Pentagon Ponders Zero Trust Predicament
ICAM centralization may be the best option.
The U.S. Defense Department has chalked up a number of accomplishments in a short amount of time aimed at achieving a vision of connecting sensors and weapon systems from all of the military services. However, officials still are assessing the best way to achieve zero trust.
The overall vision, known as joint all-domain command and control (JADC2), essentially will connect any sensor to any shooter while also enhancing the ability to share data with allies and other mission partners. It is considered a once-in-a-generation modernization of military command and control and requires a transition from a network-centric approach to a datacentric approach. Among other benefits, JADC2 is expected to provide commanders with the data they need to make decisions more quickly than their adversaries.
The successes include the creation of the JADC2 Cross-Functional Team (CFT) and the delivery of critical documents defining JADC2 strategy, governance and implementation. By all accounts, the concept has drawn unprecedented support from the Office of the Secretary of Defense, the Joint Chiefs of Staff, the military services, defense agencies and the U.S. Congress.
While officials already have overcome many challenges, some do remain. For example, military officials still wrestle with the best approach to accomplishing the zero trust portion of the JADC2 concept. Zero trust essentially means that all users and devices trying to connect to military networks will be identified and authenticated before being granted access. The goal is to never trust and always verify before allowing network connectivity.
But zero trust poses a fundamental challenge. Officials working on the JADC2 CFT’s data working group decided early on that the JADC2 framework would require a federated environment, allowing the Defense Department to initially work with the services and combatant commands “where they are,” explains Brig. Gen. Robert Parker, USA, deputy director, J-6, who chairs the JADC2 CFT.
“The best way to do that, this group determined, was through a federated environment with what was termed adaptive governance, meaning that governance applied at the enterprise level may have to be adjusted to still ensure compliance but in a different way at the tactical level and have the variances embedded to adjust for changes in mission, change in organizational structure, manmade or non-manmade events that may happen out there,” Gen. Parker offers.
Zero trust and identity credential access management, or ICAM, are considered foundational elements of JADC2, and officials have gone to great lengths to digest lessons learned from an array of experts, including industry leaders. The consensus seems to be that a federated environment and zero trust simply do not go together.
“Senior leaders from industry come in and spend time with us to think through the problem set. Many have fully endorsed moving to a zero-trust environment, but it has put us in a predicament that we’re still studying right now. We don’t have the right answer,” Gen. Parker elaborates. “You cannot have a zero-trust environment and bring in federation. That’s a problem we’re looking at.”
Lt. Gen. Dennis Crall, USMC, director, command, control, communications and computers/cyber and chief information officer, Joint Staff, J-6, agrees. Gen. Crall says that in speaking with data experts, he often looks for diverging opinions to determine where the truth lies. But when it comes to zero trust incompatibility with a federated environment, he has found no disagreement. “The advice I’ve been given is to not put a lot of stock in the idea that we can federate zero trust.”
Therefore, department officials likely will have to implement zero-trust standards with a big “S.” That would mean a prescriptive approach rather than standards with a little “s” that would act only as guideposts for the services and others to follow.
The good news is that the department has seen little pushback. “When we threw this out to our services and our combatant commands and a few others, we didn’t really get a lot of disagreement. In many cases, I think they’ve been welcoming,” Gen. Crall adds. The prevailing attitude, he indicates, is that if the department is going to prescribe a zero-trust standard, it should “get on with it because it’s a lot easier in development to understand what those outcomes look like, and we’re going to get started much sooner.”
Asked about the pros and cons of a single zero-trust solution over multiple solutions, Gen. Crall says there is no upside to the latter option. “I’m not aware of any cons from following a rather prescriptive approach in that area. The con of multiple solutions is it doesn’t work like zero trust should work. You can’t scale it.”
He adds that a number of studies, including by U.S. Cyber Command, all indicate the same thing. “If we have a nonfederated approach that works in front of us, and an appetite to get there, and we think that we can scale that faster and less expensively, then the con would be to avoid it and go some other route. The pro would be to adopt it and get on with it.”
Among other options, officials are considering centralizing identity credential access management. That would allow the federated networks to still work with the networks of mission partners, which includes international partners and allies as well as federal, state, local and tribal agencies and nongovernmental organizations. “There are some good ideas out there that we’re studying,” Gen. Parker reports. “Recently, this idea of having a brokerage out there to work through the credentialing access management is an idea that we like. We think there is no ability to fully execute the JADC2 ecosystem without identity credential access management, meaning back to the data problem, making sure we know who’s getting the data, who has access to the data and where that may be shared.”
Gen. Crall stresses the importance of ICAM. “ICAM remains a lynchpin for us that is just critical to almost everything we do. You can’t do artificial intelligence without ICAM. You can’t really work the types of networks we’re talking about without identifying who is who. That’s essentially how this works,” he says.
It is too early to tell whether the Defense Information Systems Agency or some other entity would act as the ICAM broker. “I’m not sure, to be honest with you,” Gen. Crall offers. “I have seen kind of a position paper on a few ideas, but I’m not familiar enough, nor am I comfortable enough, with the pros and cons of that trade to formulate an opinion. But I imagine I will soon.”
The J-6 notes that he created a stir about a year ago when he stated publicly that the ICAM solutions he had seen were effective in garrison but not at the tactical edge. “When I threw that out there, we got a flurry of activity, and I’m starting to see solutions from our industry partners and even from academia that are getting closer to what I think we’re hoping for.”
He also praises the Defense Information Systems Agency’s work on the Thunderdome project, the agency’s solution for zero trust. It includes ICAM as well as secure access service edge capabilities, software-defined area networking and virtual security stacks.
Gen. Crall says that some of the longer timelines associated with Thunderdome are concerning, and agency officials should learn and act quickly and should not “let perfect be the enemy of good enough.”
Technology is only one leg of a three-legged stool supporting JADC2 and may get an unfair share of attention, Gen. Crall suggests. “We’ve spent a lot of time on technology, but … datacentricity is often defined in three parts, not one. The technology part, I think we’ve nailed. But in addition to technology, datacentricity involves people—our workforce—and processes, and I haven’t heard a lot of talk in those areas,” he says.