Zero Trust: Practice Makes Better

In this episode of Cybersecurity (Marketing) Unplugged, Scott also discusses:

  • How sacrificing security for interoperability got us to where we are today;
  • Pervasive problems with poor cyber hygiene;
  • The top legal issues facing software and cybersecurity companies. 

Tony Scott is the chairman of the TonyScottGroup and a senior advisor for cybersecurity and policy at Squire Patton Boggs, a prominent international law firm. Until January of 2017, he was serving as the CIO within the Obama administration. In addition, Scott is a board member of ColorTokens, a cybersecurity company that’s moving rapidly in the zero trust world. In prior roles, Scott was the CIO at VMware, the CIO at Microsoft, the CIO at the Walt Disney Company and the CTO at General Motors.

Drawing on his deep background in technology, government and law, Scott delves into many pressing issues in cybersecurity today. In particular, when asked how an incremental approach to zero trust can lead us closer to our desired state, Scott had this to say:

Nobody is going to be able to go fully implement a zero trust architecture overnight. … But to sit and twiddle your thumbs and ignore today’s problems with ransomware and all the other things that are going on, is naive at best, but could be negligent, in some worst cases. So I say get started, get on the journey.

Full Transcript

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Steve King 00:13
Good day everyone, I’m Steve King, the managing director at CyberTheory. Today’s episode is going to focus on the movement toward a zero trust strategy in cybersecurity. And joining me today is Tony Scott, the CEO of the TonyScottGroup and a senior advisor for cybersecurity and policy at Squire Patton Boggs, a prominent international law firm that has a broad general practice across a lot of different areas internationally. Until January of 2017, he was serving as the CIO within the Obama administration. I think that was the third one for the US government. And in that capacity, as we all recall, he created a government-wide response after the OPM hacking incident, including the cybersecurity sprint and implementation plan, which dramatically improved the information systems security posture of the federal government. In addition to that, Tony also is a board member of ColorTokens, a cybersecurity company that’s moving rapidly in the zero trust world. His numerous appearances before Congress providing CXO level public and private sector insight on matters such as digital workplace transformation, cybersecurity, governance, open data and workforce diversity are widely recognized. In prior roles, Tony was the CIO at VMware, the CIO at Microsoft, the CIO at the Walt Disney Company, and the CIO at the General Motors information systems and services company. So I would think that Tony knows a little something about information systems. Tony holds a Bachelor of Science degree from the University of San Francisco in Information Systems Management and a Juris Doctor degree from Santa Clara University. So welcome, Tony, I’m glad you could join me today.

Tony Scott 02:19
My pleasure. I just want to make one correction: CTO at General Motors, not CIO. My boss, Ralph, would be offended by my taking his job. But at any rate, it was a great company to work for.

Steve King 02:33
Yeah, perhaps even more impressive from my point of view, but I’m operational technology. So there you go. So zero trust, let’s start with negative media coverage and social media chatter over it versus just being a bumper sticker. It seems unclear to many that this is a strategy and not a product. How do you think we got here?

Tony Scott 02:54
Well, I think the origins of this, you know, go back to the beginning of computing. You know, we struggled in the first 20 years or so with interoperability issues; you know, every computer manufacturer kind of had their own spec, there were no standards for interoperability. And so the industry worked really hard. And I got to say, I think did a really good job over, you know, the next many years of creating great interoperability standards such that today, you know, anything you buy can interact with and interoperate with practically everything else that you might buy. We don’t even think about doing the sort of long test and burn in cycles that we did when I started my career, at least, and all that’s great. And again, I think there’s, you know, a testimony to the power of standards and so on. But what we didn’t do was ask the next question, which is, if I can interoperate, should I, and what are the rules around that? So as the result of the lack of that we have, you know, kind of this open environment where it’s a free for all for bad guys who want to, you know, get into a network and, you know, or any kind of an array of information systems and do damage. And, you know, so we’ve responded to that as an industry by creating, you know, firewall technology and other things, but they just, in my view, don’t do the kind of job that needs to be done in this increasingly vast landscape of information systems and devices and software elements and all of the other things that make up our, you know, the collective ecosystem today. So, I you know, zero trust is a notion that says, you know, let’s go back to the beginning and let’s only connect to the things that are absolutely necessary within a given productive environment and sort of block everything else. And to me that makes total sense. So that, you know, even if the bad guys get in, you know, they’re limited in terms of, you know, where they can go.
So, you know, to me, that’s just basic common sense and shouldn’t be a lot of mystery around it as far as I’m concerned.

