Zero Trust State
The U.S. Constitution (was designed) as a security architecture
The accumulation of all powers, legislative, executive, and judiciary, in the same hands, whether of one, a few, or many, and whether hereditary, self-appointed, or elective, may justly be pronounced the very definition of tyranny.
Alexander Hamilton, Federalist 47, 1788
…they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted.
John Kindervag, 2010
Increasingly, Americans should stop thinking about their Constitution as a totem or a statement of American values, and recognize it instead as a paranoiac mousetrap set by security-obsessed 18th century hackers.
The U.S. Constitution is a wary document, designed to solve an ancient paradox: Governments require authority and power to safeguard civil society, but inevitably they use that power to oppress civil society. History, littered with despots and despotism, from Nero to the St. Bartholomew’s Day massacre, is unrelentingly bleak on this point. Is it possible to reconcile the practical value of a civil government with either the “overgrown and all-grasping prerogative of an hereditary magistrate” or the “impetuous vortex” of a legislature?[1]
The authors of the U.S. Constitution thought it was. And they architected a clever solution. Eliminate the perimeter. Eliminate trust. They proposed a Zero Trust model for operating a government.
“Zero Trust” is a relatively new network security theory that rejects a perimeter-based approach to trust. As computing networks became more complex, geographically distant, and had increasing numbers of components, users, and ways to access them, older perimeter-based models left what John Kindervag called “chewy centers”.[2] This meant that trusted users had enough privileges within the system to do immense damage. The architectural shift towards Zero Trust instead proposes that no network traffic is inherently “trusted”. Any computer accessing network resources—whether it is internal or external to the network—requires identity verification. Networks are segmented. Breach is assumed.
Hamilton and Madison seem to agree. In order to convince skeptical New Yorkers to ratify the new Constitution, they felt compelled to explain how security controls in their framework would manage the risk of giving officials access to power. In the Federalist Papers, they lay out an approach that should look as familiar to middle-school civics teachers as to cybersecurity professionals.
Federal government powers would be enumerated. Federal government powers would be separated between branches. Branches would have various controls over one another, and the entire system would be subject to regular public audit in the form of elections.
The security principles of Saltzer and Schroeder—first laid out in 1975 as part of a lengthier paper on securing computer-stored information from unauthorized access—still serve as a rubric for security design and threat modeling.[3] And they look remarkably similar to the system of the Constitution. Like Madison and Hamilton, Saltzer and Schroeder understood that “the usefulness of a set of protection mechanisms depends upon the ability of a system to prevent security violations,” and that “Sophisticated users of most systems are aware of at least one way to crash the system.”[4] As Hamilton or Madison put it, “If angels were to govern men, neither external nor internal controls…would be necessary.”[5]
Saltzer and Schroeder’s paper is most famous for the eight security principles it lists:
Economy of mechanism: Keep the design as simple and small as possible.
Fail-safe defaults: The default situation is lack of access.
Complete mediation: Every access to every object must be checked for authority.
Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers.
Separation of privilege: Access should require more than one piece of information.
Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Least common mechanism: The protection mechanism should be shared as little as possible between users.
Psychological acceptability: The protection mechanism should be easy to use.
The security controls of the Constitution are visible here. Enumeration of powers exists to ensure the principle of least privilege and fail-safe defaults. Least common mechanism looks like separation of powers. And so on.
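To make the mapping concrete, here is an added example (my own illustration, not code from the essay or from Saltzer and Schroeder) of a toy reference monitor that enforces four of the principles listed above: enumerated grants (least privilege), a decision that starts as "deny" and can only be flipped by a matching grant (fail-safe defaults), a single check() that every request must pass through (complete mediation), and actions that need a second, distinct principal who also holds the grant (separation of privilege). Every decision is appended to an audit record so that denials can be reviewed afterwards. The class names, the principals ("house", "senate", "president", "court"), the objects and the grants are all constructed for this example and are a loose sketch of Article I and II roles, not a legal model.

```python
"""Toy reference monitor illustrating Saltzer and Schroeder's principles.
Added example: the policy, principals and objects are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One enumerated permission: an action on a named object."""
    action: str
    obj: str


@dataclass
class ReferenceMonitor:
    """Hypothetical policy enforcement point: every request is answered here
    and nowhere else (complete mediation)."""
    # Enumerated powers: a principal may do only what is listed (least privilege).
    grants: Dict[str, FrozenSet[Grant]]
    # Actions that need a second, distinct principal holding the same grant
    # (separation of privilege).
    two_party: FrozenSet[str]
    # Append-only record of every decision, allowed or refused (the audit).
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def check(self, principal: str, action: str, obj: str,
              approver: Optional[str] = None) -> bool:
        """Decide one request. The answer begins as False and only a matching
        grant can turn it into True (fail-safe default)."""
        allowed = False
        grant = Grant(action, obj)
        if grant not in self.grants.get(principal, frozenset()):
            reason = "no grant"
        elif action not in self.two_party:
            allowed, reason = True, "granted"
        elif approver is None or approver == principal:
            reason = "second party required"
        elif grant not in self.grants.get(approver, frozenset()):
            reason = "approver lacks grant"
        else:
            allowed, reason = True, "granted with approval"
        self.audit.append((principal, action, obj, reason))
        return allowed

    def denials(self) -> List[Tuple[str, str, str, str]]:
        """Audit findings: every request that was refused."""
        return [e for e in self.audit if not e[3].startswith("granted")]


def constitutional_policy() -> ReferenceMonitor:
    """Constructed sample policy. Enacting a statute is a two-party action:
    a chamber proposes and a different chamber must also hold the grant."""
    return ReferenceMonitor(
        grants={
            "house": frozenset({Grant("enact", "statute")}),
            "senate": frozenset({Grant("enact", "statute"),
                                 Grant("ratify", "treaty")}),
            "president": frozenset({Grant("execute", "statute"),
                                    Grant("negotiate", "treaty")}),
            "court": frozenset({Grant("review", "statute")}),
        },
        two_party=frozenset({"enact"}),
    )


if __name__ == "__main__":
    rm = constitutional_policy()
    # A single chamber cannot enact alone; with a second chamber it can.
    print(rm.check("house", "enact", "statute"))                         # False
    print(rm.check("house", "enact", "statute", approver="senate"))      # True
    # The executive holds no "enact" grant, so an approver does not help.
    print(rm.check("president", "enact", "statute", approver="senate"))  # False
    print(rm.check("president", "execute", "statute"))                   # True
    for entry in rm.denials():
        print("DENIED", entry)
```

The design point is that nothing in the monitor decides "who is trusted": a request from the most senior principal is refused exactly as one from an unknown name would be unless an enumerated grant matches, and the refusal is recorded rather than silently dropped, which is what makes a later audit of the denials() list possible.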
The U.S. Constitution doesn’t say much about what particular things the Federal government should do, but is preoccupied with the integrity of the system, and rules for its users. The distinguishing marks of the Constitution are not, in the main, the functions of government it describes. Legislative, Executive and Judicial branches pre-date the American experiment. Taxation, treaties and lawmaking are unremarkable functions.
If an American value is discernible in the Constitution, it is surely self-policing distrust of its own users. This is the real innovation of American government. But nothing is unhackable.
How well have we tended to the security controls built into the Constitution? When Aeschylus admonishes his readers to “guard well and reverence that form of government which will eschew alike license and slavery,” he prefigured the unromantic necessity of a security audit. So, how has the integrity of this suspicious system fared since 1788?
Apart from elections, the United States is overdue for a security audit—assessing the architectural integrity of the Zero Trust state. Given their distrust, even of the security measures they established, the lack of a Constitutional requirement for such an audit is surprising—an omission worthy of an amendment.
But the list of signals demanding a compliance audit of the Constitutional security architecture is long.
The Executive branch has, arguably, relied on Executive Orders to bypass the “Write” permissions reserved for the Legislature in Article I. Meanwhile, the Legislative branch often finds itself in a state of “denial of service” due to complex procedural rules regarding Quorums and Cloture, which can allow a minority to halt the entire system’s operations. Even the Judiciary, intended to be the “weakest” branch, with neither “force nor will,” is now being scrutinized for whether it is exercising WILL instead of JUDGMENT, effectively escalating its own privileges to rewrite the rules of the system.
Perhaps most pressing is the impact political parties have had on the structural effect of Constitutional power protections. Codified roles in Congress now formally recognize the “Majority Leader” and “Minority Leader” (Rule XLI)—elevating political parties as permission arbiters for exercising legislative powers.[6] Similarly, Committee membership is no longer based solely on individual expertise but is strictly partitioned to “accord to the majority party a majority of the membership” (Rule XXV)—establishing permission ratios based on parties.[7] Gated debate limits access to the floor and the ability to propose amendments, which is often managed through leadership “designees.” This creates a centralized policy enforcement simply not found in the original Article I design.
Both voters and legislators must relearn to think about government with the same threat-modeling, systematic worry that the American founders did. If we demand a compliance audit—what findings should we expect? How would we resolve them?
[1] James Madison, Federalist No. 48, 1788.
[2] Kindervag, John, S. Balaouras, K. Mak, and J. Blackborow. "No more chewy centers: The zero trust model of information security." Forrester Research 23 (2016). https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
[3] Saltzer, Jerome H., and Michael D. Schroeder. "The protection of information in computer systems." Proceedings of the IEEE 63, no. 9 (1975): 1278-1308.
[4] Ibid.
[5] Madison or Hamilton, Federalist No. 51, 1788.
Great piece