicious code into a legitimate software update; the hidden code gave them a backdoor into any organization that installed it. So far, nine federal agencies and at least 100 companies have said they were breached.
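To make the difference between the two mindsets concrete, here is an added example in Python (not code from the article, from NSA’s guidance, or from any vendor named here) that contrasts location-based perimeter access control with the per-request, least-privilege evaluation NSA describes, then replays the “compromised supply chain” scenario: a network-monitoring server, backdoored through a poisoned update, attempts to move laterally from inside the network. The principal names, hosts, address range, policy table, and the device-posture and risk-score inputs are all constructed for illustration and stand in for feeds a real deployment would take from identity, endpoint and monitoring systems.

```python
"""Toy policy decision point: perimeter model vs. zero-trust model.

Added example; every identity, host, network range and policy entry below
is constructed for illustration, not taken from the article or NSA guidance.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range


@dataclass(frozen=True)
class Request:
    principal: str              # user or service identity making the request
    src_ip: str                 # where the request comes from
    resource: str               # target host or service
    action: str                 # e.g. "snmp:read", "smb:read", "ldap:bind"
    device_healthy: bool = True  # posture signal (assumed EDR/MDM feed)
    risk_score: int = 0          # 0-100 (assumed monitoring/analytics feed)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def perimeter_decide(req: Request) -> Decision:
    """Perimeter model: trust is granted by network location alone."""
    if ip_address(req.src_ip) in INTERNAL:
        return Decision(True, "source is inside the perimeter")
    return Decision(False, "source is outside the perimeter")


# Zero-trust model: explicit least-privilege grants keyed by (principal, resource).
# Anything not listed is denied by default, regardless of network location.
LEAST_PRIVILEGE = {
    ("svc-netmon", "router-core-1"): {"snmp:read"},
    ("svc-netmon", "switch-floor-3"): {"snmp:read"},
    ("alice@corp", "fileshare-hr"): {"smb:read"},
}
RISK_THRESHOLD = 70  # assumed cut-off above which access is refused


def zero_trust_decide(req: Request) -> Decision:
    """Zero-trust model: default deny, least privilege, per-request risk checks."""
    allowed = LEAST_PRIVILEGE.get((req.principal, req.resource), set())
    if req.action not in allowed:
        return Decision(False, f"no grant for {req.principal} -> {req.resource}:{req.action}")
    if not req.device_healthy:
        return Decision(False, "device posture check failed")
    if req.risk_score >= RISK_THRESHOLD:
        return Decision(False, f"risk score {req.risk_score} >= {RISK_THRESHOLD}")
    return Decision(True, "explicit least-privilege grant")


def compromised_monitor_scenario() -> dict:
    """Monitoring server 'svc-netmon' is backdoored via a poisoned update.

    Its legitimate job (SNMP reads of network gear) still works under both
    models; its lateral move to the domain controller is allowed by the
    perimeter model (it is 'inside') and denied by the zero-trust model.
    """
    normal = Request("svc-netmon", "10.1.2.3", "router-core-1", "snmp:read")
    lateral = Request("svc-netmon", "10.1.2.3", "dc-01", "ldap:bind")
    return {
        "perimeter": [perimeter_decide(normal).allow, perimeter_decide(lateral).allow],
        "zero_trust": [zero_trust_decide(normal).allow, zero_trust_decide(lateral).allow],
    }


def posture_and_risk_checks() -> list:
    """Same user, same grant; only posture, risk and location vary."""
    healthy = Request("alice@corp", "10.9.9.9", "fileshare-hr", "smb:read")
    unhealthy = Request("alice@corp", "10.9.9.9", "fileshare-hr", "smb:read", device_healthy=False)
    risky = Request("alice@corp", "203.0.113.5", "fileshare-hr", "smb:read", risk_score=85)
    remote = Request("alice@corp", "203.0.113.5", "fileshare-hr", "smb:read")  # off-premises, healthy
    return [zero_trust_decide(r).allow for r in (healthy, unhealthy, risky, remote)]


if __name__ == "__main__":
    for model, results in compromised_monitor_scenario().items():
        print(f"{model:10s} normal={results[0]} lateral={results[1]}")
    print("posture/risk/remote:", posture_and_risk_checks())
```

Two things the table of outcomes shows that the prose only asserts: the poisoned monitoring server keeps doing its real job under zero trust, so least privilege is not a blanket block on the component, and a healthy, low-risk employee working from an outside address is allowed what the perimeter model would refuse. A production decision point would also re-evaluate long-lived sessions as posture and risk signals change, which this toy version does not model.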

Smith testified that a team of internal Microsoft security experts investigating the breach at the company estimated that the SolarWinds hack involved the work of “at least 1,000 engineers,” the sort of scale that would require a government’s commitment of people and money.

The zero-trust model is not a recent development in the security community. The concept predates the term, which was first used a decade ago. But as IT resources have migrated from organizational premises – both into the cloud and with increasingly mobile (and largely remote, since the pandemic) employees – the traditional network perimeter approach to security has been viewed by experts as increasingly inadequate and ineffective. Zero trust is increasingly seen as the best alternative model to perimeter security.

At the Senate Intelligence Committee hearing a remarkable exchange occurred, illustrating the different mindsets behind traditional perimeter-focused security and the newer zero-trust model. Sen. Ron Wyden questioned Mandia, Smith, SolarWinds CEO Sudhakar Ramakrishna, and CrowdStrike CEO George Kurtz on the role of “properly configured firewalls,” which have historically been a key component of perimeter security strategies. Referencing previously issued NSA and National Institute of Standards and Technology guidance, Wyden pressed the witnesses for a “yes/no answer” on whether they agree firewalls are “Security 101” and effective in thwarting threat actors.

To which, Mandia replied, “I’m going to give you the ‘it depends.’ The bottom line is this: We do over 600 red teams a year. Firewalls never stopped one of them. …In theory, it’s a solid thing, but it’s academic. In practice, it is operationally cumbersome –” at which point Wyden cut off Mandia.

Ramakrishna agreed.

Smith replied, “I’m squarely in the ‘it depends’ camp for the same reasons that Kevin is.”

Kurtz replied, “Firewalls help, but are insufficient,” agreeing with Mandia’s and Smith’s assessments. “There isn’t a breach we’ve investigated that the company didn’t have a firewall and even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not the be-all, end-all. And, generally, they’re a speedbump on the information superhighway for the bad guys.”

Since firewalls and other traditional network security appliances, which casual observers tend to regard as a fundamental barrier to attack, clearly are not enough on their own, the move to the more holistic zero-trust model is easy to explain.

It’s a better-suited strategy to today’s more geographically dispersed enterprise IT environments and threat actors capable of bypassing traditional network perimeter safeguards.