The Defense Department’s (DoD) top cybersecurity official said at the RSA Cybersecurity Conference today that the agency’s current efforts to implement zero trust security concepts represent a “game changer” in the Pentagon’s network security efforts, but emphasized that traditional perimeter and layered defenses remain as important as ever in DoD’s big-picture security strategy.
Momentum to implement zero trust has been visibly building at DoD for some time, with Acting CIO John Sherman telling MeriTalk in April that he aims to speed the move to zero trust, and the Defense Information Systems Agency (DISA) sharing its zero trust cybersecurity reference architecture late last week.
Build-up to Zero Trust
Dave McKeown, deputy CIO for cybersecurity and DoD’s senior information security officer, said at the Public Sector Day portion of the RSA conference on May 17 that the migration to zero trust security concepts “will serve as one of the most significant cyber defense game changers in our department’s history,” but also one whose foundation has been built by the Pentagon for many years.
Discussing the impetus for zero trust implementation, McKeown predicted that the current trend of “increasingly sophisticated” attacks of the type making headlines over the past several months will only continue and that DoD needs to eliminate the ability of attackers to “hijack trust relationships” and to gain footholds in networks.
“This paradigm shift is at the heart of implementing zero trust,” he said, which represents a “key evolution of cyber defense strategies designed to outpace our adversaries in cyberspace,” and breaks down the cycle of increasingly sophisticated perimeter defense and penetration techniques that network defenders and attackers have undertaken for the past several decades.
In the long run-up to zero trust implementation, McKeown said that previous security game changers have included multi-factor authentication in common access cards. “The common access card,” he said, “did not completely remove the threat of an adversary compromising the credentials of one of our users, but it did make doing so exponentially more difficult.”
Similarly, he said, zero trust implementation – which emphasizes continuous verification of user identity combined with micro-segmentation of network access – “represents the next game changing advancement in our cyber defenses.”
“We are making this shift because we have long understood that an increasingly determined adversary will eventually find a way to breach our perimeter and layer defenses,” he said. “Therefore, we must assume the adversary is already on our network and deny by default by assuming compromise.”
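To make the contrast in the two preceding paragraphs concrete (a perimeter check that trusts anything already inside the network, versus per-request identity verification, micro-segmentation, and deny by default), here is a small Python comparison. It is example code added for this page, not DoD or DISA code; the users, roles, resources, IP ranges and requests are constructed sample data, and the MFA and device-posture flags stand in for checks a real policy engine would perform against an identity provider and endpoint agent.

```python
"""Added example (not DoD/DISA code): perimeter-style trust vs. deny-by-default zero trust.
All users, roles, resources, networks and requests are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "inside the perimeter" address range.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    resource: str
    mfa_verified: bool      # identity re-verified for *this* request (e.g. CAC/PIV + PIN)
    device_compliant: bool  # endpoint posture check passed for *this* request


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: a request is trusted because of where it comes from."""
    return ip_address(req.src_ip) in INTERNAL_NET


# Micro-segmentation expressed as an explicit allow-list per resource.
# Anything not listed here is denied: there is no implicit "inside" trust.
SEGMENT_POLICY = {
    "hr-db": {"hr-analyst"},
    "logistics-api": {"logistics-planner", "hr-analyst"},
}

# Constructed role assignments (a real system would pull these from the IdP).
USER_ROLES = {
    "alice": {"hr-analyst"},
    "bob": {"logistics-planner"},
}


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero trust model: verify identity and device on every request, then allow only
    what the segment policy explicitly permits. Network location is never consulted."""
    if not req.mfa_verified:
        return False, "identity not verified for this request"
    if not req.device_compliant:
        return False, "device posture check failed"
    allowed_roles = SEGMENT_POLICY.get(req.resource)
    if allowed_roles is None:
        return False, "resource has no policy entry; denied by default"
    if USER_ROLES.get(req.user, set()) & allowed_roles:
        return True, "explicitly allowed by segment policy"
    return False, "user role not permitted in this segment"


# Constructed scenarios, including the "adversary already on the network" case.
SAMPLE_REQUESTS = {
    "alice_internal_hr": Request("alice", "10.1.2.3", "hr-db", True, True),
    "stolen_creds_internal": Request("mallory", "10.1.2.3", "hr-db", False, True),
    "alice_remote_hr": Request("alice", "203.0.113.5", "hr-db", True, True),
    "bob_lateral_to_hr": Request("bob", "10.1.2.3", "hr-db", True, True),
    "alice_unpolicied_resource": Request("alice", "10.1.2.3", "finance-db", True, True),
}


def compare(requests: dict[str, Request] = SAMPLE_REQUESTS) -> dict[str, tuple[bool, bool]]:
    """Return {label: (perimeter_allows, zero_trust_allows)} for each request."""
    return {
        label: (perimeter_allows(req), zero_trust_decision(req)[0])
        for label, req in requests.items()
    }


if __name__ == "__main__":
    for label, (perim, zt) in compare().items():
        reason = zero_trust_decision(SAMPLE_REQUESTS[label])[1]
        print(f"{label:28} perimeter={perim!s:5} zero_trust={zt!s:5} ({reason})")
```

The stolen-credentials and lateral-movement rows are the point: a foothold inside `INTERNAL_NET` is enough for the perimeter model, while the zero trust check denies both because the identity was not re-verified and the segment policy does not list the caller's role. The inverse also holds: a verified, compliant remote user is admitted even though the perimeter model would have rejected the source address.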
Augmentation, not Replacement
Zero trust, however, does not stand alone in DoD’s defenses; it augments the perimeter and layered defenses already in place.
“Zero trust does not protect against all types of network attacks, however, it will dramatically improve detection, response, and recovery efforts,” he said. “Our networks will be exceedingly more secure, the warfighting mission will be defended, and our adversaries will have to dedicate significant resources only to achieve very small gains.”
“It’s important to mention that while zero trust will bolster our existing perimeter and layered defenses, it does not replace them,” McKeown said. “These capabilities remain our first line of defense and repel a vast majority of cyberattack vectors.”
“Zero trust also does not serve as a replacement for good cyber hygiene,” he continued. “We will continue to hold our network operators, mission commanders, and defense industrial base partners accountable for their cyber hygiene practices because we know that this effort will still work against most of the tactics, techniques, and procedures utilized by our adversaries.”
“Our movement towards zero trust does not represent a redirection of our cybersecurity efforts,” he said. “Rather, it is the evolution of the cyber defenses that the Department of Defense has been implementing and enhancing since the earliest days of the internet.”
Finally, he said that DoD’s cyber workforce underpins implementation of the latest security concepts. “Our existing cybersecurity workforce will continue to utilize many of their current skills, but will need to learn the new zero trust concepts and technologies,” he said, adding that “a fairly new and maturing workforce supporting digital modernization initiatives focused on data science, machine learning, artificial intelligence, and orchestration, will also be vital to creating the department’s zero trust architecture.”