Governance & Risk Management , Government , Industry Specific
Pentagon Doubles Down on Zero TrustZero Trust Will Be Implemented in the DOD by 2027, CIO Sherman Testifies
A top Pentagon technology official on Wednesday emphasized the U.S. Department of Defense's embrace of zero trust as a path to safeguarding military networks.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The department in November pledged to have a zero trust technical architecture within the next five years. The strategy calls for continuous multifactor authentication, microsegmentation of networks and more automation and better analytics.
Promoting widespread government adoption of zero trust principles was also a cornerstone of President Joe Biden's national cybersecurity strategy, unveiled earlier this month.
"We've committed to implementing zero trust across the DOD by 2027, which is an ambitious yet critical milestone, given the geopolitical threats we face," Department of Defense CIO John B. Sherman testified before the Senate Armed Forces Committee's Cybersecurity Subcommittee.
The panel's hearing occurred against the backdrop of persistent Chinese cyberespionage campaigns and Russia's ongoing invasion of Ukraine. While the conflict hasn't involved the full-fledged cyberwar some predicted, Moscow has used cyber operations to support its offensive military objectives - ranging from battlefield gains to information operations - as well as to undermine defenses.
The committee chair, Sen. Joe Manchin, D-W.Va., said Russia's invasion has demonstrated that "cyberattacks are no longer a novel tactic in warfare."
"This is precisely why we are holding this hearing this morning: to ensure that our defensive capabilities and awareness and our networks are up to the same standard as our offensive cyber capabilities," he added.
Also key to those defenses, Manchin said, is the cybersecurity posture of the more than 100,000 defense industrial base partners that research and develop new military weapons systems, as well as parts.
The federal government in October disclosed that an unnamed threat actor had gained access to a defense contractor's network and possibly exfiltrated information for nine months before being detected. The Government Accountability Office in November reported the DOD had experienced more than 12,000 cyber incidents since 2015, although the annual rate of detected attacks has been declining.
The Russia-Ukraine war is very much shaping the Pentagon's approach to how it advances its IT capabilities, Sherman said, including the ability to rapidly but safely spool up new cloud instances for military personnel, not least at the front edge of a conflict.
"As we've seen in Ukraine, today's battlefields are increasingly digital and connected with all the opportunities and vulnerabilities that environment presents," he said. "Nation-state challenges will present threats like we've not seen since the Cold War, if not more severe, and we must ensure all our systems, networks and data are ready."
The Defense Information Systems Agency, the military's network provider, for a year now has been implementing zero trust through a project dubbed Thunderdome. The DISA director, Air Force Lt. Gen. Robert J. Skinner, told the lawmakers Thunderdome is a "very successful prototype." He said the Pentagon is now working to bring it to many more of its enterprise networks, backed in part by requiring a software bill of materials for all software not developed by the DOD.