Reaction to DHS' Mayorkas Address and Cybersecurity Zero Trust Model

On March 31st, Alejandro Mayorkas, Secretary of Homeland Security, gave a virtual address hosted by the RSA Conference. In his remarks, Mayorkas outlined the Department's vision for the cybersecurity work that lies ahead for both the federal government and the private sector. It's a worthwhile read, with some clear directional implications for how his team plans to address growing cybersecurity threats, build public/private partnerships, and prioritize the work that lies ahead. It also, no surprise, leaves a few questions unanswered.
It wasn't all cyberpolicy and bluster. Mayorkas' intention to use "sprints" as the framework for the Department's execution of initiatives was refreshingly tactical. If you're familiar with software development vernacular, you'll recognize "sprints" as a cornerstone of the agile software project management framework. By co-opting the term, he’s signaling that he’s serious about getting things done. That’s encouraging, and his choice of ransomware for the first sprint is spot on. As Mayorkas noted, ransomware’s a particularly cruel attack.
Tackling ransomware is a moonshot that’ll up the country's overall security game in many ways. First, it has the potential to inspire cross-disciplinary solutions across the industry. A unified response would combine and focus disparate security technologies ranging from IAM to forensics to data access governance (and more, of course) on the problem. Cross-pollenation drives innovation and we’ll all benefit from it. Second, it's likely to extend the zero trust model more broadly across IT assets well beyond the network. Data access governance, for example, benefits from zero trust applied on a per-file basis, which reduces exposure to human error (end users make most access decisions for unstructured data) and makes it harder for cybercriminals to leverage compromised information for phishing, social engineering or direct compromises. Zero trust thinking is going to be a big part of any solution.
Down the road, the Secretary’s later focus on workforce, industrial control systems, transportation and election security will each have a different impact on the cybersecurity industry. I’m excited by his visionary focus on diversity as a source for cyber talent. We need expertise, and that expertise can (and should) come from all corners of our society. Mayorkas also specifically cited supply chain threats as a major concern for his department - but beyond highlighting the need for zero-trust architectures as one strategic response, he didn't provide much elaboration on plans for this specific threat. Supply chain threat reduction is an obvious nexus for public/private partnerships (or mandates should the feds choose to get more directive), and I'm keenly interested to see how CISA and the DHS will view their leadership role.
Somewhat surprisingly, Mayorkas did not share any plans for addressing growing concerns about data privacy. Perhaps that's because there's less of a good guy/bad guy adversarial dynamic in this space, which puts the topic more in the policy sphere than the technology sphere. Will there be a country-wide GDPR or CCPA? Mayorkas' silence on the question probably means the answer lies more with the lawmakers and not the CISA ponytails.
Which leads me to something else I'm wondering about. Mayorkas positions CISA as “the quarterback on [the government’s] cybersecurity team.” Five years from now, will CISA look more like the CDC (with a focus on expertise and guidance) or the FCC (with a more regulatory mission)? Seems a little clearer after the Secretary's talk that the agency’s going to tilt more towards expertise and execution than regulation as it establishes its footing. Perhaps that'll change if Congress gives the agency more substantial regulatory responsibilities (which could be in the cards in the privacy arena).
Finally, I have two different (but not necessarily mutually exclusive) projections about what public/private security partnerships will look like under Mayorkas' leadership. And one thought on a cybersecurity mission that only the government can legitimately play - and whether we ought to be concerned about it.
Private/public partnerships around ransomware are likely to feature a cooperative model, with DHS/CISA sponsorship of best practices, talent development, and perhaps standardization at critical technology intersections. You can expect CISA to work closely with state and local governments, as well as critical infrastructure providers like hospitals, to spread expertise and establish best practice defenses.
These same partnerships, when addressing supply chain threats, are likely to be far more proscriptive. The Solar Winds compromise exposed highly sensitive government assets and I expect CISA to put its foot down. New requirements for solutions purchased with federal dollars are likely and a more heavy-handed approach to technology acquisition will not be surprising. And just as California auto emissions laws effectively set standards across the country, a federal purchasing mandate to lower software supply chain risks will set the bar across the entire IT industry. It's critically important they get it right.
In parts of his address, Mayorkas used some notably bellicose language: "We must condemn [cybercriminals] for [their attacks] and remind them that any responsible government must take steps to prevent or stop such activity" and "We will do everything we can to prevent and respond to these horrendous acts" and "we will strengthen our capabilities to disrupt those who launch them and the marketplaces that enable them."
Are these signals of a more aggressive posture towards non-government cyber criminals? The power to wage offensive counterattacks rests with (and should rest with) an accountable government. Are the gloves are off? Will we see more aggressive targeting of actors beyond typical nation-state targets? Maybe even domestic miscreants? I'm loathe to admit it, but ransomware attacks trigger a knee-jerk desire for Tarantino-style revenge in me. But offensive countermeasure deployments need oversight, and I hope Mayorkas acknowledges that need in the coming months and years.
For Concentric, our focus on data access governance is a big part of the cybersecurity roadmap ahead. Ungoverned data access gives cybercriminals a foot in the door and we’re committed to doing our part to plug those gaps. Interested in learning more? Check out our Data Risk Report to see what we're seeing in the world of unstructured data.

Get the latest from Concentric!