How the DOD is Leading the Charge on Zero Trust

This article originally appeared on FedScoop.

The Department of Defense has been ahead of the curve in security practices on many fronts, a trend that is no different in the push for zero-trust architectures for government networks.

For many in the DOD cybersecurity workforce, zero trust is a buzzphrase that bundles practices they have helped pioneer. Defense-in-depth, compartmentalization and working in secure spaces all are practices incorporated in the central concept of zero trust, where no user or data on a network is trusted or given broad access. The difference is now zero trust is being embraced as a whole-of-network concept that DOD is ready to fully implement as more than just a security practice for sensitive material.

“In many ways, folks in DOD were practicing zero trust all along,” secure messaging platform Wickr co-founder Chris Howell said in an interview last fall. Howell added that DOD appears to be combining many of its past practices.

“It is like bundling up those things into one formal methodology,” Howell said of recent announcements from the Defense Information Systems Agency (DISA) regarding moves to zero trust for enterprise networks.

At the end of 2020, DISA announced it would be publishing a reference architecture guide for agencies across the DOD to move to a zero-trust operating model. The hope from DISA is to have an “evolving” model that can meet new security needs as threats evolve, Director Vice Adm. Nancy Norton said in January during an AFCEA conference.

That methodology is coming into greater importance with the fallout from the SolarWinds hack, where suspected Russian cybercriminals were able to access government networks through compromised technology that the DOD used. While DOD said it has yet to detect breaches, in a zero-trust world the hacker’s lateral movement across any compromised network would be truncated.

“You can shut off SolarWinds today … but how do you assess the integrity and clearness of the environment after that?” Ben Johnson, a former NSA cyber operator and co-founder of cloud security firm Obsidian, told FedScoop after the hack became public.

In a recently revised strategic planning document that DISA published for the next two years, developing the zero-trust reference guide and building out from there was one of the first milestones for the agency. DISA noted it is working with the National Security Agency, U.S. Cyber Command and DOD Office of the Chief Information Officer on zero trust adoption.

Industry following DOD

For all the hand-wringing on the sluggish pace for much of the department’s adoption of enterprise technologies, zero trust might be one of the few that DOD has led the charge on, Howell said.

“I’m pretty sure RSA next year will have a large majority of booths have that phrase on it,” Howell said, referring to one of the largest cybersecurity conferences.

But what puts DOD ahead of the curve on zero trust are the practices behind the buzzword. The DOD has long heavily segmented user access to information, and its disparate systems have by nature created separate networks. Bringing these practices into a true zero-trust way of operating means being more intentional about them and centralizing them under one operating methodology.

Being ahead of the curve also naturally means DOD is likely to hit speed bumps before others on the road to zero trust.

The first bump is the complexity of centralizing network traffic monitoring so that zero-trust principles can be applied to users. Networks need to be structured to fully incorporate zero-trust principles, Johnson said.

“You don’t have to do it all at once, but you are trying to get to a place where it’s the default method,” he said.

Monitoring data is a process that takes resources, and more resources often mean fighting for more budget space for the less-sexy back-office IT than for a new weapons program.

The second major challenge Johnson predicts is even bigger: retraining the humans on the networks to adjust to reduced network privileges.

“When you have humans in the loop it just changes the amount of time requests and credentials can take,” Johnson said.