The Defense Department has finally laid out its plan for protecting its cyber networks after years of pledging to make it a commitment.
The Office of the Chief Information Officer released “The DoD Zero Trust Strategy” in November — which laid out metrics and deadlines for the department to achieve full zero trust adoption by 2027. Cybersecurity experts said the government and private sector should work together to leverage resources to successfully enter the new regime.
“Cyber physical threats to critical infrastructure really are one of our biggest national security challenges that we’re facing today, and that the landscape that we’re dealing with has gotten more complex,” Nitin Natarajan, deputy director at the Cybersecurity and Infrastructure Security Agency, said during a MeriTalk event in October.
Cyber attackers have more resources than they have in the past, and it’s less expensive to do a lot of damage to an unsecure system, he said. It’s not just lone wolf hackers, but nation states and cyber terrorists who can pose a threat.
For example, the 2019 SolarWinds cyber attack, which swept past the defenses of thousands of organizations, including the federal government, has been linked to Russia-backed operatives.
The new strategy’s basic tenet is that treating organizations’ security like a moat around a castle doesn’t keep out bad actors.
“Mission and system owners, as well as operators, increasingly embrace this view as fact. They also see the journey to [zero trust] as an opportunity to affect positively the mission by addressing technology modernizations, refining security processes and improving operational performance,” the document said.
Zero trust culture requires every person within a network to assume that it is already compromised and requires all users to prove their identities at all times.
The strategy lists technologies that can help cultivate a zero trust environment such as continuous multi-factor authentication, micro-segmentation, advanced encryption, endpoint security, analytics and robust auditing.
While these various technologies can be used to implement this basic premise, it essentially means that “users are granted access to only the data they need and when needed.”
The strategy revolves around four pillars: accepting the culture of zero trust, operationalizing zero trust practices, accelerating zero trust technology and department-wide integration. The strategy notes that while IT departments across the Pentagon may need to purchase products, there is no one capability that can solve all their problems.
“While the objectives prescribe ‘what’ shall be done in furtherance of the goal, they do not prescribe ‘how,’ as DoD Components may need to undertake objectives in differing ways,” the strategy read.
For the technology pillar, the Pentagon’s zero trust strategy calls for capabilities to be pushed out faster while reducing silos. Capabilities that promote simpler architecture and efficient data management are also important, according to the document.
While many methods can be used to authenticate users, the integration pillar calls for creating an acquisition plan for technologies that can be scaled department-wide by early fiscal year 2023.
One technology development already underway is the Thunderdome, a $6.8 million contract awarded to Booz Allen Hamilton earlier this year. The technology would protect access to the Secure Internet Protocol Router Network, the Pentagon’s classified information transmitter, according to a Defense Information Systems Agency press release.
It won’t be possible to completely retrofit every legacy platform with technology such as multi-factor authentication, the strategy points out. However, the services can implement safeguards for these less modern systems in the interim.
The securing information systems pillar will also require automating artificial intelligence operations and securing communications at all levels.
Automating systems is an important part of zero trust, said Andy Stewart, senior federal strategist at digital communications company Cisco Systems and a former director at Fleet Cyber Command/U.S. Tenth Fleet. If the processes behind zero trust don’t work well, people can struggle to use the technology and adopt the zero trust mindset.
“Zero trust is about raising the security, but it also means, ‘How do I operate more efficiently?’” he said. “The user experience should get a vote.”
While the strategy marks a turning point for the effort, the Pentagon started down the road of zero trust years ago. Its 2019 Digital Modernization Strategy mentioned that zero trust was an emerging initiative concept it was “exploring.”
Accepting more rigorous cybersecurity measures through the zero trust mindset is something the Marine Corps has been working on through education and raising awareness, said Renata Spinks, assistant director and deputy chief information officer of information, command, control, communications and computers and acting senior information security officer.
“We spend a lot of time educating, because if people know what they’re doing and why they’re doing it … it has been my experience that they will get on board a whole lot sooner than resisting,” she said.
