When it comes to “zero-trust” cybersecurity and the Federal Government, the clock is ticking. Federal agencies must make the move to zero-trust architecture (ZTA) by the end of fiscal year (FY) 2024. The Department of Defense (DoD) just released its zero-trust strategy and roadmap that lays out dozens of capabilities the DoD and its components must realize in order to achieve “targeted zero-trust” by FY27.
Yet there is still a considerable lack of clarity when it comes to Zero Trust, from foundational questions to operational and tactical ones, such as:
- What is Zero Trust in practice, and why is it critical for DoD?
- How do the DoD strategy and roadmap fit into the larger U.S. defense strategy?
- How will Zero Trust affect the men and women in our armed forces?
- When it comes to Zero Trust implementation, where do we go from here?
Answering these questions will go a long way towards ensuring the DoD and other agencies meet their Zero Trust requirements now and in the years ahead.
What Is Zero Trust, Really, and Why Does It Matter?
Zero Trust is not a single solution but a set of principles, capabilities, and best practices designed to change mindsets and approaches to cybersecurity. It represents a pivot away from assumed trust, under which a user is allowed unchecked subsequent access or lateral movement throughout a network. Zero Trust assumes all network traffic is potentially malicious; a “castle and moat” methodology of defense therefore will not adequately protect data. Instead, every user must be verified and authenticated upon every attempt to access sensitive data or systems.
Conceptually, Zero Trust is a security model that focuses on continuous verification during every session across every application, regardless of where users are working. For the DoD, this means enabling the warfighter on the tactical edge, as well as personnel working from home, to securely access the applications and tools they need to achieve their mission.
What the DoD Got Right – and Where Is the Next Shift?
The preamble of the National Defense Strategy states, “We are living in a decisive decade, one stamped by a dramatic change in geopolitics, technology, economics, and the environment.” Zero Trust is ideally suited to address each of these factors because it too will set the cyber defense strategy to meet our current and future challenges.
China is a pacing threat and Russia is an acute threat to our country. These nations are also extremely capable in the cyber arena, making full information dominance very difficult to achieve. That’s why the DoD is implementing a new form of security for its enterprise that spans the globe, interfaces with mission partners, and supports millions of warfighters who need access.
However, according to the principles of Zero Trust, we are already behind the power curve because our adversaries may already be within our networks. To achieve improved security, the DoD must adopt a Zero Trust mindset and the “never trust, always verify” methodology, which will set the stage for supporting the larger defense strategy. Ultimately, cyber resilience requires cultural change and adaptation to continuously stay ahead of the ever-evolving threat landscape.
What Zero Trust Means for the Warfighter
The Zero Trust strategy focuses on access to data anywhere, anytime, and at any location, which gets complex because the DoD has many unique requirements. First, it leverages classified data and information. Second, mobility is essential in warfighting.
For the Department of the Air Force, Agile Combat Employment (ACE) is key to protecting the force. The fundamental principle of ACE is to physically and rapidly disperse forces from traditional Air Force bases to complicate adversary targeting and safeguard critical airframes. ACE requires several capabilities, including advanced logistics, security, Command and Control (C2), and Intelligence, Surveillance, and Reconnaissance (ISR). Both C2 and ISR require a highly mobile and secure workforce that can operate using Zero Trust principles.
We must also consider Joint All Domain Command and Control (JADC2). This strategy depends on multiple platforms and weapon systems communicating instantaneously and seamlessly at speed to outpace the adversary. Zero Trust provides the framework and architecture to ensure that the communications JADC2 requires are secure.
Zero Trust is not a new concept. During my time in the Air Force, we were already well aware of its importance in achieving mission success, but the DoD has a long way to go on its Zero Trust journey. The challenge is that there are many competing funding priorities for the DoD – whether it’s new space systems, modernizing the Navy, or replacing an aging aircraft fleet, to name a few. This is where it gets hard.
The good news is the DoD Zero Trust strategy tackles the requirement to invest head-on. The strategy states that the DoD will implement Zero Trust over a period of 10 years (FY23-32). The DoD’s CIO also states that the DoD will commit long-term funding to ensure the success of Zero Trust.
What Will It Take to Succeed?
Cultural adoption is critical to success when it comes to Zero Trust and is heavily prioritized in the DoD’s Zero Trust Strategy. A recent study shows that fewer than 50 percent of government professionals feel they are aware of Zero Trust principles. Enabling Zero Trust means ensuring all members of the workforce (not just the cybersecurity and IT professionals) are committed to and trained in Zero Trust strategies. Whether a pilot, a tanker, or a sailor on a surface ship, everyone needs to understand the zero-trust framework and process.
Ultimately, everyone will need to contribute and commit to Zero Trust across agencies and military departments. There will be stumbling blocks along the way, and it won’t be an easy journey. However, embedding Zero Trust into every mission and for all users across the DoD will be key to staying ahead of both the threat landscape and our nation’s biggest adversaries.