The Pentagon next month will formally launch its delayed new office responsible for accelerating the adoption of its "zero-trust" cybersecurity program, a senior Defense Department official said Wednesday.
The office, originally planned to launch in October, will “rationalize” and prioritize all network environments and set each one of them on a path to implementing zero trust over the next several years, David McKeown, deputy DOD chief information officer for cybersecurity, said during a C4ISRNET CyberCon event.
The United States continues ”to be attacked by a very persistent set of adversaries,” McKeown said. “We have sort of eliminated the low-hanging fruit, an unpatched server or an application or website that has a vulnerability. We’ve really done a very good job of taking away the easy paths and they’ve had to up their game and become more sophisticated in how they get on our networks.”
The zero-trust concept aims to prevent data breaches by assuming no trust for any user or divide on a network. McKeown said the SolarWinds supply chain cyberattack accelerated DOD’s push for zero-trust.
“When we look at the SolarWinds attack, for instance, where we all trusted a piece of software that was developed by a vendor, we all brought it into our network, and then we thought it was a good piece of software, but it was compromised and it started beaconing out and we have to be able to detect something like that,” McKeown said. “So not only the external compromises, but the internal malicious behavior and potential supply chain risks need to be looked at. And we feel like zero trust is the only solution out there right now that gives us a fighting chance on detecting these folks that may have a foothold on our network or this anomalous software that we’ve allowed in.”
The new office will be under the direction of the DOD chief information officer, McKeown added.