NASHVILLE, Tenn. — Although it sounds counter-intuitive, implementing zero trust principles is the pathway to ensuring that the Army’s data and communications network will be a trustworthy pillar supporting Army modernization, according to network cybersecurity experts across the service.
During last month’s Technical Exchange Meeting (TEM) 9 in Nashville, which convened industry and government experts to discuss current and future Army data and communications capabilities, the Army and Department of Defense amplified the adoption of zero trust architecture to continuously authenticate, authorize and validate users to access applications and data.
This lack of assumed “trust” makes hacking into a zero trust system more difficult than periphery cyber defense systems, which confine authentication to those seeking entry into the network, experts said. Zero trust systems do not stop at policing entry. They insert security checks throughout the entire system, through tagging the data itself, to verification of interactions and insisting on identification and verification of every part of the network including individuals and devices such as computers, servers, printers, phones and radios.
During a zero trust panel at TEM 9 chaired by Col. Evert Hawk, mission command lead for the Network Cross-Functional Team, Maj. Cory Dombrowski of the Army’s newly established Zero Trust Functional Management Office said the Army has been good at providing security at the edge of its networked systems by controlling access to the network and using personal identification or controlled locations, such as SIPR rooms. Zero trust will provide better cybersecurity, he said, because it will permeate every part of the network by tagging data, providing identity and credential management for devices as well as individuals and implementing attribute-based access control.
Dombrowski said the new office is working closely with tactical units on pilots to implement zero trust in the tactical arena. It works closely with Army Cyber, NETCOM, the Cyber Center of Excellence, Army CIO/G6, Network CFT, FORSCOM, Army Material Command, and several Program Executive Offices: Command Control Communications – Tactical (PEO C3T), Enterprise Information Systems and Intelligence Electronic Warfare and Sensors. It coordinates with wider Department of Defense zero trust activities, as well.
Dombrowski said the Army is implementing and operationalizing zero trust in alignment with the Department of Defense and the Air Force, Navy, Marines and Coast Guard. An important part of this effort involves building a zero trust-trained civilian and uniformed workforce, he added.
In a zero trust framework, the importance of knowing “what” device is on the network is nearly as important as knowing “who” is on the network, said Ogedi Okwudishu, of Product Manager Tactical Cyber and Network Operations. She said these questions explain why zero trust systems place a premium on Identity Credential and Access Management, known as ICAM.
“We should probably think of devices from a non-person perspective, because these are not just faceless IT devices; they are user devices, websites, web servers, and applications,” she said. “How do we identify everything that needs to be on our networks?”
Greggory Judge, Deputy Director of the Army’s Enterprise Cloud Management Agency , said Cloud computing will help address the challenge of managing identities and implementing zero trust.
“A lot of zero trust right now is tailored to operate in a cloud environment with effectively unlimited computing, unlimited power, unlimited throughput, and unlimited storage,” Judge said. Cloud technology also makes it easier to update the system, enhance communications, handle large amounts of data and provide improved resilience, he added.
These factors make cloud technology important for maintaining zero trust at the tactical edge, said Carl Bridges, chief information officer, PEO C3T. However, in limited bandwidth environments, the Army will need to develop processes for handling the flow of data and maintaining cybersecurity, he said.
“How do we get commanders information [in a disconnected or denied] environment, when we need to deal with potential disruptions, when we sometimes have access to cloud, sometimes no access to cloud?” Bridges said. “We're looking at a zero trust architecture that's going to enable us to operate in a tactical environment as well as an enterprise environment and pivot between the two.”
Even more important, Bridges said, is that cloud computing will enhance both zero trust and network resilience.
“We have to be able to pivot, when needed, from a more traditional high connectivity environment, with connectivity to a zero trust architecture, into a disrupted disconnected, intermittent and low-bandwidth environment,” Bridges said. “There's still a need to get the mission done. There's still a need to be able to access applications. There still needs to be the ability to create, generate and see data. And we can't assume that because we don't have access to those various resources anymore, that we're no longer trusted.”
Implementing zero trust is also a focus for S&T capabilities still in development, said Bob Kimball, Senior Research Scientist with the C5ISR Center. He said the Army S&T is currently focused on several key zero trust capabilities, ranging from logging all traffic and Machine Learning to providing Continuous monitoring and authorizations.
“A lot of research is taking place to reduce the burden on those making determinations and will improve the decision-making,” he said.