Event Summary: 

On Friday, December 4, the R Street Institute hosted a panel on zero trust networks, encryption and how to create a cyber secure America. R Street’s Cybersecurity and Emerging Threat Senior Managing Fellow, Tatyana Bolton, was joined by Ciaran Martin, CB, the former head of the U.K.’s National Cyber Security Centre, Chris Inglis, commissioner for the Cyberspace Solarium Commission, and Wendy Nather, head of Advisory CISOs, Duo Security at Cisco.

Martin started off the event defining the concept of zero trust networks before reminding that it is important to clarify what we mean when we talk about trust and security. “Semantics occasionally can be important. And there’s a difference between trust and trustworthiness,” he argued. “Trustworthy will mean things like the intent of an organization or company (…) for example, do you trust the board of directors, its adherence to the rule of law? Not quite the same thing in security architecture terms as trust.” Whereas discussion of issues like supply chain security center around “is this supplier trustworthy?” when it comes to network security, it is important to assume networks are “inherently vulnerable” and that any piece of equipment could fail. Due to this, systems will be more secure if everyone assumes you cannot trust anyone and requires authentication.

Inglis further elaborated on the vulnerabilities of these network systems. “We’ve learned, time and time again (…) the human being is a component of that system.” And the number of vulnerabilities in a network are only expanding as society embraces new technology like 5G and the exponential growth of IoT devices. He pointed out that it was important to look at how technology was changing in order to determine the necessary security strategies needed to insure we could “trust” the networks or devices. Nather mentioned that adoption of zero trust networks was slowly being adopted. According to her research, “39 percent of 4800 respondents globally {were} saying that they were going all in to zero trust and another approximately 39 percent said that they were starting on that journey.”

The panelists also discussed the important role encryption plays in zero trust networks. Nather mentioned encryption is increasingly important thanks to increased use of cloud infrastructure. She pointed out it is crucial to ensure encryption is being used and that companies have not always done a great job making sure data was properly encrypted in the past. “We’ve treated it as a black box and kind of assumed they were doing the right thing. When they weren’t.” Inglis discussed how a second version of the Cyberspace Solarium Commission might address encryption, pointing out that while, “aligning encryption’s benefits which are enormous and essential in the potential harm that accrues from the misuse of encryption,” would be an attractive proposition, “it’s not properly constituted at the moment to do that.” Instead, Inglis suggested that the commission needed a wider array of representation from various persons and organizations. Martin admitted there are “sometimes very dismissive tones about the damaging real world consequences for law enforcement and national security agencies of ubiquitous end to end encryption” but he also argued that the “balance has to align with better security.”

Nather mentioned that from her industry perspective, concern about security is growing. “Over time, we’ve seen a lot of basic security functions that are now being built in at the operating system level or at the application level.” She also argued that security could not lie solely in the hands of companies. “Technology is now in everyone’s hands. It is now democratized and therefore we need to democratize security.” The panelists agreed it was crucial for our society to empower people to be able to make their own security decisions. To do so, Martin concluded, “We’re going to have to change the way we do business while protecting the free and open market (…) it’s going to be hard, but not impossible.”

Image credit: vs148