FEDTECH: What zero-trust challenges does DOD have that a civilian agency might not?
BEAVERS: We’ve got in the neighborhood of 3 million people spread over several hundred thousand facilities globally and networks going to all of those locations. Within our networks, we deal with classified information at various levels as well as unclassified information. This is something that is very particular to the government, not just DOD, and that adds a layer of complexity to tagging and managing information. We have to enable sharing but also protect information at the same time; those two ideas are diametrically opposed. We have to walk a fine line to make sure that we’re able to understand who is requesting information at a level of scrutiny that is much higher than on the civilian side, because we have to determine trustworthiness from the classification level as well.
FEDTECH: Are you able to upgrade existing technology, or have you had to acquire new technology to build zero trust?
BEAVERS: Both. With the DOD, this is another area where we have a bit of a unique challenge, although there are other industries that have the same issue. We were early adopters in the technology realm, and we have poured an enormous amount of capital and resources into our technology. We have an enormous legacy installed base, which wasn’t designed to be monitored. It wasn’t designed to be in the cloud. It wasn’t designed with artificial intelligence and data sharing and the machine-to-machine communication that you see today. That’s a challenge to secure that information and make it available in modernized systems. We are also continuing to buy, so we have a lot of newer technology as well. It can be a struggle to make it backward compatible and also maintain its security.
FEDTECH: What have you learned along the way that you could pass on to other CIOs who might not be as far along in the process?
BEAVERS: The journey starts with getting back to basics and doing basic cybersecurity. The practice of knowing your architecture and infrastructure has become a little less rigorous over the years. With zero trust, you’ve got to know what you have and who’s on the architecture. Starting with the basics and getting really good at that is the first and biggest step. You do that as you start trying to map out your architecture so you can instrument it to tag the people, tag the data and audit it.