
The future of cybersecurity in the Pentagon

A comprehensive and robust zero trust strategy must provide a constantly evolving posture that addresses all potential access points. This means understanding the users, their personas, and the devices needed to get the job done. 

With the Department of Defense launching a new zero trust portfolio management office, zero trust's evolution from a provisional concept into something much bigger is clear. Although military leadership has always prioritized a proactive security posture, significant breaches within the past year have lit a fire beneath zero trust efforts.

Given the fundamentally transformative and digital nature of modern battlefields—moving on short notice and communicating with globally deployed troops—traditional security methods no longer suffice. Yesterday’s firewalls and authentication methods can inadvertently grant broad access to move through DOD networks unchecked and undetected.   

The new zero trust-focused office will help centralize the department's efforts. That includes the joint zero trust architecture between the DOD and the Defense Information Systems Agency, developed in collaboration with the National Security Agency and U.S. Cyber Command. The shared effort creates a mission-focused zero trust cybersecurity reference architecture and demonstrates how the defense space is addressing evolving security concerns. The draft framework aims to limit the effects of malicious activity by instituting strategies built on the principles of "never trust, always verify; assume breach; and verify explicitly."

The framework's targeted categorization of technologies and capabilities allows for a defense-specific, comprehensive zero trust plan that continuously assesses risk, reviews access privileges, monitors user and device activity, and takes further steps when necessary.

Looking forward while staying agile

A comprehensive and robust zero trust strategy must provide a constantly evolving posture that addresses all potential access points, including those emerging with the rapidly shifting landscape. This means understanding the users, their personas, cloud and network access, and the user devices needed to get their jobs done.   

To cover these devices and applications, zero trust strategies must include comprehensive, continuous monitoring and risk assessment through tools such as secure access service edge (SASE) and its associated elements, cloud access security broker (CASB), zero trust network access (ZTNA) and secure web gateway (SWG).   

A secure access service edge is the backbone of this platform. It helps secure the DOD's networks by providing one solution that supports continuous verification through combined cloud security solutions. SASE enforces security policies by assessing the user and device risk within context. As a result, the SASE platform secures the network regardless of the devices or users requesting access.  

The Defense Information Systems Agency is working to offer SASE capabilities and other identity-based technologies through the Thunderdome program, an effort to assist in transitioning to a zero trust architecture. Thunderdome has seven capabilities that align with the zero trust architecture's seven pillars: user, device, network and environment, application and workload, data, visibility and analytics, and automation and orchestration.  

A cloud access security broker is an element of SASE that performs the vital function of monitoring communications between applications, automatically and continuously scanning for risks and anomalies such as unusual access or privilege modifications. This is an improvement over the standard security measures of the past. For example, virtual private networks provide full access to any device that connects to the network, which means that once given access, cybercriminals can move laterally across an organization's infrastructure. A CASB, by contrast, can detect these anomalies in real time. Real-time rule blocking prohibits the device or user from accessing the network until validated, protecting critical government data.

Zero trust network access is another solution that allows organizations to limit access to private applications—a key factor for the DOD, where the work inherently involves highly sensitive information. ZTNA also gives users seamless and secure remote access to applications that are otherwise reachable only internally, without exposing those apps to the Internet directly. Giving users access only to the applications they need to perform their job, rather than to an entire network of applications or devices, follows the principles of zero trust. This approach can help restrict an attacker's ability to move laterally within the environment if an individual user account is compromised.

A secure web gateway provides yet another layer of network protection by serving as the portal that safeguards user access to certain sites and networks. By deploying an SWG, the DOD gains a first-line defense that blocks access to certain sites and safeguards data with pre-established security policies.

Together, these platforms serve as an overarching solution to help the DOD secure data on its networks as targeted threats grow in sophistication.
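The contrast the preceding sections draw between VPN-style network-wide access and per-application, continuously verified access can be made concrete. The following is an added illustration written for this article, not code from the DOD, DISA or the Thunderdome program; the users, devices, roles, application entitlements, risk scoring and the `privilege_change` event format are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in device management
    patched: bool            # at the required OS patch level
    compromised: bool = False

@dataclass
class User:
    user_id: str
    roles: set
    mfa_verified: bool

# Constructed sample entitlements: each app is granted on its own, never the whole network.
APP_ENTITLEMENTS = {
    "payroll": {"finance"},
    "logistics": {"logistics", "finance"},
    "hr-portal": {"hr"},
}

def device_risk(dev: Device) -> int:
    """Additive posture score (assumed weights); 0 means a managed, patched, clean device."""
    return (0 if dev.managed else 2) + (0 if dev.patched else 1) + (5 if dev.compromised else 0)

def vpn_style_access(user: User) -> set:
    """Legacy model the article criticizes: one successful login exposes every application."""
    return set(APP_ENTITLEMENTS) if user.mfa_verified else set()

def ztna_decision(user: User, dev: Device, app: str, recent_events: list, max_risk: int = 1) -> str:
    """Verify explicitly on each request: identity, entitlement, device posture, then context."""
    if not user.mfa_verified:
        return "deny: identity not verified"
    if not (user.roles & APP_ENTITLEMENTS.get(app, set())):
        return "deny: not entitled to application"
    if device_risk(dev) > max_risk:
        return "deny: device posture"
    # CASB-style anomaly rule: a recent privilege change on this account holds access until re-validated
    if any(e["type"] == "privilege_change" and e["user"] == user.user_id for e in recent_events):
        return "hold: re-validation required"
    return "allow"

if __name__ == "__main__":
    alice = User("alice", {"finance"}, mfa_verified=True)
    laptop = Device("lt-01", managed=True, patched=True)
    print(vpn_style_access(alice))                        # every app, once logged in
    print(ztna_decision(alice, laptop, "payroll", []))    # allow
    print(ztna_decision(alice, laptop, "hr-portal", []))  # deny: not entitled to application
```

The same authenticated user gets every application under the VPN model but only the entitled one under ZTNA, and a posture failure or a flagged privilege change on the account changes the answer on the very next request.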

A dedicated strategy for mobile 

To prepare for a zero trust-oriented future, defense leaders must create a comprehensive cybersecurity plan factoring in these elements and addressing the proliferation of mobile devices.   

Even though one in 15 government employees was exposed to phishing threats, and application-specific threats surged nearly twentyfold across all levels of government in 2020, mobile devices are often overlooked by government agencies.

DOD information technology leaders must educate employees on emerging and increasingly common mobile threats. User education needs to be coupled with robust mobile solutions that offer real-time visibility and protection against threats. 

Scale, scale, scale 

A single agency or branch of the military evaluating and disseminating technology alone is not enough. The scale, cost and depth of skills required for such a large undertaking far exceed what one branch or organization can—or should—handle alone.

As with the recent Joint Cyber Defense Collaborative, there must be a large-scale movement within DOD to collaborate and disseminate zero trust practices throughout contractor organizations and private sector companies. In turn, these groups provide their own broader industry expertise in zero trust architecture.  

The cyber threat environment that the DOD faces is daunting as attacks and cybercriminals evolve in complexity. Targeted tactics and vulnerabilities continue to emerge at an alarming rate. Military leaders must be prepared to defend against these threats—and a proper zero trust strategy is critical to mission success.