Defense Department leaders say zero trust will be “essential” to their Joint All Domain Command-and-Control (JADC2) effort, which centers on “data centricity” to improve information-sharing and data interoperability and to increase warfighter efficiency and accuracy in theater.
“For JADC2, zero trust is essential,” said DOD Cyber and Command, Control, Communications and Computers (C4) Deputy Commander Stuart Whitehead at a Potomac Officers Club event earlier this month. “When dealing with peer competitors, we have to assume things are compromised. That particular policy or set of policies is essential to the way forward.”
Data-tagging is DOD’s first step toward implementing JADC2 and operating under a zero trust security framework.
“If I can tag my data, know who the person is who wants to access it, operating in a zero trust environment, that gives me a great advantage to manage my data effectively,” Whitehead said.
Whitehead wants DOD to consider zero trust holistically within the context of JADC2: every device or sensor connected to the network is a potential source of risk and should be treated as such.
“When we talk about zero trust or identity management, the same holds true for machines,” he said. “Machines have identities. Sensors have identities. The extent that we understand or should understand what sensors are out there and what information they're producing is the starting point. The conversation we're having right now is, when do I actually implement those [metadata] tags? We'd like to implement at the point of creation.”
Brig. Gen. Chad Raduege, C4 director and CIO of Headquarters U.S. European Command for the Air Force, said getting to JADC2 and zero trust requires a cultural shift around how DOD thinks about data.
“It's really a cultural shift of, I'm willing to send the data, and I'm willing to trust the data I receive from someone else,” he said at the Potomac Officers Club event. “I think that's what the information-sharing and data centricity models of the future will get to. We're seeing that right now in the European theater.”
Capt. Christina Hicks, who leads the Navy Cyber Defense Operations Command, said “data is the new bullet, so we need the new trigger puller.”
The new “trigger puller” is tech-savvy talent, which is a challenge for DOD. The department recently announced a shift toward prioritizing software factories like the Air Force’s Kessel Run, which develop, secure and iterate software on a continuous cycle to meet mission needs at the speed of relevancy.
One prong of DOD’s IT modernization plan is to turn soldiers into software engineers, which will be a critical component of implementing JADC2.
DOD’s plan requires a major cultural overhaul, but the cost of not making it is too high given the increasing interconnectedness of communications and battle systems, the accelerating rate of malicious cyber activity and the willingness of adversaries to “take risks” with new, more agile technology that outperforms DOD systems.
“We continue to struggle with cybersecurity not being baked in from the onset,” Hicks said, a problem the DevSecOps approach of the DOD software factories aims to address. “We continue to bolt it on. From my perspective, where policy is not pacing technology is how we're managing risk. We've been following compliance-based risk-averse policy and it’s hampering our ability to onboard new technology.”
During a Bloomberg Government event, DOD CISO David McKeown described zero trust as “integral” to JADC2 implementation, signaling a top-down approach to ensure zero trust concepts are “baked in” to every combatant command and service branch.
“We've fought for dollars in the department to realign under this new architecture,” he said at the event. “We're part of a cross-functional team working with the JADC2 community, there's a specific line of effort dealing with all the communications, whether it be cloud communications, zero trust or [data] transport. We engage early and often to make sure we're baking in all these zero trust concepts from the beginning. I think it's a good initiative, and we're happy to bake in zero trust from the beginning on a new evolving system.”
Despite malicious Russian actors’ recent circumvention of default multi-factor authentication protocols — a core pillar of zero trust — McKeown believes the incident only reinforces the importance of a zero trust approach.
According to McKeown, it’s common for phishers to get into DOD networks, “wander around,” take what they need and leave, with DOD discovering the breach only 18 months later. Zero trust won’t necessarily keep phishers out, but it will improve DOD’s ability to detect and respond quickly.
“Zero trust is not perfect,” McKeown said. “What it will allow you to do through the detection of anomalous behavior, find out those credentials have been stolen and flag that earlier. Once you're in the system with these credentials, zero trust will also stop you from escalating privileges, it segments you from other parts of the network, it restricts you to specific servers [so you can’t] just wander about the network smashing and grabbing whatever you want. SolarWinds could potentially still happen [again], but the saving grace is we would detect it earlier, respond quicker, find the source of the anomaly quicker and return to normal operations much quicker.”