Steve King 05:26
Yeah, sure, you and me both. And as you know, John Kindervag is a member of our zero trust Council, and we’re big zero trust fans, though, you know, we don’t see it as the Holy Grail, in terms of, you know, once we get to zero trust, we’re gonna solve all of our cybersecurity issues. As you and I have discussed, can you explain from your perspective how an incremental approach towards zero trust leads us closer to our desired state?

Tony Scott 05:58
Well, nobody is going to be able to go fully implement a zero trust architecture and implementation overnight. And like anything else, it takes practice, it takes, you know, curation, and all of those kinds of things. I like to compare, you know, the journey is similar to learning the violin; you know, you don’t end up at Carnegie Hall the day after you pick up a violin, you got to practice, practice, practice, until maybe you get good enough at it to make it to Carnegie Hall. And all of us in and this is, I think, true of any technology, it’s not unique to zero trust, but I recommend to clients, you know, get started, pick an environment, start learning the, you know, various elements of the technology. And then as you develop skill and confidence, and all my clients that have done this, they develop, you know, skill and they also develop confidence, then you can expand to larger environments. But to sit and twiddle your thumbs and ignore today’s problems with, you know, ransomware, and all the other things that are going on, I think, is not smart, and naive at best, but could be negligent, in some worst cases. So I say get started, get on the journey. You know, if you want to lose weight, start exercising. It’s just one of those common sense kinds of things.

Steve King 07:33
Yeah, there’s a significant absence of common sense in the way that we prosecute cybersecurity today, I think, and you and I both come from a, you know, IT operational side of the business, if you will. You know, given there are maybe four tribes in the cybersecurity space, and one of them is technology centric, I think that casts a little different light on approaches to cybersecurity. Can you sort of share your thoughts on how your background influences your perspective?

Tony Scott 08:08
Well, there’s a couple of things. I mean, clearly, what’s driving the conversation today is cybersecurity issues, you know, ransomware, hackers, you know, the whole array of folks out there that are trying to do bad things. But I also come at it from an operational standpoint. I’ll just tell you a couple of quick things. So, as a CIO, the thing that you hate is that call that comes in the middle of the night, when something goes down, you know, then there’s a scramble, you know, for the next several hours to however long it takes to figure out what the heck happened, and why did it happen, and you know, what can be done ultimately to prevent that thing from happening again. And there’s all kinds of, turns out, operationally bad things that can happen, from misconfigurations to what we call fat fingers, you know, people pressing the wrong keys accidentally, to confusion of people working in a test environment inadvertently performing actions in the operational environment without knowing it. I mean, the list goes on and on. And aside from just a cybersecurity point of view, if you set up a micro segmented, sort of zero trust environment, you’re simultaneously decreasing the chances that some of these accidental things that happen all the time in a daily environment, you know, will happen, and a great example is the recent Facebook stuff that happened. These are just operational miscues that happen because of, you know, privileged access and people in some cases doing things that shouldn’t happen. In a robust operational environment, I believe that there’s a lot of additional benefits on top of just better cybersecurity; the more you can isolate things into smaller clusters of work, think of it as operational microsegmentation or something, right? It just tends to work better. Let each thing do its own work, but protected from bad things that are going on in the environment around it, is just a great idea.

Steve King 10:33
Yeah, sure. And I feel like, I think now it feels like we have data, that empirical data that suggests that, you know, more than 95% of our problems are due to poor hygiene, that goes to patching, and as to your earlier point about configuration management as well. It also extends out to the front end on software development, where we don’t have a lot of rigor in that engineering process. You also, I presume, think that improved hygiene will improve our overall condition?

Tony Scott 11:09
Well, I do, and so I’ve been responsible for large development teams as well as operations teams, and you see some organizations that really do practice, you know, what I would call best practices, and do a really good job of that. But you also see, in most organizations, I’ll call it an uneven application of that. So you’ll have one team that does a pretty good job, and then you’ll have another team somewhere else in the organization that just doesn’t have the discipline, and so on. And, in my experience, the difference in cost and time and total cost of ownership of these things is dramatically different when you have a team doing the right things versus a team being a little sloppy around those things. And it shows up throughout the whole lifecycle of the software, in terms of patches that need to be made, updates that need to be made, it shows up at the help desk, in terms of things that don’t work the way they’re supposed to or other problems. I mean, you just end up paying for these things over and over and over and over again when they’re not done right up at the beginning. And, as I like to say to my teams, there’s no free lunch there. It pays to do it the right way. And I’ll go back to my days at General Motors; the whole auto industry had a problem with quality in the 90s. And you had companies like Toyota just killing us, as a US car industry, because of these real, you know, quality sorts of issues. Once that reputation is there, it’s awfully hard to overcome. And we knew from a data standpoint that General Motors and all the other US manufacturers caught up to the Japanese in terms of quality in the 2000s, late 2000s kind of timeframe. But the public was soured on our products, and still hasn’t caught up, frankly, in terms of public perception, even though the reality is they’re just as reliable and the quality is just as good. But you can’t convince the public of that.
And I think in the software industry we have the same issue potentially brewing, where people are going to start to pay attention as software takes over more and more things. People are going to start to notice, hey, you know, this thing works and is easy to use and is secure and safe, and this other thing over here is really disappointing from a quality, safety, security and privacy standpoint, I’m not going to use it anymore. And I think we’re on the verge of that point. And it’s time for our beloved profession and industry to sort of wake up and pay attention.

