Military Must Move Out to Implement Zero Trust
With no end in sight to the ever-increasing cybersecurity challenges, the federal government must move quickly and deliberately to adopt an architecture to protect against all outside threats. This means building on existing strengths and bolstering cybersecurity strategies.
In March, the U.S. Government Accountability Office (GAO) published a report on the precarious state of security for military weapons systems. Previously, in 2018, the GAO raised concerns about the U.S. Defense Department facing “mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats” due to “the computerized nature of weapon systems; DoD’s late start in prioritizing weapon systems cybersecurity; and DoD’s nascent understanding of how to develop more secure weapon systems.”
The more recent report indicates that the Defense Department has made some progress since 2018 to make its network of high-tech weapon systems less vulnerable by using such methods as enhanced testing. However, it also reveals that agencies are not universally writing cybersecurity standards into contract language. Among the four military services reviewed, only the Air Force has issued service-wide guidance on how acquisition programs should define cybersecurity requirements and how to include those in contracts. Some contracts reviewed had no such conditions when they were awarded, according to the GAO.
The situation could prove problematic, given that military readiness relies on exchanging information among numerous diverse systems, and each connection—from mobile devices to printers to routers to the Internet of Things (IoT) to industrial control systems—creates new cybersecurity challenges. The March report, for example, noted that the Defense Department’s “growing dependence on software and IT [information technology] significantly expands weapons’ attack surfaces. Any exchange of information is a potential access point for an adversary. A system designed and built to exchange information with many other systems or subsystems has more potential vulnerabilities to address than a system that has few such connections.”
It’s clear there is a building sense of urgency here and that moving forward, contracts must include specifications as to how protection is built in from the beginning as opposed to treating cybersecurity as an afterthought. But it is not feasible to conduct a rigorous audit/inspection of all existing suppliers’ weapon systems/products to make sure they’re “safe.” That’s why the Defense Department needs to fortify its own networks, systems and devices from within while eliminating the introduction of outside entities and vulnerabilities that could threaten these networks.
Fortunately, the government is moving quickly toward across-the-board adoption of an architecture that can help agencies reach this level of protection: zero trust.
As defined by the National Security Agency (NSA), zero trust “eliminates implicit trust in any one element, node or service and … assumes that a breach is inevitable or has likely already occurred.” It deploys comprehensive monitoring, granular risk-based access controls and security automation for real-time protection. It adheres to the principles of least privilege—“Never trust, always verify”—to authorize access strictly according to what is required to perform an approved function.
Recent events speak to federal officials’ commitment to a swift launch of zero trust programs governmentwide.
In March, Chris DeRusha, federal chief information security officer, told lawmakers during testimony before the Homeland Security and Government Affairs Committee that the White House will push agencies to move toward a “zero trust paradigm,” citing Russia’s massive hack of the government via SolarWinds software last year as a primary demand driver.
In May, the Defense Information Systems Agency (DISA) released its initial Defense Department Zero Trust Reference Architecture—developed with the Defense Department chief information officer (CIO), U.S. Cyber Command and the NSA—to “maintain information superiority on the digital battlefield.”
Also in May, the White House’s “Executive Order on Improving the Nation’s Cybersecurity” called for agencies to present a plan to implement zero trust by describing any related steps that they’ve already completed along with a schedule for additional measures to establish this architecture.
If experience with government orders “delivered from up high” have demonstrated anything, it’s that these directives will prompt many agencies to search for “something new” in the manner of technology policies, products and/or services that will somehow magically enable them to launch a zero trust program that is an unquestioned success.
But these agencies need to understand that they do not have to start from scratch. There is already an approved framework in place that can help them in the form of Comply-to-Connect (C2C). The Defense Department has incorporated C2C into its overall cybersecurity strategy to improve the authentication, authorization, compliance assessment and automated remediation of devices and systems connecting to a network. Within the C2C framework, information technology teams authenticate devices and systems and assess them for compliance with military security policies prior to authorizing them. Compliant devices and systems gain appropriate access to the network, while unauthorized devices do not until they meet compliance requirements.
Effectively, C2C supports zero trust by evaluating security posture before granting access to networked resources. Once authorization is approved, C2C requires continuous monitoring, enforcing access to data resources via network segmentation and limited penetration to additional networked resources. C2C also ensures that trusted, authorized devices are rigorously inspected for risks such as malicious code and prohibited software. Given the robust characteristics of C2C-delivered orchestration capabilities, agencies can apply these principles to all connected devices, including weapon systems and other mission-critical connected endpoints.
C2C is not “something new.” It is not in an experimental stage. It is funded. It is here and available now. And it is already supporting agencies as they seek to implement zero trust. In April, David McKeown, the Defense Department’s senior information security officer/CIO for cybersecurity, and Rear Adm. William Chase III, USN, a senior military advisor for cyber policy for the Defense Department, testified before the U.S. Senate Committee on Armed Services Subcommittee on Cyber about the effectiveness of the C2C framework as a foundational component of zero trust.
“The comply to connect that you’ve asked us to build pilots into and learn from,” Adm. Chase said, “have had significant success. … Are we finished? Absolutely not. We’ve taken the beginning steps and are now only starting to understand how much better we can be [in response to] probably the arms race of our time.”
It is encouraging to see that the Defense Department has already taken those essential first steps. Because of this, the military community does not need to entirely reinvent when a proven invention is taking hold right now. Adm. Chase’s “arms race” assessment is both forebodingly cautionary and accurate. Agencies must rapidly and effectively take the lead in this race by building upon existing strengths such as C2C to reach an optimal state of zero trust. With this, they’ll be ready for the inevitable—whether it targets weapons or anything else within the Defense Department cyber ecosystem.
Col. Dean Hullings, USAF (Ret.), is a global defense solutions strategist at Forescout, guiding engagements within the U.S. Defense Department and across global public sector agencies by educating customers on best practices.
