Governance & Risk Management , Government , Zero Trust
US Army Banks on Cyber Defense Based on Zero Trust - Part 2Army CIO on How Cyber Command Matured to Gain Offensive and Defensive Capabilities
For the U.S. Army, cloud will provide the firepower to enhance its war-fighting capabilities. The Army's strategic partnership with cloud service providers such as Amazon Web Services, Microsoft Azure and Google Cloud assures that cloud is inherently more secure than on-premises infrastructure.
But the proliferation of cloud requires the implementation of zero trust principles. Since 2021, the U.S. Army has embarked on a zero trust journey to guard access to sensitive data and create resilience to keep adversaries out.
"One of the ways we are preparing to engage in modern warfare is through a multi-domain operation by integrating data and functions between land, air, sea, space and cyberspace. We call it Joint All-Domain Command and Control (JADC2)," says Dr. Raj Iyer, CIO of the U.S. Army.
The U.S. Army is also augmenting its efforts to prevent software supply chain attacks. A fully accredited DevSecOps platform has been established to safeguard the applications being built by the Army Software Factory in Austin, Texas.
"We have to continuously assess the security challenges emerging from the commercial software, especially the open source. That does not mean we will stop using it," Iyer says. "Strong risk management principles along with our zero trust network architecture will help us in becoming resilient to sophisticated nation-state attacks."
In Part 1 of this interview with Information Security Media Group, Iyer explored how organizations of strategic importance are leveraging digital transformation and cloud-native architecture to enhance their war-fighting capabilities. In Part 2, he discusses:
- How the U.S. Army is building a multi-domain operation through JADC2;
- How the application of a zero trust network architecture is safeguarding identity and access management;
- Ways to strengthen policies to thwart software supply chain attacks.
Iyer serves as principal adviser and directs all matters representing the Secretary of the Army for information management and information technology. He sets the strategic direction and oversees the execution of policies and programs for IM/IT, including managing an integrated IT architecture, enterprise data management, cybersecurity and cloud management.
Rahul Neel Mani: Hi there. Welcome once again to the ISMG studio. I'm Rahul Neel Mani, vice president, community engagement and editorial. It's an honor to have with us Dr. Raj Iyer, CIO of the United States Army. In the first episode, we heard Dr. Iyer speaking about his vision, digital army 2030, and how platforms like cloud, artificial intelligence and other cognitive technologies are helping commanders and soldiers of the U.S. Army take informed decisions. In the second part of this exclusive conversation with ISMG. Dr. Iyer will focus on U.S. Army's preparedness for cybersecurity and cyber warfare. Once again, welcome Dr. Iyer. It's an honor to have you with us. I would like to now talk about the roadmap for cybersecurity in the wake of new warfare techniques, where nation-state actors and organized cybercrime syndicates are constantly in hunt for finding vulnerabilities to steal data of strategic importance. Now, what's the plan to give a robust cybersecurity posture to the U.S. Army information infrastructure?
Dr. Raj Iyer: Yeah, great question. So one of the ways we are going to fight in future is what's called through multi-domain operations. And so multi-domain operations means we're integrating data and functions between land, air, sea space and cyberspace. And those are the five domains that we're going to - that we're in the process of integrating to a concept called Joint All-Domain Command and Control. So, what this means now is that the cyber domain is a key warfighting domain. And we know that going up against tech savvy adversary, like China means that we have to be able to not just be able to conduct offensive cyber operations, but also be ready to be with a defensive posture that enables us to be resilient, and to be operationally effective. And that means that we need to be ready to be contested in cyberspace through things like electronic warfare, information warfare, jamming, and so on and so forth. And we know that these are capabilities that China is sophisticated with. And so, huge emphasis in terms of protecting our infrastructure, and, by the way, given that, as it just noted that moving forward, we do plan on making cloud part of our warfighting platform, it means that from a cybersecurity perspective, it's no longer just protecting the army networks and army systems and data. It's a collective effort that includes the private sector as well. And so this includes us working closely with cloud service providers, like Amazon, Google and Microsoft and others. And acknowledging the fact that there's a shared responsibility from a cybersecurity perspective to make sure that their hyperscale architectures for cloud computing are able to withstand any kind of adversarial impacts. And so this is a growing partnership between the United States Army and industry to make sure that we are, that we have the right agreements in place in order to share threat intelligence and cyber vulnerabilities between our two organizations. But at the end of the day, to us, it's very clear that the cloud is inherently much more secure than any on-premises data center that we currently have, but requires us to make sure that we build in what's called zero trust principles into that cybersecurity architecture. So for the last year or so, we have been on an active plan to get to zero trust. And that means that essentially the zero first principle says that assume that at any given time that we are at risk of any kind of cyberattack and we are vulnerable, and then, we got to make sure that we don't trust anybody to come to our networks. It's limiting access to data. And that's the journey we've been on. So the good news is that this is an all-of-nation effort between us in the United States Army as well as the private sector and industry, because the general recognition is that adversaries are not specifically targeting the military, they're going also after civilian infrastructure. And when that's the case, this becomes an all-of-nation effort. But every one of the initiatives that we have ongoing tries to bake in zero trust cybersecurity into the architecture and not as a bolt on.
