Recently, for the SSE Forum, I had the pleasure of talking to Dr. Zero Trust, aka Chase Cunningham, about how he started his journey in IT and security and his advice to others getting started. When asked how he got started, Chase explained that the short answer was that he got extremely lucky, that people had helped him out along the way, and that there was a calamity of errors he managed to capitalise on.
He went on to say that the turning moment came in the US Navy: commandeering a laptop he wasn't supposed to have, reconfiguring a piece of equipment he shouldn't have touched, and being found out for something that was essentially illegal. Instead of sending him to Leavenworth, they figured he might have some value and put him into the cryptologic services. So, a calamity of errors he capitalised on, and a group of people who thought they might get some use from him at some point in his life.
Chase started off as a diesel mechanic and a firefighter. He had nothing to do with IT at all, and when he was found out doing what he shouldn't have done he called his mum and explained that he might be going to Leavenworth. He was 23 years old and very serious! He explained that luckily they saw an opportunity and converted him from being an engineman to being a cryptologic technician. They moved him to Florida and put him through two years of schooling in five months. He said this was typical in the Navy: drink from a firehose whilst underwater.
I asked Chase if the incident with the laptop was the first time he had used a computer, and he explained that it wasn't. When he was in high school in a farming town in middle-of-nowhere Texas, the school had a computer lab, and the lady who was his typing teacher was told she had to set it up. She needed help, so he and two other kids read the manuals and set up the computer lab for her. That was his first exposure to computers: some very basic networking and connectivity stuff.
I then asked Chase if he intended to get into IT when he obtained the laptop or if he was just a ‘naughty boy’. After laughing, he explained that, like everyone else, his intention was to make his life easier. The piece of gear he was using had been configured by a bunch of contractors, and as the operator he felt they had set everything up wrong and that he knew the system better. He knew what the system was supposed to do, it kept erroring out, and he was the one who had to wake up and go and manually fix it. He knew it was configured wrong, that they had screwed it up, so he went and changed it. According to the regulations this was illegal and wrong. However, it worked, and it worked like a champ.
When Chase left the Navy he teamed up with John Kindervag, who he was already friends with, on Hackers vs Executives as the hacker. He commented that this was around 2013, and John was already talking about zero trust at this point, but he wasn't getting any faithful looks at it. People just felt it was the next new thing, so what.
I explained to Chase that I felt I had made the issue we see today bigger, given I had spent almost all of my career joining networks together! I have literally increased the attack surface for ransomware, because zero trust wasn't something that was talked about in the UK. It's only really been in the last few years that we have started to hear people talking about this ‘strategy’ in the UK, and it's only just starting to be an approach people actually use.
When asked if this was what he was seeing in the industry, Chase explained that this did seem to be the norm outside of the US, but that things are changing fast now. He commented that just that day he had read a report that adoption of zero trust in APAC, a region which tends to lag behind the rest of the world in cyber, is up 27% year on year. This means that 1 out of 4 organisations are working towards zero trust.
Chase felt the watershed moment in the US was earlier this year, when the Biden Executive Order 14028 came out and said to the federal government, ‘Thou shalt adopt Zero Trust’. He felt that the reason this matters is that, whether we realise it or not, everyone subscribes to how the federal government deals with cyber security, for a variety of reasons. The federal government is the one actively engaged in conflict in cyberspace and being targeted a million times a day, so if they are doing something, everyone will move to that model as they prove it makes sense. Then comes the trickle-down effect: the government does it, the big enterprises do it, and over time medium and small companies move into that space.
Chase also felt that the last thing driving this is the move to remote work during the pandemic. We had to survive the initial onslaught of the covid stuff and create a model that worked. We have now proven that it works, and that it is better than sitting in traffic making yourself miserable to go to an office, but now we need a security strategy that aligns with it so that it works collectively.
When Chase looks at ZT he never looks at it as an enterprise defender, as he always thought defense was comical as a red teamer. He has never found an enterprise whose ‘perfect defense’ was really that perfect. Looking at it from a red teamer's perspective, he would always think ‘if they did these things my life would really suck’, and that's when he really saw the value proposition of zero trust. It's not about perfect defense, it's about removing what the adversary needs to be successful.
I explained that I felt things had changed in cyber the same way they have changed with stealing cars. You used to be able to steal a car with a paperclip, so the manufacturers made it harder, which meant thieves then broke into houses to steal the keys and then steal the cars. We created firewalls, and they did their job, so attackers simply found other ways into businesses, either physically or with ransomware. Large global networks made this even easier.
Next, I asked Chase where he felt was the best place for people to start their zero trust journey. John Kindervag had been very clear when asked the same question: ‘it doesn't matter where you start, it matters that you start’. Chase explained that the zero trust strategy should fit your requirements. You have to do things for yourself, within the limitations you have. You need to understand where your risks lie, your real risks, not the ones you think you have. You have to understand what has value to the adversary, not necessarily what has value to you, because this is not about you, it's about what they want. Then you apply controls around that paradigm.
He went on to comment that he believes the easiest thimble to boil is identity and access management. He believes this runs counter to what most people think, but when you look at the data and statistics the biggest things out there are password reuse, compromised assets and logins, and lack of MFA. Those are the things he feels people can put in place today that will make the next steps easier. If you have bad IAM, the whole system is flawed.
I explained that I felt it was essential for us to train the younger generation, as they are growing up in a world where technology is all around them and they don't see the risks that we do. Everyone is on social media, they watch streaming services, and literally everything they own is now somehow connected. Chase agreed that it is essential that we educate the younger generation.
All the younger people entering the workforce have never had a day without Wi-Fi or without connectivity. They are categorically not into technology itself but into the use of technology. Having them understand what to do and why it's important to them is critical. However, as the people slightly ahead of them on the career curve, we should be making it so that security and security operations are built into the experience.
Chase felt that we need to get away from the practice of everyone having to be a security engineer. The kids coming in get the value proposition of a security solution if it's an integrated experience and it solves a problem they understand. Many of them already know how to use MFA on the games they play, so we need to keep adding these levels of security to the tools they use and explain why they need them.
I then asked Chase if he thought that by fixing the easy things in companies first we are actually guiding attackers to the best place to attack. His comment was that moving your company to ZT is very good for your company, but now that companies have many connections to other companies, their dirty laundry is in your hamper. So you also have to push these controls into the areas where you can manage what's going on and make sure you can limit your exposure. It's unlikely you will ever get to zero, but you should get close to what could be called manageable trust. He explained that the best approach is to make your organisation more difficult to compromise than others.
A rising tide lifts all ships, and if you decide not to get on that tide then it's going to be a bad day for you: you will be the low-hanging fruit. He commented that the companies taking on zero trust initiatives are not the ones you hear about on the news. They are not the ones dealing with mega breaches, whereas all the little folks who didn't think anyone would care about them are being ripped to shreds by things like ransomware and phishing. The proof is in the pudding. Any weakness in the supply chain and you are all potentially in trouble.