The Department of Education is notching swift progress on the Biden administration’s cybersecurity executive order (EO) imperatives, with a particular focus on the identity aspect of zero trust, according to Chief Information Security Officer (CISO) Steven Hernandez.
The cybersecurity EO – coupled with the Office of Management and Budget’s (OMB) memorandum 22-09 (M-22-09) focused on zero trust – challenges agencies to make phishing-resistant authentication available when it comes to identity verification.
Hernandez explained at an August 15 Nextgov/FCW event that this typically means there is “some type of a certificate-based token in the mix,” such as a Fast IDentity Online 2 (FIDO2) security key.
“If a citizen wants to bring that level of strength to their engagement with the government, we need to make that happen,” the CISO said. “If a citizen wants to bring a FIDO2 key to the mix … Great. We’ve been challenged to put that out front and center and make sure that whatever authentication services we’re providing can meet that.”
“So, as we look into the future, I think what we’re going to see is an increased focus on making sure that one, even if we have multiple identity providers in our mix, that they’re consistently available across the board and they’re interoperable,” he added.
For example, Hernandez said if a citizen has identities with multiple cloud providers, they could use one primary identity to authenticate the others.
This is similar to how major service providers let you log into your account with your usual username and password, or let you log in with your Facebook or Google account instead, he explained.
“We want that same type of interaction to consolidate it down, because when we look at the latest ransomware trends and how people are attacking us, phishing used to reign supreme, but it’s interesting those latest numbers have shifted,” Hernandez said. “Now, vulnerabilities are the number one attack vector for ransomware, and then the second most common is credential abuse.”
“And where does most credential abuse come from? They don’t steal the primary identity for the service they’re attacking. They go attack a weaker website where the user may have used a similar identity or they’ve used a shared identity,” he continued. “And that’s a problem because that site will get knocked over and that identity will get stolen.”
Looking ahead, Hernandez said his agency is looking to ensure that identities are shareable and interoperable across the Federal ecosystem, “and that we’re able to leverage those strong authenticators all the way up to phishing-resistant as we go forward into the future.”