Mani: I would also like to know if you're working with the specialist security vendors to strengthen the posture.
Iyer: Absolutely. So, we're doing that as well. But then, we also have within the army an entire command, dedicating to cyber. So the Army Cyber Command has been established now for over 10 years and has matured to the point where we're able to conduct both offensive and defensive cyber operations. With the tight integration that we have, with the intelligence community, we're getting a lot of threat intelligence in cyberspace coming to us, far ahead of any such data going to other private-sector vendors and our ability to hunt forward has been well recognized. And this is, again, open news that in the start of the operations in Ukraine, the United States Cyber Command was actively engaged in forward hunting some of the adversarial capabilities, which did, at the end of the day, have an impact on everybody, because we never saw the kinds of cyberattacks that we thought we might, after the start of the war in Ukraine. So we have some tremendous capabilities that we've established in the army and the Department of Defense in the cyber domain. A lot of it is highly classified. But we're proud of what we've been able to accomplish. And the most recent current operations and support of Ukraine is giving us a lot of great lessons learned about what is working and what's not working. And we're using that continuously to update our standard operating procedures, our policies and procedures and tools and so on.
Mani: Great, Dr. Iyer. One more point in the security domain that I wanted to highlight and get your response for is - since the U.S. Army is planning such a mammoth cloud infrastructure, involving a lot of third parties, the point that I want to discuss right at this stage is about the software supply chain management security. That's something which has come to light in the past three-four years, and we have had massive breaches when it comes to software supply chain, so how are you planning to safeguard the infrastructure from such attacks?
Iyer: Yeah, so that is one of the most complex issues or challenges that we struggle with right now. And I'll be the first to admit that - I don't believe anybody has a real solution for this. And so, especially, if you are integrating a lot of open source, and we're not able to validate some of the security signatures on open-source software and software provenance, that becomes a challenge. Now, from a policy perspective, some of the things that we've done is we have policies in place to start requiring software vendors to provide what's called software builds and materials. And so, that is now law under the Executive Office of the President as an executive order to all federal agencies requiring that we use software builds and materials so we can at least see what's embedded within software. But validating provenance and so on is always a challenge. And this is where this requires much tighter collaboration with industry. Because for the software that we write within the army, I think we are in a much better situation, because we have accredited tools. We have a fully accredited DevSecOps platform in the cloud that we use to build our own applications. And it takes the cybersecurity - testing is all fully integrated and built into that. And I think we have some good ideas too, what security posture is of software that we write, but when it's commercial software and especially when it's open source, I think we have challenges that we need to continue to assess. That doesn't mean that we're going to go away from open source, but it all comes down to having good risk management processes in place to be able to assess the risk and put mitigations in place. But then, if you follow the zero trust principles that I talked about and assume that at any given time, you have been compromised. And it doesn't matter how you've been compromised, because our adversaries are getting more sophisticated with new attack vectors, like inserting themselves into the software supply chain. It all comes down to how quickly we're able to find spurious or anomalous behaviors in our systems and our networks, how quickly we're able to isolate them, and how quickly we're able to recover, is the strategy that you're pursuing.
Mani: You mentioned about the skills and unfortunately, not all skills are available in house. There's a shortage of skills across departments and organizations with no exceptions. So how do you plan to bridge that gap? And what's the roadmap prepared by the CIO's office to address the skill and talent issues, both in cybersecurity and in information technology?
