Australia and New Zealand shouldn't rush to follow White House zero-trust cybersecurity strategy
Australia and New Zealand shouldn't rush to follow the White House's new zero-trust cybersecurity strategy, says Nozomi Networks.
Nozomi Networks says that while it welcomes the White House's announcement finalising its zero-trust cybersecurity strategy to improve U.S. Government agencies' security posture, it cautioned that the strategy is ambitious and advised other governments, including New Zealand and Australia, to take a wait-and-see approach.
Nozomi senior director Gary Kinghorn says those governments should first let either industry bodies, such as the NZSA and ACSC, or commercial companies sort out their requirements. He also suggested organisations could be better served by tax incentives to spend on enhanced security for critical infrastructure, without a particular technology or security model being specified, which would be a different approach from that taken by the US.
"The near-term deadlines – including the creation of reliable asset inventories – build out some general best practices and all seem fairly reasonable," says Kinghorn.
"Going deeper, four years to zero trust is a very ambitious goal – and a strategy that will no doubt continue to evolve as government agencies dig in," he says.
"The strategy published today rightly acknowledges that moving toward a zero-trust model is a significant disruption to existing network policies and will require lots of changes," Kinghorn says.
"Since most infrastructure used today was designed under the old 'castle-and-moat' security model, there's no easy way to just bolt on zero trust. It will take a lot of work and funding to get there, and expect to see hidden roadblocks and re-directs along the way."
Kinghorn says, "The bigger question may be: 'can we expect to see the Government apply this same model and requirements to energy, electric utilities, transportation and other US critical infrastructure?'
"From that perspective, while today’s memo outlines reasonable guidelines to use as a starting point, different applications and industries will undoubtedly have to tweak the requirements to best fit their needs, budgets and timelines," he says.
"I believe other governments should take a wait-and-see approach and let either industry bodies, such as the New Zealand Security Association (NZSA) and Australian Cyber Security Centre (ACSC), or commercial companies sort out their requirements," Kinghorn says.
"The government specifications in the U.S. are not well-tuned for a diverse set of applications and environments and may prove more costly than the benefit warrants. Zero trust is a costly undertaking and it has not been widely adopted, let alone universally adopted, throughout the commercial sector, so it may be too early to mandate for various A/NZ government and government-regulated sectors.
"Could organisations be better served if they were given tax incentives to spend on enhanced security for critical infrastructure, without specifying a particular technology or security model, letting those organisations sort it out for themselves?”