The Defense Department has been pushing hard for digital modernization, but the massive hacking campaign that breached multiple federal government agencies via Solarwinds software has put some of its more nascent efforts at risk — namely software factories. “Yes, this creates a new kind of target for our adversaries. These digital factories that we are using to design things may become crown jewels and they’ll have to be protected as such,” Will Roper, the Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, told reporters Dec. 2020 during a virtual Defense Writers Group event.
The 2021 defense policy bill, which is under veto threat and awaiting a presidential signature, has a number of cyber provisions aimed at improving the federal government’s preparedness for security breaches like Solarwinds. “This attack is a stark warning that our nation must bolster its cybersecurity posture and capabilities, and it must do so without delay,” wrote House Armed Services Committee Republicans Ranking Member Mac Thornberry (Texas), incoming Ranking Member Mike Rogers (Ala.), and four other members said in a statement Dec. 18. “There is no doubt our adversaries will take advantage of any opportunity to attack vulnerabilities in our cyber infrastructure. The measures in this year’s bill will provide critical safeguards to protect the information and capabilities most foundational to our nation’s security.” During his talk, Roper stressed DOD’s need for zero trust principles on a large scale.
“The other thing that we have to bring into our software environment, into our digital infrastructure which the department is behind on is new technologies that allow you to deal with adversaries that have gotten in — so zero trust technologies and doing continuous monitoring,” Roper said. “We don’t do that in the Defense Department. We certify things are impregnable and commercial industry assumes everything is pregnant and has to deal with that after the fact.”
The U.S. Defense Department will release an initial zero trust architecture to improve cybersecurity across the department, says Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency, and commander, Joint Force Headquarters-Department of Defense Information Network.
Zero trust is expected to eliminate the traditional network-centric security model for the department. “This paradigm shift from a network-centric to a data-centric security model will affect every arena of our cyber domain, focusing first on how to protect our data and critical resources and then secondarily on our networks,” she said. “Under our traditional defense-in-depth approach, we have tried to make the DODIN trusted and safe territory. Under our new zero trust model, we will always assume that our internal networks are as hostile as external networks.” The shift to a zero trust architecture will be a significant change for the department. “This changes a fundamental premise that denies all [network access] and allows by exception rather than allowing all and denying by exception,” Adm. Norton added.
The change is needed because the Defense Department is constantly inundated with cyber attacks. “We are being attacked in the cyber domain constantly, with state and non-state actors generating more than a billion cyber events a month on our networks across every DOD component around the world,” Norton said. “State and non-state actors try to attack our networks every day, and that attack surface spans the world across every service, combatant command and warfighting domain. The incredible increase in telework within the Defense Department as a result of COVID-19-related social distancing requirements has provided U.S. adversaries more attack surface to cause harm to defense networks. This, among other factors, has increased the department’s focus on zero trust architecture, the director of the Defense Information Systems Agency said.
Clever adversaries try to steal our credentials, escalate privileges and exfiltrate our data. That’s why we’re embracing zero trust—to prevent data breaches.” And the old, network-centric model is no longer enough, she indicated. “In the traditional perimeter or castle-and-moat approach to defending our networks, if our adversaries make it across the moat, they have free reign inside the castle. We are working to end that.” This is a no-fail mission for our nation and its warfighters,” she declared. “Joint Force Headquarters-DODIN directs the defensive actions for millions of events across the attack surface of our DOD networks every day.
Second, she said, that users will always assume a breach of security and will intentionally operate and defend as if an adversary is already present inside the IT environment. “It ensures that all users and devices are treated as untrusted and everything is authenticated and explicitly authorized to the least privilege required using dynamic security policies,” she said. “We will scrutinize each request for access, users, devices and data flows using a deny by default approach and logging and inspecting all traffic,” she said.
Finally, the third principle is to verify explicitly, she said. “All resources must be consistently accessed in a secure manner using multiple attributes to build confidence levels for appropriate access to resources,” she said. “With zero trust, we will affect every arena of our cyber domain, allowing us to shield our data better by closing every compartment in the ship.”
Zero trust architecture, which encompasses network and other infrastructure; user authentication, authorization and monitoring; visibility and analytics; automation and orchestration; end user device activity; applications and workload; and data tenants, “is a natural evolution of information technology,” Wallace noted. “We’re quickly moving in this direction, but the one thing that I want to make very clear is that this is not an overnight journey. This is a multiyear journey, and it’s going to take us some time to get there.”
As a naval officer, Norton used the compartmentalization within a ship or submarine to prevent flooding as an example of how a network can be protected against attack from adversaries. “Segmenting critical assets ensures that when — not if, but when — your network is compromised, the damage is limited, the loss of data is limited and your mission is assured,” Norton said. “In a traditional perimeter defense model to network defense, if an adversary got through the perimeter, they would have free rein throughout the network. We wouldn’t want a [similar] ship design that would allow one flooded compartment to sink a warship.”