Iyer: Yeah. So, I think that's not a challenge that I face alone, but it's one that's widely recognized across the federal government. And frankly, I talk to my peers in the private industry as well. And everybody's struggling to find good technical talent to be able to meet the requirements and there's always going to be a gap between demand and supply. I think what we're doing in the army is, we have started a concerted effort to try and find non-traditional ways to recruit into the army. So this is, take through things like direct commissioning for officers. So, if you're in the private sector and you want to wear the uniform, we have a process in which we can bring you in and commission you as an officer directly. We're targeting the private sector to bring in the best civilians. And we have authorities that Congress has given us to be able to be flexible when it comes to pay. We will never be able to match the compensation that's provided by private industry. But there are flexibilities in place to be able to do that. We, this year, announced and we have gone live with a new talent management system for cyber professionals. So, it turned out that civilian talent management structure that we had, just had not been updated in decades. And so we needed something that was specific to the cyber professionals. So the cyber excepted service is now live and we plan on expanding that across the army. So that'll give greater opportunities for things like retention bonuses, opportunities for career advancement and development that is not as much more rigid in the general schedule, civilian pay scale. And then, it's about providing all kinds of opportunities for training certifications and growth within the army. So we will continue to upskill our existing workforce. And we are fully acknowledged that will not happen across the board. If we look at our demographics, we have a portion of our employee base that are not at a point where they are capable of picking up new skills, but we'll try and at least, get them to be tech savvy enough to be able to understand and talk about what cloud is and what AI is and how machine learning works and so on. And so combination of tech savvy training to hands-on software development are all things that are in the works. For the last two years, we started as a pilot, the Army Software Factory in Austin, where we're actually training soldiers to code and to develop software. And we're the second year of that program, we're finding and identifying expertise, people that have the capability to code and to develop software. But again, this will not be at scale, this will always be niche within the army, that if we build enough capacity and momentum, then between now and the army of 2030, we feel like we would have accomplished critical mass in this area.
Mani: Before we let you go, just create an overall organizational resilience picture for us with the help of new technologies.
Iyer: Yeah, so technologies are key enabler. But, to me, as I noted earlier, there are two things that make the difference for us in the United States Army of what makes a difference between winning a war and not winning one. And in every case, nearly every situation, where we've trimmed, it's been two things. One is, our soldiers who are the best in the world, and at the end of the day, we'll take any technology, whether it's low or high technology, and then they will find awesome ways to put that to work on the battlefield. And we've proven that over and over again. And secondly, is the fact that when we go to fight, we always go to fight with our allies and our coalition partners. And we never go alone. And that's because we know that the force multiplication effect, the force multiplier that we get from our partnerships around the world, are absolutely critical. And so what we're focused on in the army and my own organization, is build on both those legs, while at the same time, we focus on building technical capabilities and capacity. And as I noted, just this year, starting February 24, we've seen some tremendous lessons learned. And in both of these areas, for the first time, the army's 18th Airborne Corps when they deployed to Europe in support of Ukraine. For the first time, we went out with cloud infrastructure, cloud-native applications, or data fabric, to enable the three-star general on the ground and make decisions on the fly. And then we used commercial networks, including, SpaceX Starlink, satellite communications to be able to communicate, and that's three great commercial technologies that we've never used in the past. But for the first time, we brought that to operational use. And we're already seeing how well that's working for us, the ability for us to be able to share targeting information with our partners, the collaboration environment, that we've stood up in Europe, to communicate and collaborate with our NATO partners, the Ukrainians, and how we're able to exchange information. All of that has been critical to success. And so for us, even as we are engaged in those operations in Europe, for us, the eye on the ball is the Indo-Pacific, is the pacing challenge from China. And so what we're focused on in terms of resiliency is building those partnerships in the Indo-Pacific. And that includes India as well. And I wanted to make sure that I point that out. Because right now, as of yesterday, the U.S. Army and the Indian Army are together, exercising in the Himalayas, as part of the UWS exercise, and that is in the 19th year, since 2020 or so, the US and the Indian armies have been working together and exercising and that partnership continues to grow, not just at the battalion or brigade level, but at the senior-most levels of the army where we're building strategic partnerships and relationships. And we are open to sharing those lessons learned that we have gathered in terms of how to bring these technologies to bear for warfighting, and the more we're able to share those lessons learned. And we're able to create that coalition in South Asia and Southeast Asia. That's going to be the key factor that deters somebody like China in the future. I think we have tremendous potential for us to build a coalition of the willing to deter aggression. And for me, it's been a proud moment to be the first CIO to show how technology can enable all of these things. But it's a transformation effort and it just will not - technology alone by itself will never able to get us there. But a combination of building relationships and partnerships, taking a look at the workforce aspects, reforming our institutional processes and how we start to change the nature of warfighting, all put together is how we're going to be successful in future.
Mani: Indeed. That was Dr. Raj Iyer, speaking exclusively with ISMG on U.S. Army's data and digital modernization roadmap, and how U.S. Army is augmenting its cybersecurity resilience to tackle the nuances of modern cyber warfare and preparing itself for 2030. Thank you, Dr. Iyer. It was fascinating talking to you.