5 Key Insights from Frank Konieczny on Implementing Zero Trust for Federal Agencies
As cyber threats evolve, federal agencies must adopt robust defense strategies. In an exclusive interview, Mike Pereira, Chief Strategy Officer at vTech Solution, explores cybersecurity with Frank Konieczny, former Chief Technology Officer at the Air Force. Konieczny highlights the critical importance of Zero Trust Architecture (ZTA) and shares practical insights on the current cyber landscape. From the rise of ransomware to implementing ZTA, this conversation is essential for anyone concerned with federal cybersecurity.
Welcome to Part 1 of our exciting interview series!
Mike Pereira (MP): In our last conversation in 2022, we discussed the Federal mandate for agencies to implement Zero Trust Principles by 2024. Can you summarize the key points we covered in that interview, especially concerning the primary cybersecurity threats like ransomware and DDoS attacks?
Frank Konieczny (FK): Yes, we discussed how the government shifted towards Zero Trust because of those attacks. There wasn't an easy way to block them, particularly ransomware, which remains a significant threat. Even though ransomware attacks were more prevalent two years ago, they are still widespread today—around 20% across the board. They’re increasingly targeting large organizations, like banks and hospitals, because they can extract higher ransom from them. Additionally, DDoS attacks, though a simpler form of disruption, have also been persistent. They are one of the easiest ways to disrupt operations. If a DDoS attack hits your site, nobody can access it, wiping out your online presence temporarily.
MP: Right, and to your point, everyone’s Social Security number has been compromised at some point, hasn't it?
FK: Exactly. Many systems have been breached through ransomware, leading to large data releases, including sensitive information like Social Security numbers.
MP: You've emphasized the importance of Zero Trust Architecture (ZTA) in mitigating cybersecurity threats. Could you briefly explain what ZTA entails for our new listeners and why it's so critical in today's cybersecurity landscape?
FK: Zero Trust is not a magic bullet, nor something you can buy off the shelf. Its philosophy is to manage cybersecurity through various tools, policies, and processes. The fundamental principle is to 'never trust, always verify.' The key to Zero Trust is verification at all levels—whether it's users or non-person entities (NPEs), like servers or backup devices. These can be potential threat vectors if not properly verified. If you don't know what device you're backing up data to, you could unknowingly send it to someone with malicious intent.
FK: Additionally, you need to ensure that all devices connected to the network, such as laptops, are secure and running the latest updates. Outdated devices are a frequent entry point for attackers. Networks should be encrypted across the board, which leads us to the concept of micro-segmentation.
MP: Yes, I've heard you mention micro-segmentation before.
FK: Micro-segmentation ensures that a user can only access the specific application they are supposed to. This reduces the risk of lateral movement if a breach occurs. By limiting access, agencies can prevent a cybercriminal from moving through the network and exploiting various systems. This focus on compartmentalization makes ZTA a compelling option for organizations looking to minimize damage during a breach.
MP: Since our last discussion, how have the primary cyber threats evolved? Have you seen any new trends or tactics in ransomware and DDoS attacks?
FK: Phishing has gotten worse, especially with AI being used to generate more sophisticated phishing attacks. Nowadays, attackers can create realistic videos showing someone you trust asking for sensitive information. It's becoming increasingly difficult to distinguish between legitimate requests and malicious ones. Phishing now includes emails, texts, phone calls, and even videos. Ransomware is still a significant problem, especially for large institutions like hospitals and banks that are more likely to pay a ransom. Though slightly less common than before, ransomware accounts for about 20% of cyberattacks.
MP: That’s a great point. With AI-generated videos, it can seem like you're talking to a real person. How do we counter that? Do we need to pick up the phone and verify in real time?
FK: Almost, yes. It’s similar to two-factor authentication—just like how banks now require both your password and a fingerprint or send you a text message for verification. It's challenging to detect fraudulent videos, but always look at the source, the URL, or even slight misspellings that might give it away.
MP: You also mentioned the Internet of Things (IoT) as a growing attack vector. Can you elaborate?
FK: Yes, IoT devices—like smart thermostats or security cameras—are often connected to home networks without much security. Many people don’t segment their home network, so if an IoT device is compromised, attackers can access everything else on the network. The HVAC system, for example, has been used in past attacks because it's often overlooked. Once they gain control of a device, they can move laterally across the network to gain access to sensitive data.
MP: What would you recommend to the average family to protect themselves?
FK: It's not easy, but one of the most effective ways is to place IoT devices on a separate network. It might be messy to set up, but in the long run, it's worth it to avoid potential security breaches.
MP: And most people wouldn’t even think to do that. The average consumer might need professional help with that.
FK: Exactly. It’s not something most people can manage on their own, but it's necessary to minimize risk. For those who aren’t tech-savvy, seeking professional help to set up secure home networks is a wise investment.
MP: Let’s talk about advancements in Zero Trust Architecture (ZTA). What changes or developments have you observed in implementing ZTA over the past few years? Also, are there any new best practices that organizations should adopt?