With authentication—including identity, credential and access management (ICAM)—being a foundational element of zero trust, the agency is developing associated capabilities centering around how DISA handles identity and authentication in the department. And while Wallace was not at liberty to publicly discuss the details, “the new capabilities that come in the next year will help us get to stronger cloud-based authentication that is more scalable than what we have done in the past,” he noted.
DISA also is working on software-defined perimeter provisions meant to offer warfighters increased security and flexibility, essentially getting users to data faster and more directly, Wallace said, including users who are not on the Non-classified Internet Protocol (IP) Router Network, or NIPRNet.
“Rather than the traditional segmentation and boundary type protections that we’ve used in the past, we need to move more toward a software-driven logical model where we’re actually laying down local or virtualized infrastructure in real time that the user would traverse,” he explained. “Automation and orchestration become very important because you can’t have someone at a keyboard standing up the different parts of the architecture in real time. We need automation and orchestration in order to make that happen. The software defined perimeter aspect is something that I think is coming together reasonably quickly, especially as we look to leverage more and more cloud services. DISA is involved in a number of prototypes across the department, and we’re pretty excited about that.”
One challenge with zero trust architecture, however, is the current lack of standards, especially given how DoD depends on federated information technology. DISA is working with the National Institute of Standards and Technology (NIST) to provide input on the guidance NIST is drafting. “The lack of standards hinders the adoption of a lot of these capabilities going forward until we can work some of this out, but it won’t stop us,” Wallace said. “We are going to adopt zero trust principles everywhere that we can, but to really create the vision of a harmonious zero trust environment is going to be a bit of a challenge until we get some of these interoperability issues worked out.”
Norton’s agency, commonly known as DISA, is working with the National Security Agency, the Department of Defense (DOD) chief information officer and others on what she calls an initial “reference” architecture for zero trust, which essentially ensures every person wanting to use the DOD Information Network, or DODIN, is identified and every device trying to connect is authenticated.
The Defense Information Systems Agency plans to release a zero-trust reference guide next year, a step in moving Department of Defense networks to a new security configuration. The reference guide will provide a blueprint for defense agencies and IT shops to transition networks to a model that treats every user with the same heightened level of security. In essence, the network literally gives zero trust to its users. The concept is not new to the DOD, with many similar compartmentalized configurations already in place for certain sensitive information. But most enterprise network architectures still rely on perimeter defense, like using strong passwords.
The initial reference architecture is being built and tested in the Joint Interoperability Test Command Laboratory and will be used to “align core capabilities needed for zero trust and guide our lab testing,” she said. While specific products that represent portions of the department’s current enterprise network capabilities will be tested to support reference architecture development, the objective is to develop a vendor-agnostic solution. “This work will inform and guide the department’s efforts to evolve toward a next-generation architecture. It will align cybersecurity and IT efforts to optimize tailorable, risk-based decisions based on performance and security. It also will serve as a framework and architecture to guide cultural change in how we operate and defend our information environment.”
The new architecture will take advantage of existing capabilities while incorporating new principles, analytics, policies, devices and automation. “It won’t replace many of our current systems, tools or technologies, but it will enable us to take a more holistic approach to integrating, augmenting and optimizing existing functionality to evolve our enterprise architecture,” Adm. Norton explained.
Rolling out zero trust across the military will be different than other cyber initiatives, DOD leaders have said. It’s a wholesale shift in the architecture of DOD’s networks with the changes that must happen over time, Norton said. “It’s not a rollout like it would be for most programs because zero trust is not a program,” she said, adding that the reference guide will provide “a way to think about the tools we are using.”
Trusted public-private partnership
He suggested that the commercial industry participate in the NIST zero trust forums, and once the standards come out, he advised companies to adopt the standards “in a pure type of way,” without adding “twists” that could create interoperability problems and challenges when integrating platforms into a larger military system.
Like the DoD, DISA is heavily dependent on industry solutions. As such, Wallace encouraged interested companies to get involved with the agency through its Small Business Office, or through the Emerging Technologies directorate, to provide a technical briefing of capabilities. The directorate hosts weekly technical exchange meetings with DoD’s chief information officer.
DreamPort, a private cybersecurity lab that is run by the Maryland Innovation and Security Institute (MISI), played a critical role in the collaborations between agencies and the private sector in developing the reference guide. The organization helped set up a zero-trust lab out of its workplace in Columbia, Md. The lab was set up through a partnership with NSA, Cyber Command and other security-focused agencies.
DreamPort said it helped get the government new technology and software to test and provided a place for vendors and government officials to meet “without the red tape,” Armando Seay, co-founder of MISI, told FedScoop in an email. “The lab was and is an ever-evolving foundation for perpetual experimentation, evaluation and proof of viability prototyping,” Seay said. The collaborations included “thought leaders” and early pioneers in the zero-trust movement, he added. The lab will continue to run as a place to collaborate in an unclassified space.
“The ability to engage with our stakeholders at the lowest possible classification level allows for broader engagements across the community and an increased understanding of cybersecurity as it evolves,” Ziring said. “We have a separate testbed with DISA that will host any anticipated classified information.”
References and Resources also include: