Zero trust is critical for enabling command and control (C2) operations, according to defense cyber leaders at the Navy League of the United States’ annual Sea-Air-Space conference and the Defense Department’s virtual zero trust symposium this week.
Despite the hype, zero trust is transforming how DOD approaches cybersecurity and engages in non-kinetic warfare. Zero trust is also tightly integrated with DOD’s massive cloud modernization push.
Zero Trust is an Enabler
Defense cyber leaders said zero trust is foundational to building out the Joint Warfighting Cloud Capability (JWCC) contract, which the Pentagon recently awarded to the “big four” cloud service providers (CSPs): Amazon Web Services, Google, Microsoft and Oracle.
“All of this is predicated on having assured C2,” U.S. Marine Corps Forces Cyberspace Command Executive Director Russell Meade said at Sea-Air-Space. “If we can't talk and communicate and move data … collecting data will be critical for closing other people's kill chains. If we can’t do that then we're dead in the water. Everything we do is geared toward assured C2.”
Meade said zero trust helps you “earn” your right to access the network and network resources, such as mission-critical data and communications systems. In other words, zero trust enables C2.
“That's critical for us because we recognize that the network will be the lifeblood of everything from testing logistics to closing kill chains,” he said. “It's definitely something that is critical to us, especially as we start finding ourselves inside of weapons engagements against a very capable series of adversaries.”
According to CIO John Sherman, U.S. Indo-Pacific Commander Adm. John Aquilino said zero trust is “critical throughout his ecosystem” for the same reason.
“I heard the commander of U.S. Indo-Pacific Command use the word zero trust yesterday,” Sherman said during DOD’s virtual zero trust symposium Tuesday. “That does my heart well as the chief information officer — that we have moved beyond those of us who are practitioners of it and cybersecurity in command and control (C2) to the operators who realize that it's not just servers and blinky lights, and it's not just the CIO, or CFO, or J6, being in military parlance, the staff level officer who's kind of the CIO on the military side. It's not just our problem, but it's everybody's responsibility to think differently about zero trust.”
Cybersecurity is a critical component of integrated deterrence, Sherman added. The point of zero trust is not to provide a bulletproof “wall” around a network, but rather to segment the network, isolate bad actors and limit data access once the network is breached.
Adversaries including China, Russia, Iran and North Korea “might get away with some things. Maybe they've stolen credentials, or maybe they have an insider threat, but we're going to get them [with zero trust],” Sherman said. “If we do all seven pillars [of zero trust], it's very, very low probability you're going to get past all of this.”
Maintaining Security During Cloud Modernization
A major challenge facing Navy leaders modernizing in the cloud and implementing zero trust is maintaining user access to critical data even when systems are “denied or degraded” due to low connectivity or a cyber incident. Identity, credential and access management (ICAM) — a key component of zero trust — meets these needs in a connected cloud environment. Still, challenges arise when a naval vessel can’t connect due to a lack of bandwidth.
As the Navy continues to implement Flank Speed, which is intended to be a single sign-on Navy enterprise cloud solution providing access to cloud services such as Microsoft Office 365, zero trust is the driving “mentality,” according to U.S. Fleet Cyber Command Deputy Commander Rear Adm. Stephen Donald.
“I love the cloud, but don’t have access all the time when I’m afloat, so I need industry to figure out how to give me a virtual cloud while I’m afloat, so when I’m disconnected I have all the capabilities I can possibly have while afloat, and when I reconnect it’s seamless,” Donald said at Sea-Air-Space. “Our warfighting platforms are going into contested areas. I’ve got to be able to fight through adversaries, jamming, adversary deception, whatever the case may be.”
Rear Adm. Tracy Hines, director for the Navy’s Cybersecurity Division, said the COVID-19 pandemic accelerated the Navy’s shift to Flank Speed, but also stressed the Navy’s bandwidth.
“We’ve still got some of those infrastructure challenges that we need to have more robustness and resiliency,” she said at Sea-Air-Space. “We’ve also got to make sure we keep things protected. I keep getting asked the question, 'When is Flank Speed getting to the ships?' And I think the big challenge is when you’re in that deny/degrade environment, how do you … get back online and get what you need?”
Sherman described JWCC and the different services’ and components’ shift to the cloud as a “pick-your-own-adventure” story anchored by zero trust.
“This is a culture shift,” Sherman said during DOD’s virtual zero trust symposium. “This has to be a leadership priority. Cybersecurity is not a nice-to-have, but a must-have.”
Zero Trust in a Multi-Cloud Ecosystem
At Sea-Air-Space, Department of the Navy CTO Don Yeske asked Microsoft CTO Steve Faehl how the military services can maintain interoperability and a strong cybersecurity posture within the multi-cloud, multi-vendor world of JWCC.
Faehl said other DOD customers have come to him with similar concerns following the JWCC award, saying, “I can't defend three clouds separately, I can't defend six clouds separately. If I have as many clouds as I have on-premise networks, how in the world would I defend?”
The concept of a hybrid identity translating across multiple cloud environments and providers, powered by artificial intelligence (AI), could help DOD integrate cloud solutions across multiple vendors and environments supported by zero trust.
“As we look at creating continuity, a common operational picture is absolutely essential,” Faehl said at Sea-Air-Space. “The next layer is, how do I translate those things because identity in an Azure ecosystem is going to be different than identity in an AWS ecosystem. And that's where having true hybrid identity, that is the same identity that you have in the cloud as on-premises as afloat, as in third-party cloud is really the north star for Microsoft.”
“As we also look at AI advancements, we have security copilots that we just recently announced, which is a large language model for cybersecurity. Not only does it help with readiness and equipping cyber operators, but it can also be used to translate information from various systems,” Faehl added. “So if a particular security construct or control that's one way in one cloud and another way in another cloud, security copilot can be trained on all of that and make it appear seamless for the operator. We are incorporating that into our zero trust work as well.”