无忧传媒

National science and technology investments are invaluable enablers of tomorrow鈥檚 innovation. But U.S. federal research labs are often stuck with outdated cybersecurity methods that don鈥檛 work in our increasingly connected world and aren鈥檛 able to address emerging threats like聽. Elite hackers, meanwhile, are innovating. Now more than ever, federal leaders must reimagine and robustly resource cybersecurity solutions at research labs to meet looming challenges head on.

President Biden鈥檚 May 12 cybersecurity executive order is a聽major step in the right direction. It calls for a new approach to securing federal agencies based on 鈥渮ero trust.鈥� Zero trust is an overarching philosophy with profound implications on cybersecurity architectures, founded on core principles: assume a breach; never trust, always verify; and allow only least-privileged access based on contextual factors. Putting the directive into action will require significant funding from Congress and a steadfast commitment from leaders鈥攊ncluding those overseeing research organizations.聽

Research leaders and scientists need to understand the immense impact this will have on their lab operations鈥攁nd they must help shape the development of mission-driven, integrated solutions. A zero trust mindset is the opposite of how federal research labs are secured today (i.e., trust within an isolated lab network). Laboratory and research software and equipment is non-traditional IT, often small scale and hard to secure, so isolating it on its own network was the lowest-cost solution. But isolating scientific tech has never been a satisfying solution, often frustrating staff who can鈥檛 get their IT needs met quickly and vexing IT/cybersecurity staff who aren鈥檛 resourced to secure every new, unique piece of software or device that researchers require. And beyond custom software and large, connected devices (like mass spectrometers and sequencers), labs have unsupported/outdated/non-standard operating systems, massive datasets, and insufficient encryption, all of which create unique cybersecurity challenges.

Some scientists also face challenges obtaining IT support and shy away from addressing complex cybersecurity paperwork that seems to do nothing but hinder their research goals. Further, scientists have long-term goals and limited funding tied to producing results on deadline, which incentivizes labs to focus more on research goals and less on cybersecurity.聽

Scientific research increasingly relies heavily on collaboration, massive data sharing across networks and in the cloud, new sensors in the form of operational technology, and the continuing use of unique software (e.g., open-source software, custom research software). Isolation is no longer an option. Standard enterprise solutions don鈥檛 work either. For example, common endpoint detection methods can sometimes ruin ongoing experiments by interrupting critical data flows. Any new cybersecurity approach needs to enable鈥攏ot hamper鈥攖he use of necessary technology.聽聽Executives responsible for securing labs should recognize the need to transform the relationship between science and security into a collaborative venture.聽

Ultimately leaders must take action. Without a new approach to securing scientific environments with appropriate strategies, resources, and skillsets, research labs could either miss out on advancements due to a misplaced interest in keeping science isolated or increase risk by exposing assets and expanding the attack surface.聽

Here are 4 steps leaders need to take now:

• Embrace zero trust聽to strengthen cybersecurity at research labs, consistent with the executive order. This is not a vendor buy, but rather a mindset driven by core principles. At 无忧传媒, we are helping our clients examine their current cybersecurity strategies and develop a roadmap for incrementally moving toward a zero trust architecture.
  
• Involve scientists聽in decisions about designs for cybersecurity solutions at research labs. This may seem like common sense, but unfortunately the scientists often lack a seat at the table鈥攁nd that needs to change.
• Create a national testbed聽where cybersecurity solutions can be tested and evaluated in a research environment so that the uniqueness of scientific IT and the needs of scientists can be baked into solutions rather than solved ad hoc in each lab.
• Increase budgets聽for IT and cybersecurity at research organizations. Federal officials and Congress should collaborate to boost funding to implement zero trust for research labs.聽