Embracing ‘zero trust’ is the right answer to the Colonial pipeline hack

Over the past several years, entities ranging from small town police departments to business titans like FedEx have fallen prey to the computer virus scourge known as ransomware. In each case, hackers managed to plant malicious encryption software in a victim’s computer system, halting operations until the victim either paid an exorbitant fee to unlock its systems or rebuilt its computer operations from near scratch. Despite the fact that a new entity has been falling victim to ransomware nearly every 14 seconds, those attacks thankfully never managed to cause anything close to a wide-scale disruption of day-to-day life in the United States.

Or at least that was the case until that malware worked its way into the systems of Colonial Pipeline.

Due to that ransomware infection, allegedly launched by a group of Russian criminals, Colonial was forced to completely shut down over 5,500 miles of pipelines. Owing to the fact that those lines are responsible for moving nearly 50 percent of the gasoline up and down the East Coast, drivers in some areas were suddenly confronted with gas scarcity and price spikes reminiscent of the 1970s OPEC oil embargo.

Even considering that Colonial had to restrict the flow of gas for less than one week, it is decidedly unnerving that one of the most vital pieces of America’s infrastructure could be knocked completely offline by what some experts deemed “a relatively small player” in the hacking world.

Unsurprisingly, Washington has furiously reacted to the Colonial Pipeline incident. Numerous Congressional members have vowed to pour additional billions into federal cybersecurity programs that protect American energy systems and tighten the virtual regulatory screws on the energy sector. 

Increased resources for federal cybersecurity programs are, to be sure, a good idea. More funding and oversight power will be largely pointless, however, if it is expended with only the simple goal of preventing hackers from ever penetrating other Colonial-like systems.

Instead, the federal government should reset its expectations of private companies so that their cybersecurity programs are deemed successful when they either stop an incoming attack or dramatically limit the harm caused by hackers. Cybersecurity professionals have a name for such a strategy: “zero trust.”

Under a zero-trust strategy it is assumed that hackers will inevitably manage to penetrate cyber defenses, and so heavy investment must also be made in resources that hunt down and remove intruders as well as resilience mechanisms that minimize the harm any given hacker can do.

Some government leaders might reflexively reject that approach as a response to the Colonial hack, arguing that it is little more than another excuse for companies to underinvest in cybersecurity.

Those zero trust detractors will however have to answer this question: If zero-trust strategies are the gold standard for America’s top cyber defenders, why isn’t it okay for private companies?

Consider that earlier this year the National Security Agency issued guidance “strongly recommending” that U.S. defense and intelligence agencies and their government contracting partners embrace (their words) the adoption of zero-trust architectures. The NSA elected to promote that strategy based on the conclusion that it “better position(s)” cybersecurity professionals “to secure sensitive data, systems, and services.”

The NSA is, of course, no slouch when it comes to cybersecurity — in fact it is widely acknowledged to be the most advanced and best resourced cyber defense agency in the world. So, if the NSA is saying that it and its siblings in the defense community should assume that they will be breached, then there is simply no rational basis for holding private companies to a higher standard.

The Biden administration has spread the zero-trust gospel even further, specifically by issuing an Executive Order directing all federal agencies to similarly adopt that type of information security architecture.

The next few months will offer some stellar opportunities for the White House to promote the adoption of zero-trust models by the private sector. Transportation Secretary Pete Buttigeig, for instance, has stated that when and if an infrastructure bill is passed into law, it will be an “expectation” that projects it funds will have “robust cybersecurity resilience and planning written into” them.

Secretary Buttigieg would be well-served to center those expectations around zero trust. Had that been the overarching strategy for Colonial, the operational and economic fallout would almost certainly have been far less thanks to planning that would have anticipated the possibility of a successful ransomware penetration and developed plans to minimize its impact.

If nothing else, the Colonial pipeline experience serves as yet another reminder that cyberattacks are here to stay. Using a zero-trust strategy to confront them will put America on the path to ensuring that they rarely constitute more than a nuisance. President Biden and Congress now have the opportunity to shift us into that positive direction, and let’s all hope they do so.

Brian E. Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP in Washington D.C.. Follow him on Twitter @BrianEFinch

Dave DeWalt is the former CEO of McAfee and FireEye.

Michael S. Rogers was the 17th director of the National Security Agency and 2nd Commander of U.S. Cyber Command. He is chairman of the Board of Advisors at Claroty.