Former Pentagon leaders are urging the Defense Department to consider how the zero-trust concept could be used to strengthen technological security across the department, in a new report from a leading defense association.
The National Defense Industrial Association released the report Monday to coincide with the formal launch of its new Emerging Technologies Institute. The report summarizes findings from a recent online ETI workshop, which "convened speakers and three groups of panelists who explored possible solutions from three perspectives: 1) Prioritizing the technology areas to maximize capability for cost, 2) Examining process changes to improve delivery, and 3) Reducing legislative barriers to fielding the technologies."
The report states: "Zero-Trust is a concept formulated initially for cybersecurity, where no user or data on a network is granted access beyond its direct scope, and where everything is verified. The Zero-Trust approach represents a very different view from the more traditional network security methods that have focused primarily on establishing seemingly secure perimeters that are intersected by trusted connections. The problem with this latter approach is that absolutely secure perimeters are all but unattainable, and trusted connections may in fact not be trustworthy."
The report continues: "The Zero-Trust concept should be expanded and applied to additional technology areas, particularly in the microelectronics area but also to autonomous systems, networked command and control, and next-generation communications. In practice, this expansion might include authorizing all personnel entering and exiting a given laboratory, monitoring data transfers on laboratory computers, and similar practices -- all without exception. To do so, the Department should consider commercial standards and advanced monitoring strategies as it applies Zero-Trust principles internally. Of note, another panelist pointed out some challenges with implementing Zero-Trust, including transitioning from current approaches, as well as the certification of new Zero-Trust systems."
DOD is in the process of moving to a zero-trust architecture and released its policy for services and agencies in February. The DOD Zero Trust Reference Architecture publication was led by the Defense Information Systems Agency, in partnership with the DOD chief information officer, U.S. Cyber Command and the National Security Agency.
The Senate Armed Services Committee is also interested in ZTA and directs DOD to develop "a joint zero-trust strategy and a model architecture for the Department of Defense Information Network and a data management strategy" in its version of the fiscal 2022 defense authorization bill. The legislation was approved by the full committee last week and the House Armed Services Committee marks up its version of the NDAA on Wednesday and Thursday.
Participants at the workshop included former Deputy Under Secretary of Defense for Acquisition and Sustainment Alan Shaffer; acting Navy Under Secretary James Geurts; ETI Executive Director Mark Lewis; MIT Lincoln Laboratories Director Eric Evans; MITRE's Dana Jackson; Nicole Petta, former principal director, microelectronics in the office of the under secretary of defense for research and engineering; Kevin Fahey, former assistant secretary of defense for acquisition; Katharina McFarland, former assistant secretary of defense for acquisition; and NDIA President and CEO Hawk Carlisle.
House Armed Services Committee Staff Director Paul Arcangeli, Senate Appropriations Committee staffer Kate Käufer, and former senior DOD officials Elaine McCusker and William Greenwalt also participated.
The report focuses on modernizing DOD's acquisition practices and has recommendations for the Pentagon and Congress.
ETI argues that the U.S. government "should expand the limits of data that can be released to academic institutions to the maximum extent possible without compromising security" and DOD "should emulate digital engineering and data collection techniques used by industry."
The Department should overhaul the Planning, Programming, Budgeting, and Execution process to allow for increased flexibility and transparency.
The Department should clearly define ownership, use, and protection as they relate to data and intellectual property.
The Department should continue to integrate digital engineering into production processes to accelerate timelines and reduce costs.
The report does not specifically mention the Pentagon's Cybersecurity Maturity Model Certification program, which is designed to protect controlled unclassified information used by the defense industrial base. However, one of the goals of the program, protecting intellectual property, is highlighted.
ETI says: "With the transition to digital engineering, it has been observed that there is an increasing need to examine data and IP rights. To do so, it was suggested that the Department not only be diligent in negotiating with industry partners about the ownership of data but also clearly delineate that data’s intended use. Multiple production and maintenance processes could be accelerated through greater access to collected data. Equal focus should also be given to protect this data and intellectual property through encryption methods and Zero-Trust policies. Cybersecurity standards ought to be followed to defend against potential cyber attacks, particularly those conducted by peer competitors."
Concluding the report, ETI says, "Modernizing the Pentagon is a challenge everyone agrees on; however, without consistent public and political commitment, it may prove impossible, thereby putting American security and prosperity at risk. As this report makes clear, the Biden administration has inherited a military at an inflection point. Making the right policy changes and investments now can ensure American supremacy for decades to come; the wrong policies and investments risk ceding global leadership."