Steve King 14:12
Yeah, as a lawyer and in your advisory role with Squire Patton Boggs, a hugely influential law firm that deals in lots of different practice areas in addition to intellectual property, data privacy and cybersecurity, what are the top legal issues keeping you challenged right now? You mentioned in passing a few minutes ago negligence and the attendant liability. As I extend that to C suite and board members, it would seem to me that we’re just now sort of coming to grips, from a legal point of view, with the requirement to pay attention to the exercise of fiduciary responsibility among those kinds of folks.

Tony Scott 15:00
I think, you know, it’s an interesting time. For years, the software industry, and even those that made hardware, have sort of gotten by by saying, we don’t have any product liability for anything that, you know, this hardware does, this compute hardware or the software that runs on it, you know, we have no liability, you sign a license agreement, you sign, you know, various things that sort of waive all liability. It’s only when there’s been public pressure to do something that the industry has really been held responsible. I was working as a consultant, I was with Price Waterhouse, when the whole Pentium crisis happened, and watched Intel, you know, within a couple of weeks decide to recall all of the Pentium processors when that error was discovered. And it was a very costly endeavor for Intel, but it is a great example, I think, of a company recognizing the existential threat to them if they just pooh-poohed this and didn’t, you know, respond in some way. But there was no legal requirement that they do that; that was something that they decided to do just for PR and credibility and marketing purposes. And it cost them a ton of money, obviously. But we’ve seen precious few other examples of that in the industry when there’s been a, you know, pretty significant bug or defect or whatever. You know, this was an early case of a company saying, you know, hey, we screwed up, and we’re going to fix it. I can’t think of many other examples, frankly, I think that that, you know, of companies that have done that, but I think we need more of that in order to ultimately have the kind of trust and confidence in our business that we need. But I think it’s coming. I do think that there’s mounting pressure for product liability to apply to these things that, you know, are, frankly, running our lives, you know, with digital twins, and, you know, software doing everything, you know, managing many aspects of our lives, our health, our safety, and so on.
It’s more than just shopping on Amazon, and I think it’s inevitable that there’ll be some, you know, product liability sorts of issues that are going to be part of our existence going forward.

Steve King 17:33
Yeah, people keep screaming for it. But Congress doesn’t seem to be able to understand or be aware, at the level of actionable legislation to do anything about it. You know, just from outside the lines here.

Tony Scott 17:50
First of all, you didn’t have historically that many people in Congress, and I’m talking about House and Senate here, who even understood technology at even elemental levels. You do start to have now, and I interact with a bunch of them, a growing number of people, both in the House and in the Senate, who actually do get it and, you know, are concerned about some of these issues. And so I think it’s like everything, it just takes time, much longer than anybody would like, but I do think there is some momentum and some, you know, growing awareness here, and that’s only good. Yeah.

Steve King 18:35
I’m encouraged. That’s good news. And, you know, we’ve seen a lot of recent activity, of course, with the Biden administration’s executive orders around cybersecurity, which is, you know, long overdue; it’s a good thing and no question about it. What’s your prognosis, though, having spent many years at the federal level and right in the heart of the beast, if you will, on our ability to pull off what needs to be done?

