Rethinking Cybersecurity at Research Labs

National science and technology investments are invaluable enablers of tomorrow’s innovation. But U.S. federal research labs are often stuck with outdated cybersecurity methods that don’t work in our increasingly connected world and aren’t able to address emerging threats like SolarWinds. Elite hackers, meanwhile, are innovating. Now more than ever, federal leaders must reimagine and robustly resource cybersecurity solutions at research labs to meet looming challenges head on.

President Biden’s May 12 cybersecurity executive order is a major step in the right direction. It calls for a new approach to securing federal agencies based on “zero trust.” Zero trust is an overarching philosophy with profound implications on cybersecurity architectures, founded on core principles: assume a breach; never trust, always verify; and allow only least-privileged access based on contextual factors. Putting the directive into action will require significant funding from Congress and a steadfast commitment from leaders—including those overseeing research organizations. 

Research leaders and scientists need to understand the immense impact this will have on their lab operations—and they must help shape the development of mission-driven, integrated solutions. A zero trust mindset is the opposite of how federal research labs are secured today (i.e., trust within an isolated lab network). Laboratory and research software and equipment is non-traditional IT, often small scale and hard to secure, so isolating it on its own network was the lowest-cost solution. But isolating scientific tech has never been a satisfying solution, often frustrating staff who can’t get their IT needs met quickly and vexing IT/cybersecurity staff who aren’t resourced to secure every new, unique piece of software or device that researchers require. And beyond custom software and large, connected devices (like mass spectrometers and sequencers), labs have unsupported/outdated/non-standard operating systems, massive datasets, and insufficient encryption, all of which create unique cybersecurity challenges.

Some scientists also face challenges obtaining IT support and shy away from addressing complex cybersecurity paperwork that seems to do nothing but hinder their research goals. Further, scientists have long-term goals and limited funding tied to producing results on deadline, which incentivizes labs to focus more on research goals and less on cybersecurity. 

Scientific research increasingly relies heavily on collaboration, massive data sharing across networks and in the cloud, new sensors in the form of operational technology, and the continuing use of unique software (e.g., open-source software, custom research software). Isolation is no longer an option. Standard enterprise solutions don’t work either. For example, common endpoint detection methods can sometimes ruin ongoing experiments by interrupting critical data flows. Any new cybersecurity approach needs to enable—not hamper—the use of necessary technology.  Executives responsible for securing labs should recognize the need to transform the relationship between science and security into a collaborative venture. 

Ultimately leaders must take action. Without a new approach to securing scientific environments with appropriate strategies, resources, and skillsets, research labs could either miss out on advancements due to a misplaced interest in keeping science isolated or increase risk by exposing assets and expanding the attack surface. 

Here are 4 steps leaders need to take now:

• Embrace zero trust to strengthen cybersecurity at research labs, consistent with the executive order. This is not a vendor buy, but rather a mindset driven by core principles. At Booz Allen, we are helping our clients examine their current cybersecurity strategies and develop a roadmap for incrementally moving toward a zero trust architecture.
  
• Involve scientists in decisions about designs for cybersecurity solutions at research labs. This may seem like common sense, but unfortunately the scientists often lack a seat at the table—and that needs to change.
• Create a national testbed where cybersecurity solutions can be tested and evaluated in a research environment so that the uniqueness of scientific IT and the needs of scientists can be baked into solutions rather than solved ad hoc in each lab.
• Increase budgets for IT and cybersecurity at research organizations. Federal officials and Congress should collaborate to boost funding to implement zero trust for research labs.