The 2021 zero trust mandate from President Joe Biden’s administration was “a godsend” because it gave justification for personnel inside the Marine Corps who may not have understood the necessity of some of the IT initiatives, she said.
A successful zero trust implementation will reduce threats to some of the most critical types of capabilities that warfighters will be relying on in the future: cloud, artificial intelligence and command, control, communications, computer and intelligence.
The military needs the help of defense contractors to protect sensitive data, Spinks noted. Industry can help the military’s IT personnel understand how to work with the type of data that they will be providing and how much access the military will need.
“Zero trust will not be zero trust successfully if we don’t get help in managing identities,” she said.
The Marine Corps recently hired a service data officer who could use input from contractors about how much access the military will need to figure out the best ways to classify and manage the service’s data, she noted.
Having access to secure data anywhere will help military members and personnel in the defense industrial base who are working outside of business hours and in remote locations, according to the Pentagon’s strategy.
The push for zero trust is different from some cybersecurity initiatives because it has muscle behind it, Spinks added. Leadership has provided policies and procedures and is willing to be held accountable, she said.
“Cybersecurity is not an inexpensive venture. But I think what truly drives it is the vicious adversary and all of the activity across not just the federal government, but even at the state and local levels,” she said.
Better cybersecurity practices will also be needed to secure supply chains, Natarajan noted. Making them more resilient, especially in critical technologies such as semiconductors, has been a focus at the Pentagon in recent years.
“We know that this is being used by malicious cyber actors really to exploit a lot of third party risk after going after an organization’s supply chain,” he said.
That’s another reason why the government can’t work alone, he added.
“As we look at this, we’re looking at this not just from a sector perspective but also looking at this from national critical functions,” he said.
In October, CISA released cybersecurity performance goals for companies to measure themselves against. Though the performance goals don’t cite zero trust specifically, the goals are intended for companies to use regardless of their size.
“We’re really looking at these to be that minimum baseline of cyber protections that will reduce the rest of critical infrastructure operators,” he said. “But at the end of the day, by doing that we’re also impacting national security and the health and safety of Americans throughout the nation.”
The private sector in turn needs the government’s investment in education and resources to build up its cyber workforce.
“Cyberspace involves not just the hardware and software, the technology, your tablets, your iPhones, your technology, but it involves people. People developed cyberspace. People use cyberspace. We are in cyberspace,” Kemba Walden, principal deputy director of the National Cyber Director’s Office, said during the MeriTalk event.
Not yet at full operating capacity, the National Cyber Director’s Office was established in 2021 to take the lead on cyber issues at the federal level, including the first national cybersecurity strategy.
Just as important as the broad strategy will be the national workforce and education document that will be released after the cybersecurity strategy, Walden said.
“We took a look and recognized that 700,000 or so U.S. jobs with the word cyber in it are left unfilled,” she said. That number comes from market research firm Lightcast’s 2022 report based on 2021 data.
“As a national cyber and national security lawyer, that frightens me,” she said. “That is a national security risk from my perspective.”
In recent years, organizations such as Joint Cyber Defense Collaborative and the National Security Association’s Cybersecurity Collaboration Center have sprung up to gauge the needs and collect feedback from large enterprises, she said.
“Those are the types of collaborative efforts that I think are necessary in order to evolve public-private collaboration and information sharing overall,” she said.
Ultimately, the benefits of zero trust trickle down to the warfighter, according to the document.
For example, the Pentagon’s joint all-domain command and control effort — which aims to link sensors and shooters while using artificial intelligence to make decisions — relies on that data being secure. If it falls into the wrong hands, military leaders can’t achieve information dominance, the strategy notes.
“We need to make certain that when malicious actors attempt to breach our zero trust defenses; they can no longer roam freely through our networks and threaten our ability to deliver maximum support to the warfighter,” Chief Information Officer John Sherman said in the strategy.