Cyber-attacks remain a daily threat not only to multinational firms but also to government agencies and many other vulnerable entities. In a bid to curb these attacks, the United States White House has released a new cybersecurity strategy for all government infrastructures and entities. In a statement, the White House said that the “growing threat of sophisticated cyber-attacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defences to protect critical systems and data.”
The new strategy sets out the administration’s vision for all government agencies to embrace a “zero trust” architecture. The “zero trust” cybersecurity model grants users or devices access to the specific network resources necessary for the task at hand. This means that permissions and authentication will no longer run as usual but will be granted only on a case-by-case basis. The new cybersecurity document was published in a memorandum by the administration’s policy arm, the Office of Management and Budget (OMB), and was addressed to all heads of executive departments and agencies.
The memorandum highlighted that a shift towards zero trust architecture requires stronger enterprise identity and access controls as well as the use of multi-factor authentication. Authentication is expected to be carried out specifically through a hardware-based authentication token, such as an access card, instead of through SMS push notifications. The new strategy requires federal officials to use several layers of security when they sign on to agency networks, and it requires agencies to boost internal network protection through various methods, such as inviting independent experts to assess levels of security. According to the Cybersecurity and Infrastructure Security Agency (CISA), guidelines have been laid down for US agencies and executive departments to complete an inventory of every device authorized and operated for official business, for monitoring and compliance with the new strategy.
Acting OMB Director Shalanda Young said in a statement, “In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defences.” Young added that “This zero-trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”
The Log4j security vulnerability, a bug in a widely used piece of computer code, was cited last year by the White House as “the latest evidence” of the ways adversaries have explored to get their foot in the door. The vulnerability, which is considered one of the most serious cybersecurity threats to have hit in recent times, first began to be exploited in December 2021. At the time, CISA instructed government agencies to patch vulnerable assets immediately or apply other mitigation measures. The FTC subsequently warned private companies to remediate the vulnerability to avoid potential legal action for putting consumers at risk.
CISA director Jen Easterly said that “As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity.” Easterly added that “Zero trust is a key element of this effort to modernize and strengthen our defences.” Touching on CISA’s efforts to stay ahead of these adversaries, Easterly said, “CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.” The new strategy reiterates one thing: as adversaries continue to explore ways to breach security in cyberspace, organizations must never rest when it comes to boosting their defences, so as not to fall prey to cybercriminals.
An initial draft of the cybersecurity strategy was released to the public in September 2021 for comments and opinions, and input from the cybersecurity industry as well as other fields of the public and private sector has since shaped it. With the final strategy reached and now released to the government agencies and organizations involved, the OMB has issued a 30-day ultimatum for agencies to designate a strategy implementation lead and another 60-day ultimatum for each organization to submit an implementation plan to the OMB. Agencies were given until the end of fiscal year 2024 to meet the goals.
National Cyber Director Christopher Inglis said that “This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defences.” He added, “We are not waiting to respond to the next cyber breach. Rather, this administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”
Last year, a number of high-profile cyber-attacks were launched against private organizations, including attacks against the world’s largest beef supplier and a major fuel supplier, which slowed critical U.S. supply chains. The White House has warned private companies to boost their defences.