National science and technology investments are invaluable enablers of tomorrow’s innovation. But U.S. federal research labs are often stuck with outdated cybersecurity methods that don’t work in our increasingly connected world and aren’t able to address emerging threats like SolarWinds. Elite hackers, meanwhile, are innovating. Now more than ever, federal leaders must reimagine and robustly resource cybersecurity solutions at research labs to meet looming challenges head on.
President Biden’s May 12 cybersecurity executive order is a major step in the right direction. It calls for a new approach to securing federal agencies based on “zero trust.” Zero trust is an overarching philosophy with profound implications for cybersecurity architectures, founded on core principles: assume a breach; never trust, always verify; and allow only least-privileged access based on contextual factors. Putting the directive into action will require significant funding from Congress and a steadfast commitment from leaders—including those overseeing research organizations.
Research leaders and scientists need to understand the immense impact this will have on their lab operations—and they must help shape the development of mission-driven, integrated solutions. A zero trust mindset is the opposite of how federal research labs are secured today (i.e., trust within an isolated lab network). Laboratory and research software and equipment are non-traditional IT, often small scale and hard to secure, so isolating them on their own network was the lowest-cost solution. But isolating scientific tech has never been a satisfying solution, often frustrating staff who can’t get their IT needs met quickly and vexing IT/cybersecurity staff who aren’t resourced to secure every new, unique piece of software or device that researchers require. And beyond custom software and large, connected devices (like mass spectrometers and sequencers), labs have unsupported/outdated/non-standard operating systems, massive datasets, and insufficient encryption, all of which create unique cybersecurity challenges.
Some scientists also face challenges obtaining IT support and shy away from addressing complex cybersecurity paperwork that seems to do nothing but hinder their research goals. Further, scientists have long-term goals and limited funding tied to producing results on deadline, which incentivizes labs to focus more on research goals and less on cybersecurity.