Feb 27 2023

RMCS23: DOD Looks to Adopt Zero-Trust Security Architectures Faster

Expect the Pentagon to shift focus to standardization and programming soon, if the funding and training are there.

The Department of Defense isn’t migrating to the cloud fast enough, nor is it spending money on the right security frameworks and capabilities to alter the terrain of cyberspace to its advantage, retired Air Force Maj. Gen. Earl Matthews noted Wednesday.

“Massive” application volume is the biggest reason for the Pentagon’s slow transition to the cloud, but it needs to adopt zero-trust security architectures more quickly, said Matthews, now Mandiant’s vice president of strategy, during the Rocky Mountain Cyberspace Symposium 2023.

Zero-trust security is an integration of products and capabilities that will take the DOD time to implement, but companies that have already done so — such as Mandiant, which is now part of Google Cloud — no longer rely on virtual private networks or need to change passwords unless there is a compromise.

“We talk about being innovative in the DOD, but when we really get down to it, our risk tolerance is still too high, in that we don’t adopt the technologies fast enough or even try to adopt the technologies,” Matthews said. “We allow either the current acquisition process or the current armament process to get in the way of doing large-scale, quick deployments able to prove out technologies.”


Confronting Cyberspace’s Growing Terrain

The cyber strategic landscape continues to increase in size, with both China and Russia leveraging new technologies to spread disinformation and misinformation among global populations and exploit devices designed to ensure personal freedoms, said Air Force Lt. Gen. Kevin Kennedy, Joint Force Headquarters-Cyber (JFHQ-C) commander, at RMCS23 the previous day.

China, in particular, aims to steal warfighting secrets of the U.S. defense industrial base, which is why DOD is extending its defensive umbrella to include operational weapon systems, critical infrastructure and private sector partners.

“As an early step, we are addressing our technical debt, disadvantages stemming from past underinvestment in our cyber infrastructure,” Kennedy said.

Examples of this include the Air Force 561st Network Operations Squadron’s initial experiments with zero-trust tools and microsegmentation, and Space Force acquisition teams’ integration of cyber into planning, along with their requirement that capabilities be secure.

JFHQ-C is currently improving the detection and disruption capabilities of sensors within fielded operations and weapons systems not traditionally connected to the larger network, as well as building greater command and control capabilities for shared risk awareness that will inform all commanders’ decision-making.

While the Air Force remains in the zero-trust pilot phase and is just beginning to consolidate networks, standardization and programming work will soon become its focus, and that will require funds and training, Kennedy said.


F-35 Design Theft Energized DOD’s Cyber Oversight and Response

“The hardest things in cybersecurity start off with identity and access management,” Matthews said. “We’ve got to verify who you are before we trust you, and what I’m concerned about, as we move to zero trust, is really the administration of the zero-trust framework.”

Managing role-based access is a different cyber skill set, and the Air Force is still in the process of coding positions to the DOD Cyber Workforce Framework.

DOD’s strong partnership with industry is as critical as ever in the new zero-trust paradigm, and Kennedy pointed to the F-35 aircraft as an example.

The Pentagon suspects China exploited the networks of nuclear defense contractors to steal F-35 designs years in the making and accelerate the design and production of its own J-31 aircraft by years if not a decade.

Following the theft, the Air Force adopted more integrated solutions for cyber oversight and monitoring of the F-35 in the form of the Autonomic Logistics Information System, which monitors the health of the fleet and shares a broad information set with a “specific but large” audience, Kennedy said.

DOD further developed four lines of effort it plans to apply to all its systems: defining and assessing its cyber terrain, applying a cyber architecture to it, implementing a cyber service provider strategy and documenting the resulting framework.

“This may sound straightforward and foundational, and it is. But the difference is the enterprise-level attention and the integrated solutions,” Kennedy said. “Single units, single services, single industry partners and single nations will not be able to achieve the necessary level of resilience of the F-35 enterprise.”
