Trust but verify is not good enough: What else is needed to secure government systems?

By BeyondTrust

BeyondTrust’s Chief Security Officer Morey Haber highlighted the need for governments to move from simple assessments to a continuous, contractually enforced zero trust architecture and audits.

BeyondTrust’s Chief Security Officer Morey Haber sharing about supply chain attacks during the GovWare event in Singapore. Image: GovInsider

In the dynamic, supply-chain-dependent landscape of modern digital infrastructure, the principal cybersecurity adage of “trust but verify” is no longer sufficient.


For public sector agencies that are increasingly reliant on commercial software and a myriad of vendors, a more rigorous, non-negotiable approach is essential to secure sensitive systems against modern attack vectors.


While perimeter-based risk scorecards and vendor security assessment questionnaires (SAQs) serve as necessary first steps, BeyondTrust’s Chief Security Officer, Morey Haber, warns that they fail to address the sophisticated techniques used by today’s threat actors. 


Bluntly put, attacking the perimeter is old school. While it may still succeed, it is the targeting of supply chains, identities, and third-party integrations that poses the real risk to organisations.


Modern threat actors, especially those backed by nation-states, consistently bypass perimeter defenses by exploiting underlying flaws in supply chains. The most common attack vectors include stolen secrets, compromised open-source code, misconfigurations, and man-in-the-middle attacks, which is why those first steps, vital as they are, are not good enough.


The reality is that supply chain attacks are now more sophisticated and run for longer, with dwell times stretching into months. This demands a continuous, in-depth security approach that covers more than internet-facing assets.


Haber shares some key takeaways from his presentation, titled Supply Chain Attacks: Trust but Verify Is Not Good Enough, at the GovWare event on October 21, part of the Singapore International Cyber Week (SICW) 2025.

The non-negotiable zero-trust mandate for everyone 


To build a resilient public sector, agencies must adopt Zero Trust Architecture (ZTA) strictly and in detail as a foundational principle for all solutions and workflows.


ZTAs extend beyond traditional security controls and offer a holistic security strategy that encompasses identities, accounts, assets, resources, authentication, behavior, and data. 


In practice, this means moving past a quick security check (single factor authentication as an example) and treating every single vendor and contractor interaction, from remote access to the delivery of code, as untrusted until it can be continuously verified and deemed appropriate. 


By measuring every step of a workflow against the tenets of zero trust, it is easier to isolate indicators of compromise and surface the faults in a supply chain.


The ZTA mandate must therefore also extend directly into the procurement process and software delivery. Governments must ensure that any software or code they receive is exactly what was ordered and is properly digitally signed, Haber adds. There should be no exceptions.


This process must also be correlated with payment systems so that invoices are matched to purchase orders, preventing financial threats such as business email compromise (BEC) or deepfake attacks that misdirect funds through faux invoices or inappropriate wire-transfer requests.


After all, payment for services is part of the supply chain, and zero trust principles should be applied there too.
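As an added illustration (not code from the article, from BeyondTrust, or from GovInsider), the two checks just described, that a delivery is exactly what was ordered and properly signed, and that an invoice is matched to its purchase order before payment is released, can be made concrete in a small Go program using the standard library's Ed25519 and SHA-256. It assumes the vendor's public signing key and the expected artifact digest were recorded in the purchase order at contract time, out of band from the delivery itself; the vendor, product, version, order number, amounts, and artifact bytes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PurchaseOrder records what the agency agreed to buy. The vendor's public
// signing key and the expected digest are captured at contract time, out of
// band, and are never taken from the delivery itself.
type PurchaseOrder struct {
	Number      string
	Vendor      string
	Product     string
	Version     string
	AmountCents int64
	SHA256      string            // hex digest of the exact release that was ordered
	SigningKey  ed25519.PublicKey // vendor key on file
}

// Delivery is what actually arrived from the vendor.
type Delivery struct {
	Vendor    string
	Product   string
	Version   string
	Artifact  []byte
	Signature []byte // vendor's Ed25519 signature over the artifact bytes
}

// Invoice is the payment request that must be matched back to the order.
type Invoice struct {
	PONumber    string
	Vendor      string
	AmountCents int64
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyDelivery accepts the delivery only if its metadata matches the order
// field for field, its digest is the one that was ordered, and its signature
// verifies under the vendor key on file.
func VerifyDelivery(po PurchaseOrder, d Delivery) error {
	if d.Vendor != po.Vendor || d.Product != po.Product || d.Version != po.Version {
		return errors.New("delivery metadata does not match the purchase order")
	}
	if got := digestHex(d.Artifact); got != po.SHA256 {
		return fmt.Errorf("artifact digest mismatch: ordered %s, received %s", po.SHA256, got)
	}
	if !ed25519.Verify(po.SigningKey, d.Artifact, d.Signature) {
		return errors.New("artifact signature does not verify under the vendor key on file")
	}
	return nil
}

// ApprovePayment releases payment only when the invoice matches the purchase
// order and the delivery it pays for has passed verification. An invoice that
// arrives by email with a changed amount, order number, or vendor is rejected
// no matter how convincing the message around it looks.
func ApprovePayment(po PurchaseOrder, d Delivery, inv Invoice) error {
	if inv.PONumber != po.Number || inv.Vendor != po.Vendor || inv.AmountCents != po.AmountCents {
		return errors.New("invoice does not match the purchase order")
	}
	return VerifyDelivery(po, d)
}

// buildScenario constructs sample data: a vendor key pair (generated here for
// the demo; in practice only the public half would be on file), an order, a
// correctly signed delivery, and a matching invoice. All values are made up.
func buildScenario() (PurchaseOrder, Delivery, Invoice, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("example-agent-2.4.1.tar.gz contents (constructed)")
	po := PurchaseOrder{
		Number: "PO-0001", Vendor: "ExampleVendor", Product: "example-agent",
		Version: "2.4.1", AmountCents: 1250000, SHA256: digestHex(artifact), SigningKey: pub,
	}
	d := Delivery{
		Vendor: "ExampleVendor", Product: "example-agent", Version: "2.4.1",
		Artifact: artifact, Signature: ed25519.Sign(priv, artifact),
	}
	inv := Invoice{PONumber: "PO-0001", Vendor: "ExampleVendor", AmountCents: 1250000}
	return po, d, inv, priv
}

func main() {
	po, d, inv, _ := buildScenario()
	fmt.Println("genuine delivery:", ApprovePayment(po, d, inv))

	// A modified artifact, even with the vendor's original signature attached.
	tampered := d
	tampered.Artifact = append([]byte("x"), d.Artifact...)
	fmt.Println("tampered artifact:", ApprovePayment(po, tampered, inv))

	// A BEC-style invoice with only the amount changed.
	badInv := inv
	badInv.AmountCents += 100
	fmt.Println("altered invoice:", ApprovePayment(po, d, badInv))
}
```

The order of checks matters: the digest comparison ties the delivery to the specific release that was ordered, while the signature ties it to the vendor's key on file, so a re-signed artifact from a substituted key fails even when its digest is correct, and a correct signature over different bytes fails on the digest. Payment is gated on both, so a convincing email cannot release funds on its own.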


This is where identity security steps in, and not just as a critical technology for managing risk. Managing privileged credentials, providing complete visibility into who is accessing which system, and mandating that sessions be recorded to prove the access was appropriate are all fundamental traits of zero trust.


Often these can be solved with privileged access management (PAM) solutions, but given today’s threat landscape, these use cases need to be applied to all identities that can perform these functions, not just privileged accounts.



Mandating auditability and accountability 


For government chief information officers (CIOs) and procurement officers, the most powerful leverage for ensuring cyber resilience lies not in fulfilling scorecards but in the procurement contract itself, Haber adds.


This is why measurable objectives and assurances that go beyond general certifications must become non-negotiable clauses in government contracts. 


Specifically, governments should have the right to audit and to ask sensitive questions that assess the geopolitical risk and technical hygiene of their vendors, going much deeper than standard questionnaires and perimeter-based vulnerability scans.

Haber expounded on incident response management protocols with real-world stories of compromised trust. Image: GovInsider

These questions may include source code provenance (origins of the vendor’s open-source code) and whether their supply chain or product development is tied to specific foreign nation-states. This can even include the nationality of employees or contractors that are developing the software. 


Beyond auditability, vendor accountability must be enforced through indemnification clauses. If a government suffers a breach because of a vendor’s security failure, the contract should require the vendor to pay restitution for the cost of remediation.


Of course, this will have a legal limit for financial claims but the risk should be shared with the vendor and not lie solely with the agency. 


This is a powerful mechanism because it directly impacts the vendor’s reputation and business, transforming security from a voluntary compliance exercise into a fundamental business risk that is funded internally up front rather than paid out after a breach.

Preparing for a quantum future 


The rise of quantum computing presents an existential challenge, enabling the scenario of “harvest now, decrypt later,” where adversaries steal today’s encrypted data and decrypt it once more powerful quantum computers (or new decryption algorithms) become available. 


Government agencies cannot afford to wait: planning must start now to understand how to engineer quantum-resistant encryption (QRE) today, especially to defend against future supply chain attacks.


Therefore, agencies should see quantum-safe encryption as a key enabler for future digital government projects, for example secure digital identities, so that weak encryption in the supply chain does not become a future liability.


To meet these evolving threats, the government's cybersecurity philosophy itself must shift.  


Public sector leaders must move from being the CISO who says, “No, that’s a risk, I don’t accept it,” to one who says, “Yes, I can, and this is how we’ll make it safe.” 


This philosophy embeds security into digital transformation initiatives from day one and embraces concepts like secure by design. Additionally, the focus must shift from buying the next new technology to ensuring that the maturity of existing solutions includes security for the remainder of their lifecycle.


The worst outcome is purchasing a technology only to have it become obsolete before it is fully operationalised, or for its own security to become an unacceptable risk. Avoiding this requires a commitment to continuously assess solutions, vendors, and implementations for unmitigable risks.


In the fast-moving world of government technology, security is a continuous, iterative process that must be constantly improved to avoid being left behind. 


When the supply chain is involved, and the development of and payment for services and technology are out of your control, trust but verify may simply not be enough.


Building additional security controls into your workflows, and embracing frameworks and architectures like zero trust, will strengthen government agencies from within, versus only assessing the perimeter of the castle and trusting the written word of others.