The U.S. Army’s plan to shift to a zero trust cybersecurity model hinges on workforce training and good data management, according to senior leadership and the innovators developing zero trust solutions and laying the groundwork for the department-wide shift.
“This has got to be a comprehensive approach, it’s people, it’s processes, it’s capabilities, and last but probably not least it’s about culture,” said Lt. Gen. John B. Morrison, deputy chief of staff for cyber (G-6), in an interview with GovCIO Media & Research. “Too many times people get stuck on things and that’s not what zero trust is really about.”
Defense cyber leaders repeatedly say culture is the key enabler for zero trust. Educating and training soldiers to think with a zero trust mindset will help them win future fights, Morrison said.
Zero trust requires a dramatic cultural shift in the way the Army and the rest of the Defense Department think about cybersecurity. It means moving from a passive, network-centric model, where a network perimeter is established and defenders wait for the adversary to attack, to a data-centric model where administrators can restrict access to individual data and every user and device must continually verify its right to that access.
Zero trust isn’t a budget line item or a program of record, Morrison said; it’s a reframing of the cybersecurity mindset.
“To make sure we’re protecting the data, to do that we’re ensuring who is on the network and who has access on the data, we’re really thinking about the people and the training we’re providing them,” Morrison said.
Workforce Training for Zero Trust
The Army Cyber Center of Excellence is gearing up to release a zero trust curriculum later this year to train soldiers on the zero trust cybersecurity model.
The center’s Command Chief Warrant Officer, Paul Sankey, said Chief Warrant Officer 3 (CW3) Benjamin Koontz was the first to implement zero trust in a tactical environment in 2020.
Koontz worked at the Defense Information Systems Agency (DISA) for three years and while there, worked on zero trust prototypes with the National Security Agency (NSA) and CYBERCOM at CYBERCOM’s innovation hub, DreamPort.
“We utilized the currently fielded equipment, so whatever gets fielded on our tactical server infrastructure TSI stacks, and we looked at that and figure, how do we take what we currently have and put zero trust around it?” Koontz told GovCIO Media & Research in an interview.
To test the zero trust controls Koontz set up on various Army devices, he organized four separate red team events to try to penetrate the devices and extract data.
“We were extremely successful on all four events,” he said. “One time they utilized trusted insiders with administrative permissions. Another time they took one of our devices and uninstalled all of our security tools with an instructed insider and another time they utilized a close action team to try to get into facilities, and they utilized the trusted insider to help them get into other facilities and all those times they failed. We were extremely successful on stopping that. So now going forward with that implementation that we did, we took the lessons, and we're building guidance to other organizations to say hey, these are things that all the other technical organizations within the Army can do as well.”
Due to the success of Koontz’s prototype, the Army Cyber COE Commanding General Maj. Gen. Paul Stanton recruited Koontz to develop training for soldiers at the COE.
“A lot of organizations [within the Army] are leveraging his expertise and experience in that realm,” Sankey told GovCIO Media & Research. “A lot of the pilots revolve around him assisting the divisions and other organizations. He’s working with the 101st Airborne Division to implement control concepts on their tactical network using that guide and scorecard with the specific goal of improving those so that once it's fully developed, it can be provided to HQDA G-3/5/7 for distribution across the entire Army.”
Morrison said the COE is helping the Army “change our processes,” which is critical for the shift to zero trust to be successful.
“Zero trust isn’t something you buy, it’s a journey,” Army Acting CIO David Markowitz said in an interview.
Data Anchors Zero Trust
Culture and workforce training constitute one piece of the zero trust puzzle, but Army cyber leaders believe good data management and governance are also critical for any zero trust approach to be successful.
Markowitz said the Army Unified Network Plan and Army Data Plan are the two engines driving zero trust implementation at the Army in accordance with the DOD’s recently released 5-year zero trust strategy.
“General Morrison was talking about the people, but there's also a data component,” Markowitz said. “So the Army has a data plan to make sure if we get the right view of who is in the Army and who has the right to see what data and has the right credentialing…[and ensure] we've got the right tagging of the data so that those can marry up, so we can control access at a granular level.”
The Army is now in the third year of implementing its data strategy. The first year, Markowitz said, focused on establishing a data enterprise governance plan.
“The main goal is to simplify the data landscape,” he said. “Just tag what’s important and focus on cybersecurity for what’s important, for management control. That data lifecycle management is a key component of our governance.”
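The data-centric model described earlier in the article, and the point Markowitz makes about marrying identity credentialing to data tags, can be made concrete with a small policy decision point. The following is an added illustration written for this article, not code from the Army, DISA or any program named here; the attribute names, sensitivity levels, the 15-minute re-authentication window and the sample users, devices and data object are all constructed for the example. It evaluates every request on its own against identity, device posture and the tags on the data, and deliberately never consults network location, which is the perimeter model it is contrasted with.

```python
"""Added illustration of a data-centric zero trust access check (a minimal policy
decision point). Every request is evaluated on its own; nothing is trusted because
of network location. All names, attribute labels and sample values are constructed
for this example and are not any organization's real implementation."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Ordered sensitivity levels (constructed; not a real marking scheme).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
MAX_AUTH_AGE_S = 900  # re-verify identity every 15 minutes (assumed policy value)


@dataclass(frozen=True)
class Subject:
    """Who is asking: identity attributes supplied by the credentialing system."""
    user: str
    clearance: str
    attributes: FrozenSet[str]   # roles and need-to-know labels, e.g. "mission:alpha"
    auth_age_s: int              # seconds since the last strong authentication


@dataclass(frozen=True)
class Device:
    """What is asking: posture reported by endpoint management."""
    device_id: str
    managed: bool
    patched: bool
    on_internal_network: bool    # recorded for logging, deliberately not used for trust


@dataclass(frozen=True)
class DataObject:
    """What is being asked for: tags applied under a data governance plan."""
    name: str
    classification: str
    tags: FrozenSet[str]         # every tag must be matched by a subject attribute


def perimeter_decision(device: Device) -> bool:
    """The network-centric model the article contrasts with: inside the perimeter means trusted."""
    return device.on_internal_network


def zero_trust_decision(subject: Subject, device: Device,
                        data: DataObject) -> Tuple[bool, List[str]]:
    """Evaluate one request. Returns (allowed, reasons); any single reason denies.

    device.on_internal_network is never consulted: location is not trust.
    """
    reasons: List[str] = []
    if not device.managed:
        reasons.append("device is not enrolled in endpoint management")
    if not device.patched:
        reasons.append("device fails patch compliance")
    if subject.auth_age_s > MAX_AUTH_AGE_S:
        reasons.append("strong authentication is stale; re-verification required")
    if LEVELS[subject.clearance] < LEVELS[data.classification]:
        reasons.append(f"clearance {subject.clearance} below {data.classification}")
    missing = data.tags - subject.attributes      # need-to-know: data tags vs. identity attributes
    if missing:
        reasons.append(f"no need-to-know for tags {sorted(missing)}")
    return (not reasons, reasons)


def audit_line(subject: Subject, device: Device, data: DataObject,
               allowed: bool, reasons: List[str]) -> str:
    """Every decision is logged, allow or deny, so detection can see patterns later."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={subject.user} device={device.device_id} "
            f"object={data.name} on_internal_network={device.on_internal_network} "
            f"reasons={reasons}")


# Constructed sample inputs.
MISSION_PLAN = DataObject("plan.docx", "SECRET", frozenset({"mission:alpha"}))
ANALYST = Subject("analyst01", "SECRET", frozenset({"analyst", "mission:alpha"}), auth_age_s=120)
STALE_ANALYST = Subject("analyst01", "SECRET", frozenset({"analyst", "mission:alpha"}), auth_age_s=4000)
ADMIN_INSIDER = Subject("admin07", "SECRET", frozenset({"admin"}), auth_age_s=30)
MANAGED_LAPTOP = Device("lt-0042", managed=True, patched=True, on_internal_network=True)
STRIPPED_LAPTOP = Device("lt-0042", managed=False, patched=True, on_internal_network=True)

if __name__ == "__main__":
    scenarios = [
        ("analyst, healthy device", ANALYST, MANAGED_LAPTOP),
        ("analyst, stale authentication", STALE_ANALYST, MANAGED_LAPTOP),
        ("administrator without need-to-know", ADMIN_INSIDER, MANAGED_LAPTOP),
        ("analyst, device with management agent removed", ANALYST, STRIPPED_LAPTOP),
    ]
    for label, subj, dev in scenarios:
        allowed, why = zero_trust_decision(subj, dev, MISSION_PLAN)
        print(f"{label}: perimeter={perimeter_decision(dev)} | "
              f"{audit_line(subj, dev, MISSION_PLAN, allowed, why)}")
```

The four constructed scenarios line up with the kinds of situations the article describes: an administrator with broad permissions is still denied because no identity attribute matches the data's mission tag, and a device whose management agent has been removed is denied even though the perimeter check would have let it through. The explicit reasons list and the audit line are there because a deny that cannot be explained or logged is hard to tune and impossible to detect against.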
Army Secretary Christine Wormuth highlighted data-centricity as one of her primary objectives for the Army last year.
For Morrison and Markowitz, zero trust and data-centricity are symbiotic. Data readiness is necessary for zero trust to be successful and vice versa.
“There is no data centricity without applying zero trust,” Morrison said.
Zero Trust Role in JADC2
Joint exercises with the sister services for the Defense Department’s Joint All-Domain Command-and-Control (JADC2) initiative and the Defense Information Systems Agency’s Thunderdome zero trust prototype are also helping the Army hone its zero trust implementation and training plans.
Morrison and Markowitz said they saw zero trust use cases and lessons learned come out of Project Convergence, the Army’s contribution to JADC2.
“Project Convergence has many benefits to the Army, this is just one component of it,” Markowitz said. “Understanding what data is needed for a specific mission, trying to tag it appropriately…zero trust should be inherent so they can rapidly decide [securely]. It’s a critical component for our operations and for understanding our network under an adversarial attack. This network reform is critical.”
The Army is currently working through how to iterate those lessons learned while maintaining interoperability with the other military service branches.
“We're putting that same kind of iterative process in place specifically focused on data operations into an operational theater, mainly with U.S. Army Pacific,” Morrison said. “Key to that is also how are we doing that iterative development and learning of applying zero trust principles so we can move towards this notion of being a data-centric Army and how that will actually support us conducting military operations, but also being very user centric in our design, putting it with an operational formation where we can bring all of that together, really focused on data, but applying zero trust principles so we can iterate and learn and figure out what looks like and then apply it more broadly across the Army.”
DISA’s Thunderdome zero trust prototype also highlighted the importance of data interoperability between the services for the kind of secure, rapid data exchange JADC2 requires.
“From the data side, the DISA folks, because they had to wrangle with the processes that are different across the services, it was very insightful to hear from DISA how they had to wrangle the processes to get to a common view of the data for identity management, core to zero trust principles,” Markowitz said.
Morrison said the Army will meet with DISA in a series of sessions in the coming weeks to discuss next steps for zero trust implementation.
“[Zero trust is] absolutely central to everything that is JADC2,” he added. “I mean, because at its core, [JADC2 is] how fast can we pass data [securely] amongst the joint forces and our coalition partners.”