Cybersecurity doesn't exist
The Need for Zero Trust Protection
FAA Outage 2023 signals the need for a Zero Trust approach
On 11 January 2023, for the first time since 9/11, the U.S. Federal Aviation Administration (FAA) was obliged to stop all flight departures across the nation for safety reasons.
The next day, CNN reported that after recognizing a computer “issue”, air traffic control officials decided “to reboot the system when it would least disrupt air travel.” But that plan ultimately failed.
When the system came back online, “it wasn’t completely pushing out the pertinent information that it needed for safe flight, and it appeared that it was taking longer to do that,” CNN quoted its source, who also blamed old tech infrastructure that had not been replaced due to budget constraints.
During the outage, which lasted 11 hours and 50 minutes, a total of 10,563 flights were delayed, and more than 1,300 flights were canceled, as reported by FlightAware.
One corrupt file was found in the main NOTAM system (Notice to Air Missions), and a second corrupt file was found in the backup system.
The FAA eventually confirmed that the outage was caused by a damaged data file related to the NOTAM system – the file had been unintentionally damaged by a contractor who failed to follow procedures.
Although not caused by a cybersecurity breach, the event understandably triggered panic across the country, and continues to raise plenty of safety and security questions.
Walt Szablowski is the Founder and Executive Chair of Eracent, a company that helps other companies reduce their IT security risks through managing IT network assets, software licenses, and cybersecurity. We asked Walt how the latest and more sophisticated technologies protect systems against cybersecurity breaches. Short answer? “They don’t,” he readily admits. In fact, the business model of the Cybersecurity Industry “is based on developing new tools and selling new tools.”
He explains that new tools replace the old tools, because the old tools don’t work. As new tools are presented, organizations buy, and continue to buy.
Newer tools are continually being added in the hope that they will be more effective, however, it’s “obvious to everyone at this point that the present cybersecurity tools and processes are not working,” says Szablowski.
He points to the fact that “we still talk about cybersecurity because the tools did not give us cyber security.”
Today’s organizations need to evolve remote access from traditional VPNs to a zero-trust access solution.
According to Eracent, President Biden’s Executive Order 1408, issued on 12 May 2021, was intended to improve the nation’s cyber security. “The President gave the proper guidance on designing a Cybersecurity process that will work, and government agencies are trying to comply, but they are having fundamental issues.
“A lot of the effort is being delayed because the Presidential guidance forces a redo of what agencies have been doing for years,” notes Szablowski. “They really need to go back to basics and revamp their programs and work efforts.” He recognizes that such change is complicated and “requires a different approach” to the issue of cyber security.
“The FAA debacle ostensibly resulted from a keystroke error. The fact that it was only one file that was corrupted, and it managed to ground all the flights in the nation, and there was no readily accessible backup in place, is a huge issue.”
Grounding aircraft across the U.S. was an extreme measure, but required for public safety. What solutions must be implemented to prevent human error incidents such as this, as well as targeted, potentially tragic, attacks?
With Executive Order 1408, major U.S. government agencies currently have a mandate to change their approach to cybersecurity. “The mandate imposes the requirement for a zero-trust architecture,” says Szablowski, noting that Zero Trust defines a very secure type of computer network architecture.
Known as Zero Trust (Access, Security, Architecture, Authentication or Network), Kitchener-based Blackberry defines it as a cybersecurity framework that requires users prove who they are, that their access is authorized, and that they’re not acting maliciously before they can access an organization’s digital assets and network.
Not surprisingly, Zero Trust has risen in prominence as a means to protect an organization’s data and people – especially as remote work and cloud-based services become the norm.
Eracent’s Szablowski says that major U.S. government agencies can’t comply because their present tools and processes do not support Zero Trust. Companies such as Eracent can provide the process and tools to implement a Zero Trust architecture but, in order to be effective the organizations must different operating methods. “It should be easy because they realize that what they are doing is not working.”
To accomplish the highest level of cybersecurity efforts, “specific activities need to be defined and managed,” asserts Szablowski. “Technology must be applied, the whole effort must be continuous, measured, and undergo constant improvement. Eracent supplies the required management tools and processes to make the effort to achieve the desired outcome.”
The January incident raised questions about the security of a government agency’s software system – not only how to implement measures to prevent human error but also to how to guard against targeted cyber attacks.
Former ultra-secure phone system developer, Blackberry is now focused on IT security. The company notes that Zero Trust Security isn’t a single product or service but a methodology backed by an ecosystem that revolves around how identity is articulated in an organization.
Blackberry notes that implementation involves three broad stages:
- Visualization. Most organizations have a good idea of the resources available inside its traditional network perimeter. But Zero Trust requires understanding all resources, their access points, and the associated risks involved. An inventory of available resources should include all the services employees use, both on and off premises.
- Mitigation. Once the full range of resources used has been mapped, the next step is to detect and stop associated threats, or mitigate the impact of a breach, from each of them. Mitigation involves setting comprehensive policies.
- Optimization. The final stage of implementation extends protection to every aspect of IT infrastructure and every resource, whatever its location or the locations of the user accessing them.
This last stage is intended to enhance the experience of end users and administrative teams and to make the Zero Trust Security as seamless as possible and as close to the Zero Touch ideal as possible: “Never Trust. Always Verify”.
Basic challenges may be changing the culture to embrace implementing Zero Trust, as Eracent explained for us. It also involves, as Blackberry highlights, the IT challenge of technology integration. Owned and third-party platforms and can easily derail a Zero Trust implementation.
Furthermore, the rapidly evolving threat landscape can potentially lead to challenges with technologies that are limited in deployment modality and usage tracking. Deployment is the mechanism through which applications, modules, updates, and patches are delivered from developers to users. The methods used by developers to build, test and deploy new code will impact how fast a product can respond to changes in customer preferences or requirements.
Szablowski recognizes the necessity of the right processes and the importance of discovering the data, defining the network, and putting them in the processes. To implement Zero Trust and for it to be effective, it is important to choose a company that has all the systems one needs to effectively put these processes in place, he concludes.
K. Angus is a freelance writer whose primary focus is on public safety and cyber security.