'You have to encrypt everything': Public sector security in the zero-trust age
Years of high-profile breaches have spurred movement – at least overseas
In an age of “when,” not “if,” for cyberattacks, we can’t outsource security and call it done. The work begins at home, says Richard Appleyard.
In May 2021, Russia's Darkside ransomware group attacked and shut down Colonial Pipeline, which transports nearly half of all fuel consumed on the US East Coast.
The fallout was immediate: queues formed at petrol stations and prices rose, requiring the federal government to step in.
The incident prompted an immediate policy response, as well as a physical one. The Biden administration released an executive order requiring federal agencies to develop a plan to move towards a zero-trust architecture, and the rollout began in January the following year.
The idea was that zero trust would trickle down from the federal level to the state, to the local level and then out to the private sector. It's working - but at a glacial pace.
Oregon's state-level public sector is rolling out its own zero-trust architecture now, which Richard Appleyard - who has worked at the City of Portland, Oregon Secretary of State and Oregon State Police - says is "one of the big things" the state is dealing with in terms of IT.
"I think we're really grappling with what zero trust means to the enterprise. And there are a number of different competing architectures out there...so, in my particular case, I'm just waiting for the enterprise to make a decision on some of that stuff, rather than go pick something and then have to have them pick something else."
Although Oregon was already moving to zero trust, the MOVEit cyberattack this summer spurred the state to move faster. Millions were affected when the Oregon Department of Transportation and a health sector data management firm were caught up in the incident.
The MOVEit breach was a supply chain attack, and could potentially have been mitigated or prevented with an appropriate approach to third-party trust.
"That [attack] demonstrated the problem where you shift out the responsibility to that third party. Who's checking on the third party to make sure they're securing their systems?"
In the modern age, where a security breach is more a case of "when" rather than "if," it's not only systems that need protecting. Your data also needs dedicated security. That starts at home, says Richard.
"You have to make sure that everything is encrypted, in transit and at rest.
"I think one of the challenges with the [MOVEit] breach that we had was, obviously the vendor was encrypting [data], but if the bad actors get a hold of the encryption keys, they can look at everything transiting.
"If we had just made sure we were encrypting the stuff that we were giving them, [the attackers] would have decrypted the transit and it still wouldn't make any sense."
Governments around the world, including in the UK, have been wary of encryption, afraid that it will allow criminals to operate undetected. There have even been efforts to legally compel companies to build backdoors into their encryption - which have been consistently defeated.
"If you put those in then you're just giving the hackers another attack surface to go after, right?"
At the end of the day, Richard believes that trust and encryption are equally important.
"I think the biggest problem with the cloud...is 'who holds the keys?' Technically you want a vendor who's hosting it, but it's not necessary for them to have access to all your systems - because they don't need to. They're just managing the bits and bytes; they don't need to see anything."
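Richard's two points above, encrypting data before handing it to a vendor and keeping hold of the keys, as an added Go example that is not from the article or any Oregon system: the agency seals a record under a key it never shares, the vendor wraps that payload again for transit, and the function returns what a party holding only the vendor's transit key can recover. The agency/vendor naming, AES-256-GCM as the cipher, and the keys and record supplied by the caller are all constructed assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD { // AES-GCM from a 16/24/32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return g
}

// seal encrypts plaintext under key and prepends the fresh random nonce.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or a modified blob.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// ExposedToVendorKey models the handoff in the article: the agency may first seal
// the record under its own key, then the vendor wraps the payload with its transit
// key. It returns what a party holding only the vendor's transit key recovers.
func ExposedToVendorKey(agencyKey, vendorKey, record []byte, preEncrypt bool) []byte {
	payload := record
	if preEncrypt {
		payload = seal(agencyKey, record) // agency layer; this key is never given to the vendor
	}
	exposed, err := open(vendorKey, seal(vendorKey, payload)) // transit layer stripped with the vendor key
	if err != nil {
		panic(err)
	}
	return exposed
}
```

With `preEncrypt` false the vendor key alone yields the record; with it true the same key yields only the agency's ciphertext, which still opens correctly under the agency key.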