US Department of Defense to Launch Zero Trust Office
Move Comes as Agencies Accelerate Adoption of the Model in Wake of SolarWinds
In an effort to streamline the adoption of zero trust cybersecurity architectures, the U.S. Department of Defense in December will launch an office dedicated to zero trust, according to a senior DOD official.
Deputy DOD CIO for Cybersecurity and Senior Information Security Officer David McKeown said this week that the zero trust office will be led by a senior executive - who has yet to be named - with oversight from the department's CIO, Kelly Fletcher.
This announcement comes as federal agencies move to modernize their systems following the monthslong SolarWinds cyberespionage campaign that was first detected in late 2020, in which threat actors allegedly backed by the Russian government pushed out a malicious software update and breached some 100 organizations globally. Those breached included nine U.S. federal agencies, among them the Treasury, Commerce, State, Energy, and Homeland Security departments.
Speaking at C4ISRNET's CyberCon event this week, McKeown said, "We're standing up a portfolio management office that will … rationalize all network environments out there, prioritize and set each one of them on a path of zero trust over the coming five, six, seven years."
'Implementing at a Fast Pace'
The "never trust, always verify" model suggests that devices - even those previously verified on corporate networks - cannot be trusted by default. It advocates for the principle of least privilege, in which access to applications and services is based on necessity, user behavior and additional authentication.
McKeown said this week that the Defense Department has adopted some components that, collectively, will achieve zero trust status, and has taken that approach for its enclaves.
"We've got a lot of attention on this now, and we've got senior leadership in the department on board and putting their money where their mouth is and helping us to implement this at a very fast pace," McKeown said, according to C4ISRNET. "We feel like zero trust is the only solution out there right now that gives us a fighting chance on detecting these folks that may have a foothold on our network."
John Kindervag, who created the zero trust model while working as an industry analyst for Forrester, tells ISMG that initial zero trust guidance issued by the Defense Information Systems Agency, or DISA, which provides IT support to defense officials and military services, is "in line with the 'authentic' zero trust model."
"It's gratifying that the DOD recognizes this and is the first of the big government organizations to understand the volume," says Kindervag, who now serves as senior vice president of cybersecurity strategy at the firm ON2IT. "The DOD was already on a zero trust journey, and they're now standing up this office to manage it.
"It's good news for the world, and shows what's being done by arguably the largest cybersecurity organization in the world - the U.S. Department of Defense."
"By focusing on zero trust, the Pentagon sends a clear message to cybercriminals that they are taking cybersecurity seriously," says Felipe Duarte Domingues, a security researcher for the firm Appgate. "This should be a wake-up call to all organizations that haven't adopted zero trust yet. The best way to contain the damage from a ransomware or a spyware attack is to implement [the model]."
Agencies Acting on Cyber EO
DOD's announcement aligns with principles laid out for federal civilian agencies in President Joe Biden's May executive order on cybersecurity, which is one of the most sweeping cyber mandates to date, demanding widespread technology modernization. It lays out a series of deadlines that, according to one of Biden's top cybersecurity advisers, Anne Neuberger, are "aggressive but achievable."
The executive order mandates that agencies update plans to prioritize the adoption of zero trust and the use of cloud technology, as well as develop a plan to implement the architecture (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
It also lays out extensive guidelines for how federal agencies must evaluate software for their IT infrastructures and calls for the establishment of a Cyber Incident Review Board modeled on the National Transportation Safety Board - to be created by the Department of Homeland Security secretary, with interagency members.
Biden's order also calls for the removal of contractual barriers that hamper the sharing of threat intelligence between government agencies.
Despite its ambitious nature, the order will take years to fully come to fruition, though one six-month milestone - Nov. 8 - called for agencies to adopt multifactor authentication and encryption for data at rest and in transit. The order gave agencies 180 days to comply - with assistance from CISA - or provide a written explanation as to why they are unable to do so.
Though Neuberger, who serves as the deputy national security adviser for cyber and emerging technology, confirmed in October that agencies had met previous deadlines, it was widely expected this week that agencies may be filing with the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, and the White House national security adviser about related challenges, CyberScoop first reported.
Administration officials, however, continue to work with agencies on securing high-priority assets based on identified gaps. Eric Goldstein, executive assistant director for cybersecurity at CISA, tells ISMG: "As directed by President Biden’s executive order, we are working with federal civilian agencies to advance deployment of MFA, particularly for remote access and privileged users, as part of a broader transition to zero trust principles across the executive branch."
Neuberger has said that MFA could prevent 80% to 90% of successful cyberattacks, requiring threat actors to crack another security layer - often a smartphone with an authentication code or hardware token. Nevertheless, the next phase of the executive order now largely involves often time-consuming technology deployment.
Cyber EO Has Resonated
Zero trust pioneer Kindervag says the formation of the DOD's related office no doubt "shows that [President Biden's] executive order on cybersecurity has resonated throughout the government, not just the civilian side of it."
"This new office is going to play a major role in helping [select] agencies and [thus] the IT industry better understand zero trust as a strategy and how to implement it," says John Yeoh, global vice president of research for the Cloud Security Alliance. "Those that understand the basic philosophy of zero trust still don't always know where to start. The IT ecosystem has become, and continues to be, more complex with virtual tools and technologies.
"The office will succeed if it gives [agencies] an understanding into the layers of trust that must be made and maintained within this operating environment. … A zero trust approach for establishing and maintaining trust will help better evaluate the risks throughout the digital ecosystem."