The Defense Department’s sprawling IT architecture includes at least 15,000 networks used by millions worldwide. Creating a zero-trust network for a system that complex is no small feat. As director of the Defense Information Systems Agency, Air Force Lt. Gen. Robert Skinner oversees a team of more than 20,000 that enables the White House, the DOD, the Joint Chiefs of Staff and others to communicate securely.
His agency is also the lead on the Thunderdome project, designed to bring all DOD networks into compliance with zero-trust requirements by 2027. He talked with FedTech at this year’s Department of the Air Force Information Technology and Cyberpower (DAFITC) education and training event.
FEDTECH: DISA has successfully completed the pilot phase of Thunderdome. How does the program work?
SKINNER: From a network standpoint, Thunderdome enables us to leverage technology to redo how we do networking. As an example, software-defined WAN is kind of your VPN, so that your remote users are able to apply that and then bring security down to the edge. That's really what the Thunderdome OTA [Other Transactions Authority] is all about.
But when you think about Thunderdome at large and the activities within the zero-trust strategy for DOD, we have to add more components to it, such as identity or endpoint security. From a DISA Thunderdome framework standpoint, we accomplish about 130 of 150 activities defined in the DOD CIO zero-trust strategy. Within the next year, we plan on having it at about 60 sites and then just keep rolling out from there.
FEDTECH: This is not a new network. This is something that you put your network into, correct?
SKINNER: Correct. This will be a new way of networking. For example, JRSS — our joint regional security stacks — gave us a midtier level of network routing and security. There's a security component and then a routing of traffic, which is your networking piece. Thunderdome is that, plus a lot more.
We are going to implement Thunderdome, and then we're going to get rid of our JRSS stacks and all the other networking components that we have because that's going to be all covered with Thunderdome. The existing core infrastructure will be gone.
FEDTECH: What technology was involved in creating Thunderdome?
SKINNER: It’s focused on remote access, software-defined networking, WAN and the customer edge security stack. All of our services and DISA are coalescing around those same concepts of SD-WAN, customer edge security stacks and secure access service edge. It's just, what vehicle do you want to use? And then you may have some different architectural pieces within that.
FEDTECH: What challenges does the military in general face with its independently designed networks required to comply with identical requirements?
SKINNER: Interoperability and integration are the two key areas: if you're not following the same standards and similar architectures, then your ability to communicate can be impacted. That's the big thing.
And we have significant technical debt issues within the department. We've accepted risks over the past decade from an IT standpoint that the department is now looking at. The department's focused on user experience, right? Well, part of user experience is that if you have hardware that is at end of life, end of support, then it's not going to operate nominally or efficiently, and therefore your performance is going to be bad. User experience is a part of that, but also network performance that we're not able to achieve because we have older equipment.
We’ve got to jump on the train to decommission JRSS, because it's coming to end of life, end of support. If we don't get off it soon, then we're going to have to upgrade it, because if something is end of support, that means you can't even patch it. If there's a security vulnerability, you're stuck. Part of this is, what's the minimum amount of investment for the existing system to keep it operating while jumping to the future and putting more of your resources towards decommission?
Sidebar statistic: the number of countries in which DOD networks are deployed. Source: defense.gov, “DOD Aims to Improve Network Security, Leverage New Technologies,” May 2, 2023.
FEDTECH: Defense and intelligence agencies must protect classified and top-secret information that most civilian agencies don’t have. How does that affect the development of a zero-trust environment?
SKINNER: I don't look at it like that. If you're a company, a Fortune 500 company or a financial company, if you don't protect your data, then your livelihood's gone. You could lose market share or you could lose intellectual property. Now, from a DOD standpoint, we do have the loss of life that we have to be cognizant of, which is more important than money. We have to be just as protected as businesses are in relation to their intellectual property — we just add cryptographic and other protections to make it that much more secure. But I think the basic principles are the same.
FEDTECH: Why does DOD get until 2027 to meet the required zero-trust standards while the civilian agencies only have until 2024?
SKINNER: I would say that we're more complex and our scale is much larger. DOD networks are the third-largest in the world after the U.S. and China. We have zero trust within the department already in certain areas. It's not proliferated throughout, but we’re well on our way down that path. I’d say we have our plan.
FEDTECH: What lessons can nondefense agencies take from DOD’s zero-trust efforts?
SKINNER: I think the biggest thing is that zero trust is a journey. If you're looking for the Big Bang theory or a silver bullet, it's not there. There's no end date; it’s a continuous journey.
The other thing with zero trust is don't try to eat the whole elephant. Focus on one of the seven pillars, get to a good state, work on the others as you go, and then have a plan. Have senior leader buy-in and support, have the resources necessary, have a plan and then methodically track and manage it — which a lot of people don't do, a lot of organizations don’t do, and that's when you start getting sideways.
The bigger thing is, while we talk a lot about technology, it's the people that make it work. You can have the best technology, but if you don't have a workforce that understands how to employ it and how to optimize it, then you’re suboptimizing. Our strategy is to help ensure that our workforce has the necessary skills to think critically and drive the organization forward. The exciting piece is the people.