America, the corporate world, and every one of us is at risk. This may sound ominous, but it’s true. You may recall the complete stoppage of all flights throughout the United States not too long ago. This was due to a corruption of the Notice to Air Missions system, or NOTAM. Not only did it affect the US, but it also affected the rest of the world (for international incoming and outgoing flights). While some viewed this event as a minor inconvenience that had ripple effects for a few days, believe me, this is a BIG DEAL and should have us all worried.
Why did this happen? It was announced that a single file got corrupted in the NOTAM system, which caused it to crash, and it took a few hours to restore the system to normal. So what? Sometimes “stuff” happens, and we deal with it. Not so fast. The rumor mill has stated that while the FAA announcement was true, it was only partially true. So how did the file get corrupted? There is suspicion that the NOTAM system may have been hacked by ransomware; thus, the file got corrupted before it was caught. It is likely that if it was ransomware, the malicious code was introduced through “human error,” i.e., someone may have clicked an email link promising to show something innocuous (the cutest picture of a cat you’ve ever seen). You may recall the SolarWinds hackers targeting NASA and the FAA.
“How does this affect me?” you may ask. Besides interrupting your or your company’s travel plans, what other part of the infrastructure had this issue? The electric grid? The municipal water system? The hospital system? This problem affects us all in more ways than we can imagine. What do we do about it? This brings me to the concept of “Zero Trust.”
Zero Trust can be broken down into four words: Never Trust, Always Verify. This means no person, computing device, network, or application is assumed to be good to go. Nothing is trusted until it is validated.
Isn’t Zero Trust just another technology that the government or a corporation deploys and that, like magic, protects everything? No. Think of Zero Trust as a philosophy. The government and our corporations have hundreds of tools. Each of these tools does something specific for cybersecurity. They are also very siloed and are independent of each other. For example, your antivirus protects against software viruses; policy gateways ensure the right employees have access to the right applications, etc. What is missing is a policy that oversees the entire organization’s cybersecurity risk, considering ALL the security solutions they have deployed.
This is where Zero Trust comes into play. The organization needs to implement a cybersecurity framework based on roles. Each role is assigned specific key performance metrics for controls, policies, practices, ownership, transparency, and audit. This allows all owners to take on areas specific to them and assign further ownership to subordinate items.
Let’s make an analogy everyone can understand. I have a restaurant, “Diesel’s Best Coffee and Snacks.” I have a head chef (whose name happens to be Michael). He’s responsible for ensuring that the food prepared in the restaurant is safe and that only the proper cooks and servers are allowed into the kitchen. In the old days, the chef just had a lock on the back door, and everyone in the kitchen was assumed to be authorized to be there. This is like how traditional network security works. You have a firewall, and everyone and everything in the firewall is assumed to be authorized to be there.
Now let’s add Zero Trust to the kitchen. Chef Michael would now have many security processes in place to ensure the food is safe. The staff must wear gloves, hair nets, and face masks. They must not be sick. Michael would also be constantly verifying that everyone in or coming into the kitchen is supposed to be there. Maybe Michael instructs everyone to use a fob to open the doors. Chef Michael would also be constantly looking for unusual behavior. Is someone bringing in food or ingredients he didn’t verify he ordered? This is similar to Zero Trust processes in a network where you are constantly verifying that people, devices, and applications are properly authorized to be on the network.
What is Chef Michael’s overall process? There are many details and independent procedures for Chef Michael to track. Each staff member may not know what the other member is doing as they may be operating independently of each other. He is taking all these disparate people, materials, processes, and procedures in his kitchen and bringing them together from a top-down management perspective to have a complete view of the overall risk position within his kitchen. This is the very definition of Zero Trust Resource Planning (ZTRP).
If our government had this philosophy implemented, they would have seen that there was a single point of failure in the NOTAM system and would have implemented controls to ensure that if files get corrupted, the system could seamlessly switch over to the backup in real time with no interruption. This is called a high availability architecture.
I hope the NOTAM failure is a lesson learned for the US and the world. If we don’t adopt this approach to cybersecurity, the next event could be catastrophic.
William Choppa is the CEO of Eracent and a member of its Board of Directors. William is leading the organization, recruiting and developing strong leaders in various functional roles, and communicating Eracent’s vision to co-workers, current and future customers, and the larger cybersecurity and ITAM communities. Since joining the company in 2004, he has been passionate about the evolution and refinement of Eracent’s solutions, based on lessons learned from working with customers and partners.
Prior to joining Eracent, William was President of MCSI, a management consulting practice offering deployment and customization services. He has held positions with IBM and several technology companies, as well as the National Aeronautics and Space Administration. William holds a BS in Aerospace Engineering from Embry-Riddle Aeronautical University.