Department of Defense on 'cutting edge' of IT security
[Editor's note: This story originally was published by Real Clear Defense.]
By Dan Goure
Real Clear Defense
The phrase “DoD is leading the way” is one that has been largely absent from conversations having to do with information technologies and cybersecurity. Commercial sectors such as banking are more frequently described as being on the “cutting edge,” while the U.S. Department of Defense (DoD) is often labeled a “technology laggard.” But that distinction is neither fair nor entirely accurate. DoD is leading the way in moving to a “zero trust” architecture for protecting its IT infrastructure. Where DoD leads, the aerospace and defense industry and other parts of the federal government may follow, thereby improving national security overall.
Before the current hyper-networked era, DoD established lofty – bordering on seemingly impossible – goals and requirements for its computer networks, such as connectivity in austere conditions, the ability to exchange massive amounts of data, and solutions in smaller and lighter form factors (the size, shape, and physical characteristics of IT hardware) that meet combat demands. The IT industrial base responded with capabilities to meet these requirements, often stretching to connect antiquated assets with new ones.
Technologies ubiquitous today, such as satellite television, GPS navigation, and even the internet itself, have roots in DoD-led requirements for combat capabilities. But in recent years, the commercial IT community that decades ago followed DoD has taken the lead in pioneering new technologies that enable products to meet the demands of businesses and consumers, with the military close behind. For example, DoD asked for neither smartphones nor smartwatches, but once these technologies were established commercially, DoD followed suit by using these capabilities to suit the evolving needs of warfighters.
Within this context, it is satisfying to see DoD taking the lead in defining requirements and solutions for a decades-old problem for IT and cyber professionals through a concept now referred to as “zero trust network environments.” Zero trust is a cybersecurity framework that continually assesses the trustworthiness of every access request to online resources. Zero trust security presumes that a persistent threat can penetrate any perimeter security system given enough time and resources. Therefore, security must be based on the assumption that no device or piece of software on a system can be considered secure without verification.
During an April Senate Armed Services Committee (SASC) hearing on “Future Cybersecurity Architectures,” Senators and witnesses from the National Security Agency (NSA) and the defense department focused heavily on zero trust architecture. Testimony from DoD witnesses extolled the virtues of zero trust and laid out the seven pillars of DoD’s zero trust framework: securing users; applications; devices; data; network/infrastructure; visibility and analytics; and automation and orchestration. When fully implemented, these seven pillars provide a new approach to cybersecurity, one that should prevent penetrations of public and private networks.
The SASC hearing provided numerous examples of implementing a zero trust strategy and building the appropriate architecture. One oft-mentioned capability that is proving to be extremely useful is Comply-to-Connect (C2C). A listener not paying close attention could easily have missed the reference to this key program, which is positioning the defense department to accelerate zero trust into practice.
C2C is a cybersecurity program first directed by the FY17 National Defense Authorization Act and is now established as a program of record managed by the Defense Information Systems Agency (DISA). C2C aims to “establish a framework of tools and technologies operating throughout the network infrastructure that discover, identify, characterize and report on all devices connecting to the network.” C2C is being deployed in five increments, each of which builds upon preceding capabilities: discover and identify; interrogate; auto-remediate; authorize connection; situational awareness and enforcement.
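To make the five C2C increments concrete, and the earlier point that zero trust verifies every device before trusting it, here is a small Python model of a comply-to-connect admission pipeline. This is an added illustration, not DISA's or DoD's C2C implementation: the patch-level policy, the asset inventory and the endpoint telemetry are all constructed, and the "remediation" is simulated in memory.

```python
"""Toy Comply-to-Connect (C2C) style admission pipeline (constructed example).

Each connecting device passes through the five increments named in the text:
discover and identify -> interrogate -> auto-remediate -> authorize connection
-> situational awareness. Nothing here is DISA's real C2C code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy threshold (assumption, not a DoD value).
REQUIRED_PATCH_LEVEL = 5

# Constructed asset inventory: MAC address -> asset name. Unknown MACs are unidentified.
ASSET_DB: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "workstation-ops-01",
    "aa:bb:cc:00:00:02": "laptop-eng-07",
    "aa:bb:cc:00:00:03": "printer-hq-02",
}

# Constructed endpoint telemetry as the network access control layer would see it on connect.
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "patch": 6, "agent_installed": True, "agent_enabled": True},
    {"mac": "aa:bb:cc:00:00:02", "patch": 6, "agent_installed": True, "agent_enabled": False},
    {"mac": "aa:bb:cc:00:00:03", "patch": 3, "agent_installed": False, "agent_enabled": False},
    {"mac": "de:ad:be:ef:00:99", "patch": 6, "agent_installed": True, "agent_enabled": True},
]


@dataclass
class Device:
    mac: str
    identity: Optional[str]          # None when the device is not in the inventory
    patch: int
    agent_installed: bool
    agent_enabled: bool
    findings: List[str] = field(default_factory=list)
    remediations: List[str] = field(default_factory=list)
    decision: str = "pending"


def discover_and_identify(observed, asset_db) -> List[Device]:
    """Increment 1: every connecting device gets a record; identity comes from the inventory."""
    return [
        Device(o["mac"], asset_db.get(o["mac"]), o["patch"],
               o["agent_installed"], o["agent_enabled"])
        for o in observed
    ]


def interrogate(dev: Device, required_patch: int) -> List[str]:
    """Increment 2: compare the device's posture against policy and record findings."""
    dev.findings = []
    if dev.identity is None:
        dev.findings.append("unknown-device")
    if dev.patch < required_patch:
        dev.findings.append("patch-level-below-policy")
    if not dev.agent_installed:
        dev.findings.append("agent-missing")
    elif not dev.agent_enabled:
        dev.findings.append("agent-disabled")
    return dev.findings


def auto_remediate(dev: Device) -> List[str]:
    """Increment 3: fix what can be fixed without a human in the loop."""
    if "agent-disabled" in dev.findings:
        dev.agent_enabled = True  # constructed: stands in for a remote re-enable command
        dev.remediations.append("re-enabled endpoint agent")
    return dev.remediations


def authorize(dev: Device) -> str:
    """Increment 4: unknown devices are denied; known but non-compliant ones are quarantined."""
    if "unknown-device" in dev.findings:
        dev.decision = "deny"
    elif dev.findings:
        dev.decision = "quarantine"  # e.g. a remediation-only network segment
    else:
        dev.decision = "allow"
    return dev.decision


def run_c2c(observed, asset_db, required_patch=REQUIRED_PATCH_LEVEL):
    """Run increments 1-4 per device and return an increment-5 style summary for operators."""
    devices = discover_and_identify(observed, asset_db)
    for dev in devices:
        interrogate(dev, required_patch)
        if auto_remediate(dev):
            interrogate(dev, required_patch)  # re-check posture after remediation
        authorize(dev)
    summary = {"allow": 0, "quarantine": 0, "deny": 0}
    for dev in devices:
        summary[dev.decision] += 1
    return devices, summary


if __name__ == "__main__":
    devs, totals = run_c2c(OBSERVED, ASSET_DB)
    for d in devs:
        print(f"{d.mac} {d.identity or '<unknown>'}: {d.decision} {d.findings} {d.remediations}")
    print("situational awareness:", totals)
```

The key design point is the order of the increments: a device is never authorized before it has been identified and interrogated, and remediation is followed by re-interrogation so that the authorization decision rests on the device's current state rather than on the fact that a fix was attempted.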
Shortly after the hearing, DoD leaders upheld their commitment to sharing lessons learned and publicly released their reference architecture for zero trust. As explained by a senior DISA official, “the intent and focus of zero trust frameworks are to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity.”
The reference architecture will provide much-needed guidance for the entire Department of Defense. It may also serve to promote zero trust architecture in civilian government agencies as required by the May 12 Executive Order on Improving the Nation’s Cybersecurity. Having a template for implementing a zero trust architecture should be extremely helpful for federal departments and agencies in fulfilling their responsibilities to improve cybersecurity.
The timing for DoD to come into its own as a leader in cybersecurity is critical. Near-peer adversaries have moved well beyond merely threatening to use cyber as an instrument of warfare, and sophisticated crime syndicates, while perhaps not state-sponsored, are using similar tactics to great effect. The SolarWinds attack and the penetration of Colonial Pipeline's network are just the latest in a long list of intrusions that will continue to grow unless a serious effort is undertaken to implement zero trust. C2C is particularly useful in protecting operational technology networks such as those run by companies like Colonial Pipeline.
Defense leaders are responding to ever-changing and asymmetrical cyber threats. They are publishing a reference architecture for zero trust environments and acting as an early adopter of cybersecurity programs like C2C. DoD is leading by example.
The Biden administration has appointed individuals with extensive experience in cybersecurity to high positions in DoD. Ms. Heidi Shyu has been nominated for the position of Undersecretary of Defense for Research and Engineering, and Mr. Michael Brown, currently head of the Defense Innovation Unit, will fill the post of Undersecretary of Defense for Acquisition and Sustainment.
Military leaders often speak about the need to understand their own capabilities and those of the adversary and the environments in which they operate (e.g., physical, psychological, political). C2C is providing DoD with the capability to apply what they know about their adversaries’ capabilities to defend networks and data systems.
The cybersecurity focus of DoD is a welcome development as U.S. adversaries pour resources into cyber capabilities to meet their global ambitions. Solutions coming from programs such as C2C will need to keep pace to establish and sustain zero trust network environments, thereby ensuring mission success.
Dan Gouré, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. Gouré has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute @LexNextDC.