Max Havey Hello, and welcome to the Security Visionaries Podcast, a show where we invite cybersecurity leaders from across domains and industries to come and talk to us about interesting stuff. I'm your host, Max Havey, and today we're diving into the world of Zero Trust and national security with our guest, Chase Cunningham, better known as Dr. Zero Trust. I'll give a quick intro to Chase for those who don't already know him or perhaps didn't catch him parading around RSA dressed as Macho Man Randy Savage. Chase started his career as a Navy cryptologist and has 20 years' experience in cyber forensics and analytic operations. Over the years, he's held roles as a technology market analyst, a CISO, and a strategic advisor. He's also published numerous books and runs his own podcast, also called Dr. Zero Trust. Welcome, Chase.
Chase Cunningham Hey, thanks for having me on. I appreciate you bringing up the Macho Man thing too. [laughter]
Max Havey Absolutely. That was a highlight of my RSA experience, for sure.
Chase Cunningham I'm trying to get over the trauma of doing that, but hey, when you lose a bet, you lose a bet.
Max Havey There are much worse ways to go about that. And also joining us today is my co-host, Emily Wearmouth, who I can see is eagerly brandishing a very long list of things she wants to talk to Chase about.
Emily Wearmouth Hi, Max. Good to have you on, meet you. Who's on whose podcast here? I'm not quite sure. [laughter]
Max Havey So Emily, do you wanna jump in with some questions for Chase here to start off?
Emily Wearmouth I would love to, if I can start. Brilliant. Well, Chase, we had John Kindervag on the podcast a couple of weeks back, and I don't wanna start any fights, but he happily goes by the name of the Godfather of Zero Trust. And obviously you're Dr. Zero Trust. I wondered if you could give us your side of the origin story of Zero Trust. Where were you when it came into existence? What was your involvement? And what was the initial reaction from the world?
Chase Cunningham Yeah. So John definitely deserves the "Godfather" 'cause this was his conceptual approach to things. And if you're talking about a security visionary, John's the one. I'm just a, I guess, you'd call like a "stepchild" in that whole framework. But for me, when I got to Forrester, John actually recruited me to Forrester. When I got there, John kind of said, "Look, you're probably gonna take over the Zero Trust thing." And to be perfectly honest, I was pretty irritated about it because I was like, "Look, I wanna start my own approach to the market. I don't wanna follow up on anybody's coattails." And then the more I looked at it from the perspective of "because I'd been on the offensive side of cyber in the national intelligence community," I looked at it and said, "You know what? This actually is pretty dang solid. And it would make a heck of a difference from the perspective of 'If Zero Trust was in place, I would be unable to be operationally capable as a red team or as a bad guy.'" So that to me was where it was like, "Okay, cool. How do we take this to a different formalized approach?" Because I had not been too far removed from finishing my doctorate, so I was really into taking concepts and putting them into applied frameworks. So it just wasn't anything super amazing on my part. It was really more of like, "I just happened to be in the right place at the right time and saw an opportunity."
Emily Wearmouth Perfect. Who wouldn't embrace an opportunity like that? What I really want to get into with you today, though, we talked about an organizational implementation of Zero Trust with John. I would like to talk with you a little bit more about national government adoption of Zero Trust. And we have seen, particularly in the last six months or so, governments around the world really embrace the concept and put out advisory notices to organizations within their territory, but also start to look at how they use Zero Trust to inform the way they build their national cybersecurity defense strategies. I wondered if you had any initial thoughts about, what does that mean when you're running Zero Trust into a national situation rather than an organizational? Are there any major differences between those two scenarios?
Chase Cunningham Well, the biggest one is that you have the heft of a federal government that can come behind something and actually say, "You have to do this." And that's what you're seeing in the US federal government, where they've allocated a couple of billion dollars. There's laws that are in draft stages. It is a really big thing for the US DoD. Fast forward, and Australia used to have this thing... Well, they still have it. It was called the "Essential Eight," and myself and a really awesome lady at Forrester named Jinan Budge wrote up a paper about adapting the Australian Essential Eight to ZT. And then now they've come up with a whole of government move towards Zero Trust. I think the UK government is doing that to a degree as well. But the reality of it is when you have these large mega organizations with lots and lots of money behind it and they're saying, "This is how we're going to do it all the way up in the US to the president of the United States," it's substantial and it's... John talks about changing the incentive structure. That's really what we're seeing here. We're moving away from all time stick to sort of carrot-and-stick, which is better. And we'll continue to get there.
Chase Cunningham And at the national level, really, what I think that folks have to remember is, this is about: if you accept that digital living, if you will, is a kind of a human right now for most people on planet Earth, you have a right to also operate in a safe and secure manner as well. And how we do that is going to be via these strategic initiatives that will make the difference. So I think that it is a categorical shift in the approach overall. And it's really good to see that there are governments aligning on this as well. Because security is the only space that I've been able to find where industry follows government; usually it's the other way around, and we're seeing that in real time.
Emily Wearmouth On that point of who's following who and where you start, if you're looking at this from a national perspective, where do you start with Zero Trust? We talked about on an organizational level what you might select as your order in which you approach things. How do you order things on a national level? Where do you start?
Chase Cunningham Well, the first thing really at the national level is to have a directive that comes out from someone in the food chain that has teeth, right? That was the executive order from the president of the United States that said, "Thou shalt do ZT." I believe the US government has until September 30th of this year to show that they've actually formalized the process and put it in place. Doesn't mean they're done with Zero Trust. It just means they had 180 days to say, "This is what we're doing, how we're doing it, we have a plan, etc., etc." So that's the first thing that has to happen. The second thing that I really think has to happen is, you have to have some of these follow-on tactical capabilities to go off and actually ensure that what has been mandated is being done.
Chase Cunningham 'Cause that's been the biggest problem that we've had in cyber at the national level, is we've got lots of compliance initiatives and we've got a lot of requirements, but they're not usually taken very seriously. It's a pencil-whipping exercise. People figure out ways around it. Self-certification is one of the dumbest things I've ever heard of in the history of dumb. And, [chuckle] you know, we're just not pushing it forward enough. So that's where this is starting to go, is that it has to happen that way. You have strategy that's guided and led and required by leadership, and then you have tactical execution to do the things to make sure that that's actually in place.
Max Havey Do you have any thoughts on the evolving cyber attack or national cyber defense landscape? Are there any threats that are sort of a lead in that realm?
Chase Cunningham Well, we're... As a nation, the US is constantly... And the UK, too. We're like, we're constantly under attack from a variety of organizations. And I always think it's worth people understanding, too. There's no Geneva Convention in cyber. There is no agreement of terms. This is a space where every country on the planet is literally competing to get a leg up on the competition. So the US is doing things, the French are doing things, the Israelis. It doesn't really matter who you are. This is a space where you can gain competitive advantage. And the other interesting part of it, too, is cyber warfare has become the bridge between espionage and kinetic conflict. And that's what you're looking at, is you're seeing nation states that are trying to cause changes at the national level. And they don't have to do it anymore by putting boots on the ground. You can do this via social media, you can do it via electronic systems, you can take down critical infrastructure. That is the future of what it looks like to be a player in the digital space. And China and Russia a