Could ‘Zero Trust’ Prevent Intelligence Leaks?

As the Pentagon reels from the posting of secret documents to a Discord group chat, Army officials say their ongoing move to zero trust networks will help prevent more insider leaks.

“All you have to do is take a look at the news lately. And you understand why it's so important that we get this notion of zero trust implemented, because we firmly believe that it will not only improve our security posture, but we are already starting to see how it is dramatically increasing the user experience,” Lt. Gen. John Morrison, the Army’s deputy chief of staff for cyber, told reporters Monday.

Like the rest of the Defense Department, the Army has until 2027 to convert their networks to zero trust architectures, which continually check to make sure no one’s accessing data they shouldn’t.

This year, Army leaders say, they are “accelerating” efforts to build a cohesive, unified network “that is built upon zero trust principles” and which allows more standard and centralized management of connected computers, phones, and tablets. 

“What that is allowing us to do is from end to end, see the network in its totality for the very, very first time as we roll that out,” Morrison said. 

But how would any of this prevent, say, a junior National Guard IT specialist from leaking classified military documents?

The key would be better tracking of individuals’ access to certain networks and materials, down to the device. 

When asked about the recent Pentagon intelligence leaks, acting Army Chief Information Officer David Markowitz wouldn’t comment on the case against 21-year-old Jack Douglas Teixeira. But he said the service is tracking lessons from the investigation.

“We absolutely want to be able to control who sees what information…making sure that's updated in real time,” said Markowitz, who is also the Army's chief data and analytics officer. “And then if information is being accessed, being able to understand who has seen it, so that it's not as much information gets out and gets redistributed without control.”

Markowitz said with zero trust and preventing leaks, it’s important for information to come from a “known authoritative source…where you have some form of control over who has access.” 

The Army, as with the rest of the DOD, is betting big on zero trust, including mapping out network access and all the devices and users that plug into it. Morrison said doing that will help “set the conditions for a broader network implementation, with a focus on modernization,” particularly with those related to missions. 

The plan is to also make it so users can “go anywhere in the Army's portion of the [Department of Defense] Information Network, and log on and immediately conduct business” as part of updating its identity and access management, Morrison said. 

The Army is trying to improve user experience as it updates its technology. The service has been piloting initiatives with 22,000 service members with bringing their own approved devices and virtualized desktop services “that are being delivered either to remote locations, or on personal devices, or even on DODIN so that we don't have to replace hardware at a pretty significant cost,” Morrison said, adding that those efforts are part of a shift to increase productivity in a secure way. 

Markowitz said zero trust could also improve user experience and is part of the Army’s modernization plan. 

For example, service members at a remote reserve station for training or mobilization could use their personal devices that have been previously secured to connect “directly to the authoritative source for mobilization, getting orders, updating your [common operating picture] of what you might be deploying to,” he said. The data would travel through what he called a “colorless transport” with encryption to a “virtual environment where you can get the information, but it disappears when you turn your machine off.” That is, the information doesn’t live on the device for perpetual access. 

Additionally, timestamps of when users log on and off plus what they accessed is “cataloged so you can control data at the point of distribution as opposed to data going from machine to machine to machine—you lose track of workers.”

It's that combination of efforts that make security and usability easier, Markowitz said: managing identities for access, properly tagging data and matching them with individuals who have the right permissions, and encryption. 

Together, he said, “we can enable using more, more venues to get that type of information to our soldiers or civilians at the point of need, and the ability to better monitor and control. That's the vision.”