Cybersecurity has become a trillion-dollar industry with spending rising each year. But according to one industry IT expert, throwing more money at this mounting problem is failing to make sufficient headway. Only a fundamental change in how we approach cybersecurity stands any chance of keeping would-be hackers from accessing online information.
Walt Szablowski, founder and executive chairman of Eracent, a company that delivers automated software and IT asset management solutions, asserts that the only answer is a Zero Trust network architecture, which assumes all network traffic is potentially malicious and requires every user to be verified and authenticated upon any attempt to access sensitive data or systems.
“We are not stopping anything that gets them (hackers) into the system,” said Szablowski in an interview with Design News. “We are not doing what we need to do.”
Mounting Cyber Attacks
Cybersecurity problems are pervasive but have become a particular concern for national security because of cyberattacks like the 2020 Federal data breach backed by the Russian government. Escalating cybersecurity issues forced President Biden to issue an Executive Order in 2021 mandating the design and implementation of Zero Trust architectures that would strictly regulate access to sensitive government data.
These Zero Trust principles are clearly spelled out in guidelines from the National Institute of Standards and Technology (NIST). The problem, according to Szablowski, is that institutions have not been following them. NIST does not have the power to enforce its guidelines and standards.
Biden’s Executive Order called for the Federal Government to implement secure cloud services and a zero-trust architecture, and mandated deployment of multifactor authentication and encryption within a specific time period.
The order also establishes baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
The order also establishes a Cyber Safety Review Board, co-chaired by government and private sector leads, with the authority to convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. This board is modeled after the National Transportation Safety Board, which is used after airplane accidents and other incidents.
Because the approach to tackling cybersecurity has largely been a patchwork of uncoordinated efforts, a month ago the Biden Administration released the 35-page National Cybersecurity Strategy that would, among other measures, improve the security of Internet of Things (IoT) devices and expand IoT cybersecurity labels, invest in quantum-resistant systems, develop a stronger cyber workforce, evolve privacy-enhancing platforms, and adopt security practices that are aligned with the National Institute of Standards and Technology (NIST) framework.
Adapting to Change
Szablowski believes that only substantial measures such as those outlined in Biden’s 2021 Executive Order and the recently released Cybersecurity Strategy can start to overcome the inertia that has long characterized the nation’s approach to cybersecurity.
“The problem is no one wants to go through the steps of designing and implementing a Zero Trust process. You need to determine who gets access, limit uploading, and allow only selective downloading of information.”
Enforcement Will Be Key
While Biden’s Executive Order calls for Federal agencies to meet specific Zero Trust goals by the end of the 2024 fiscal year, Szablowski concedes that enforcing the mandate will be key. “The problem is no one wants to go through the process. You have to insist the process be followed and impose penalties for not complying.”
An absence of consequences for failed cybersecurity procedures has further exacerbated the issue, Szablowski noted, as the industry views the shortage of skilled cybersecurity workers as one obstacle in solving cybersecurity issues.
“Cybersecurity people are in demand,” he added. “No one is getting fired.”
With the government appearing to take the lead in implementing cybersecurity measures, will private industry also step up its efforts to implement measures such as Zero Trust architectures? Szablowski is somewhat skeptical.
“This won’t happen in private industry. They know and account for the fact that hackers are on their networks.”
Spencer Chin is a Senior Editor for Design News covering the electronics beat. He has many years of experience covering developments in components, semiconductors, subsystems, power, and other facets of electronics from both a business/supply-chain and technology perspective.