FK: We’ve seen improvements, but much of the progress has been about following guidelines provided by NIST or other institutions like the Department of Defense (DoD). While there are some advancements, particularly in authentication systems like two-factor authentication, we’re still in the process of evolving ZTA from theory to practical, foolproof solutions. One of the significant advances is in how biometric security systems are being adopted. For instance, the use of facial recognition and iris scans has become more common, but it’s not without its challenges.
MP: That’s interesting, especially with how rapidly things are advancing. Could you give an example of how organizations are improving their security processes?
FK: One example is Login.gov, which follows a similar approach to other multi-factor authentication systems. But we’re also seeing growth in authorization systems that manage access automatically based on user attributes. For example, if someone leaves an organization or gets demoted, their access is revoked immediately without the need for manual intervention. Historically, revoking access has been a major issue. Often, someone who left the organization two years ago still has access simply because nobody updated their permissions. With automated systems, we’re closing that gap.
MP: Let’s talk about the shift to remote work. Recently, the Office of Personnel Management (OPM) mandated that federal employees return to the office for three days a week. While it's good to see employees coming back, once you open Pandora’s box, it's hard to close it again. Remote work has changed the landscape and continues to present cybersecurity challenges. How have organizations adapted their security strategies to address remote access and mobile device vulnerabilities?
FK: Organizations have taken several approaches, though none are perfect. One of the primary tools for managing mobile device security is Mobile Device Management (MDM). MDM solutions can segment data and access control on the phone, separating company-related activities from personal use. For example, an employee can access company resources securely via MDM. Once they disconnect, the phone reverts to normal use without retaining any company data. This creates a clear separation between personal and professional information, reducing the risk of a breach.
Another tool is Virtual Mobile Infrastructure (VMI). VMI allows data to be displayed on the device as a screen but not stored locally. So, if someone loses their phone, the sensitive information isn’t stored there—it was only displayed from a secure server elsewhere. However, this requires solid throughput and network connectivity, which can be challenging depending on the location.
MP: It sounds like there are still difficulties with managing home devices when employees bring them back to the office. What happens when remote employees bring their iPads or home computers back into the office and try to connect them to internal networks?
FK: That’s a real risk, and organizations need to enforce strict policies that prevent personal devices from connecting to the internal network. As employees return to the office, we’ll see more of these challenges. Network monitoring solutions that provide awareness of which devices are trying to connect can help mitigate this risk. If an unknown device attempts to connect, it can be automatically disconnected to prevent potential security breaches.
MP: You’ve previously emphasized the significance of supply chain and insider threats. How are organizations currently addressing these challenges, and what improvements have you seen in this area?
FK: Supply chain management has indeed improved significantly. Organizations are now taking meticulous steps to track everything in their inventory. One major issue we often observe is that many organizations don’t fully understand their inventory’s status. While they may have a high-level overview, they often lack details like the version numbers of the software or hardware they possess.
MP: That’s true.
FK: The first step is understanding your inventory—knowing exactly what you have. Once that’s in place, the next step is identifying any vulnerabilities associated with those items. For example, certain software versions might have known security issues that need addressing. This level of awareness is crucial for effective remediation.
Another growing concern is when proprietary software includes open-source libraries. Even if a solution is proprietary, it might rely on open-source components, so it’s important to track and monitor these libraries for vulnerabilities. Today, there are tools that can analyze software to pinpoint these open-source libraries. If a vulnerability arises in one of these libraries, it needs to be remediated immediately.
MP: That sounds like a complex process.
FK: It can be. Hardware tracking presents a similar challenge. Organizations must know not only what assets they own but also where those assets originated—eventually, even down to the chip level. We’ve encountered situations where companies purchased equipment only to later discover that some components came from countries they weren’t expecting, which poses significant security risks. This knowledge allows organizations to make informed decisions about how to handle such issues.
MP: Exactly. We’ve seen organizations conducting asset inventories just as you described, and they often face challenges, especially with version management. They also struggle with ticketing systems—sometimes, tickets remain unresolved for years due to these inventory and versioning issues. This is a significant problem, particularly for government agencies.
FK: Yes, unresolved tickets are a major issue. Another common challenge is end-of-life (EOL) management. Organizations often find themselves with software that’s approaching or has already reached its EOL. At this point, they must decide what to do with these systems, especially when they rely heavily on them.
MP: Right, and sunsetting those systems is easier said than done. Even when they know a piece of software is nearing its EOL, finding a replacement can be tough.
FK: Exactly. And to make matters worse, a critical piece of software nearing its EOL could also have an active vulnerability associated with it, flagged in a Common Vulnerabilities and Exposures (CVE) report. Organizations are then forced to decide whether to live with the risk temporarily or address it immediately. This decision requires a careful risk analysis.
Ultimately, supply chain management is about understanding and mitigating risks. It’s evaluating whether the organization’s mission outweighs the associated security risks. For instance, you might live with a vulnerability for a few months while searching for a suitable replacement, but someone must make that decision and understand the risks involved.
MP: Exactly. Someone has to be accountable for making those judgment calls.
FK: Yes, someone must take ownership of the risks and ensure that the organization has policies and tools in place to navigate these complex decisions.