Pentagon’s Biggest Challenge to Zero Trust: Data Tagging

As the Defense Department grows into the zero trust model, the recently stood up Zero Trust Portfolio Management Office is evaluating how to train people with new skills and new thought processes on how to control access to data.

The office is working on solving the most pressing issues associated with zero trust implementation. One of the biggest hurdles is data tagging and labeling.

“Right now, the Department of Defense has a multitude of tagging and labeling efforts, but there’s no main single standard in the Department of Defense. And that’s both a problem and an opportunity,” said Randy Resnick, director of the Zero Trust Portfolio Management Office, at the DOD Zero Trust Symposium on April 5.

CISA Associate Director for Vulnerability Management Jay Gazlay said data management is critical for making zero trust a reality during his closing fireside chat at GovCIO Media & Research’s zero trust event last fall.

“If you don’t know how to structure your protection mechanisms, if you don’t know how to structure the information you want to exchange, you’re not going to have an idea how to budget design or protection,” Gazlay said.

AI Opportunities

To Resnick, DOD now has the opportunity to think through what precisely needs tagging and labeling so the department can be in a position to best take advantage of the latest artificial intelligence (AI) and machine learning (ML) capabilities.

“How could we use AI to ride sidesaddle with a defender to make that person ten times more efficient? To truly find those needles in a haystack?” Resnick said. “We couldn’t really answer that question with such conviction or thought a couple of years ago. ChatGPT changed all that. We knew AI was coming but not so suddenly as it is now.”

DOD will also need assistance from academia to accelerate the zero trust framework implementation efforts.

“What sort of research do we need on zero trust at this point forward? For academia, this needs to be taught. So what is the teaching aspect of this? How far do you want to go with the teaching? Where could we do improvements here? How do we select product? Many vendors out there need help identifying products and how to integrate them all together. That’s part of a research thing as part of an academic thing that’s part of a testing thing,” Resnick said.

To amplify workforce education efforts, the Army Cyber Center of Excellence will roll out its zero-trust course next week. Army officers will learn about zero trust concepts and implement zero trust principles when they go to their next duty station.

The course will provide two hours of video instruction, 14 hours of hands-on labs, and an eight-hour red team event on the third day to help cyber defense officers and cyber defense non-commissioned officers the opportunity to understand what it means to have a zero trust architecture and the tools they need on the battlefield to protect themselves in cyberspace.

“We know that our unified network operations, we know that the DOD, the federal government is moving towards zero trust, so we can’t just wait for the technology to happen, we have to teach this and we have to teach everyone,” said Chief Warrant Officer 3 (CW3) Benjamin Koontz at the same zero trust symposium Resnick spoke at. “We’re starting to develop zero trust into the curriculum so that as it starts getting implemented, we’re going to have a better opportunity to actually get hands on and be more effective with it.”

Zero Trust in Korea

Koontz was the first to implement a zero trust framework in a tactical environment at a unit in Korea in 2020. At any given time, they had 2,500 to 3,000 devices and around 5,000 users with different types of communication and transport methods.

They designed the architecture and implemented detection procedures where they primarily responded to events breaking zero trust policies. When they saw an activity that was not allowed, they immediately responded to it.

In 2021, they started moving toward a more automated, preventative mode without manual actions.

“We were starting to get to the point where no matter what they did, even in August of 2022 … a brand new team showed up with a zero trust architecture. They had a close action team, so they had multiple red teams, with assistance from the unit going to different locations and attempting to compromise the environment. And even then, they couldn’t do anything. So we’ve made a lot of progress there,” Koontz said.

The Army Cyber Center of Excellence is also preparing to release its zero trust curriculum to train soldiers on the zero-trust cybersecurity model later this year.

The Army recently established a Zero Trust Functional Management Office to implement Koontz’s zero trust framework across the service in alignment with DOD’s recently released zero trust strategy.

“We wrote down our zero trust roadmap for the Department of Defense,” Resnick said. “It doesn’t mean that our roadmap is necessarily perfect. It’s a living document. It’s version one and we plan on updating it definitely every year until it reaches some sort of stability, but I can’t imagine it will. It’s a fast-moving technology.”