Tony Scott 19:02
Well, I’d say two things. One, we talk about technical debt a lot in the IT industry. And you know, that’s the failure to keep up and keep, you know, whatever we’re doing modernized in a sort of respectable way. And I think of cybersecurity debt as well as an element of that. And so I’d say, objectively, I think we’re pretty far behind on that. There’s a lot of cybersecurity and technical debt; we’re paying a lot of money to keep a lot of really old, sort of bad stuff going, and it’s risky. So I’m very, let’s say, concerned about that. But having said that, in recent years, because of the growing awareness and the stakes, I think we’re starting to make good progress. And I’ll just give you a couple of small examples. One of the things that we started at the end of the Obama administration was the requirement that every big federal agency risk rate its critical applications on three dimensions. One was cybersecurity risk. One was cost, you know, or is this critical system overly costly or cost burdensome. And the third dimension was its suitability for business purpose. And so every year when it comes to budget time, agencies have to look at their critical systems, rate them on those three dimensions, and then define what it would take from a cost and resource perspective to address those issues. And the point of doing that was to make sure that there was explicit transparency, in terms of the budget process, meaning Congress in particular, of the size of the problem, the nature of the problem, and what it was going to take to fix it. And to force Congress in particular to say, no, we see the problem, we know how big it is, we know how dangerous it is, but we’re deliberately deciding not to do anything about it. Or, you know, hopefully, on the other hand, say, oh, that’s a problem, maybe we better allocate some money or some resources to go fix that.
And the result of that effort, now going on its fifth year, has been kind of what I talked about before: a growing awareness in Congress in terms of the set of problems that we’re facing, and better funding for fixing those things. So our technology modernization fund, as an example, is well over a billion dollars now that agencies can apply to for funding to get some things fixed, and while far too short of the total amount of money needed, which is in the tens of billions of dollars, it’s better than the zero that was there, you know, five years ago, and I’m hopeful that that fund will continue to get, you know, support in Congress, just as one example. Secondly, the policy: you know, you’ve seen the Biden administration, and Gartner and Forrester and some of the other analyst companies all come out and support zero trust as a principle and as an architecture to support going forward. And that’s unusual in my book. I don’t think I’ve seen any consensus on any topic, any technical topic like that, in my lifetime, where simultaneously you have all the analyst firms, governments, say, you know, pay attention to this particular thing. It’s just unusual, but I think it says something about how important this really is. So I’d make those two points and say I’m optimistic that we can make progress. We won’t solve the problem overnight, for sure. But we can begin to make some progress.

Steve King 23:09
Yeah, I’m optimistic as well, because you’re right. I have not seen this happen ever before. The ascension to this needs to be some actionable items that I’ve yet to see. But to your point where, you know, it’s a very positive move. I think, as we’re closing in on the half hour here, I wanted to ask you a final question, you know, over China, Russia, North Korea, Iran, what do we have to do? And how are we going to win this war against this current sort of syndication of adversaries in cyberspace?

Tony Scott 23:46
Well, I think it represents a broader challenge that, frankly, I don’t have the complete answer to, or I probably wouldn’t be sitting here if I thought I did. But it is isolation. It’s digital isolation, it’s isolation in all kinds of different ways, and the ability of people, governments, institutions, whatever, to, you know, decide that they’re going to go a different way and either do something restrictive or harmful, or maybe even dangerous, to the rest of the world that they exist in. And you see it in all kinds of different ways showing up; you know, the political separation that we have now is one example of this. But so I don’t know the complete answer. To be honest, I think that, you know, the best solution I know of is just to foster, you know, global dialogue on some of these important topics. When I was at Microsoft, I was the Microsoft senior executive for the city of Beijing and a couple of big ones, PetroChina and some of the other big government run institutions in China, and I’d show up a couple times a year. And, you know, for the first year or two, we’d get polite dialogue, but no meaningful discussion. And then I noticed in about the third or fourth year, we actually started having constructive conversation. So my advice is we got to play for the long haul, we’ve got to engage in conversation, and hopefully that turns into dialogue and meaningful, you know, action over some long period of time. And I think the mistake that we make sometimes is, we always play the short game and try to look for today’s win, or, you know, the immediate victory. And that doesn’t play well on the world stage. It’s, in my view, more about, you know, long term relationships and forging alliances and seeing different points of view and so on. And I don’t say that to be pollyannish. I think it comes from practical experience dealing with, you know, different cultures and different, you know, viewpoints around the world.
So, that would be my solve: you know, play for the long game, and keep your eye on the short game, but play for the long one.

Steve King 26:19
I agree, the sanction response clearly isn’t working here. There is no turnaround: you sanction right here, you sanction China, you get a big fat cyber attack in return. And so it’s kind of a demonstration, you know, okay, fine, so sanctions, that is, let me demonstrate our cybersecurity superiority to you while we blow up your, you know, your gas delivery network in the northeast. So, you know, you and I could talk for hours here, but we are out of time. I do want to thank Tony Scott for taking time out of his, I’m sure, crazy schedule to join me in what was, I think, an interesting exchange, and we’ll do more of this going forward. So thank you, Tony, for taking the time. My pleasure. Good to speak with you. And thank you to our listeners for joining us in another one of CyberTheory’s Unplugged reviews of the complex and intriguing world of cybersecurity technology in our new digital reality. And till next time, I’m Steve King, your host, signing out.