Industry urges agencies to accelerate zero trust adoption after SolarWinds hack

Written by Dave Nyczepir

The SolarWinds hack could prove the spark that gets agency holdouts to adopt zero-trust security and hastens additional guidance from government, cybersecurity experts say.

Pandemic considerations delayed the National Institute of Standards and Technology’s work on zero-trust reference architectures that will help agencies know what security tools to deploy.

Cyber experts hope that work will accelerate in the wake of one of the most serious incidents of digital espionage in U.S. history and that, in the meantime, agencies will consult the special publication on zero trust that NIST finalized in August.

“We can’t see federal agencies kick this thing down the road anymore,” Stephen Kovac, vice president of global government and compliance at Zscaler, told FedScoop.

Zero trust could not have stopped the SolarWinds hack, which occurred when Russian hacking group APT29, or Cozy Bear, added source code into the tech company’s Orion software build process in a supply-chain attack. SolarWinds’ updating system was then used to push out malware compromising at least eight agencies.

But zero trust could, and did, mitigate that malware’s ability to spread across networks, cyber experts say.

“If SolarWinds would have happened a year ago or two years ago, I think agencies would have had a lot more consternation about it,” said Sean Frazier, federal chief security officer at Okta, in an interview.

Many agencies have started work improving their identity and access management, a component of zero trust, Frazier said.

But zero trust is a collection of solutions including cloud workload protection, micro-segmentation and secure access service edge (SASE) capabilities that provide agencies with full visibility and allow them to enforce consistent security policies across their networks.

Agencies with a zero-trust capability like SASE could’ve prevented malware from sending information out via the internet, but many agencies stop at one or two such capabilities. About 18,000 organizations were infected, though not all of them have…