The size and complexity of both private and public networks – and the number of devices on them – are growing at a rapid pace. It is apparent to all that the old way of providing security for Department of Defense (DoD) networks, by creating an ostensibly penetration-proof barrier, will not work. As recent major cybersecurity breaches have demonstrated, all systems are vulnerable to penetration. DoD recognizes that it must pursue with all possible speed a strategy based on zero trust (ZT).
Zero Trust Networks
ZT cybersecurity assumes that unauthorized users will be on a network. The key to countering this threat is putting in place the policies and supporting cybersecurity systems that continually monitor networks to identify unauthorized users and isolate them. DoD has announced a strategy for the rapid implementation of ZT on all its networks. To that end, it needs to make broader use of existing techniques and technologies such as those provided under the current Comply-to-Connect (C2C) program.
Recent major network penetrations such as the SolarWinds and Colonial Pipeline attacks demonstrate how difficult it is to protect critical government and commercial networks. As the Internet of Things proliferates, there will be more endpoints on networks. The U.S. military is seeking to develop the Joint All-Domain Command and Control system, which will simultaneously connect tens of thousands of platforms, sensors, and weapons. These networks encompass a wide variety of endpoints, some state-of-the-art, and others several generations old. This unique Internet of Military Things must be secured against penetrations.
It is now clear that these networks are simply too massive and complex for any perimeter security system to provide an adequate defense. As these networks grow, the potential for unauthorized devices to be present also grows. As a result, operators must assume that there will be successful penetrations of their networks. As Senator Joe Manchin asserted during a hearing of the Cybersecurity Subcommittee of the Senate Armed Services Committee:
“We have to assume at all times that our networks have been penetrated, that at every moment adversaries are inside our system. We have to act on the possibility that every action and transaction on our networks is being conducted by an adversary. We have to constantly challenge and verify the identities and the credentials of all the users.”
Constant Vigilance in Zero Trust Networks
In response to recognizing that network penetrations will take place, DoD is adopting the zero trust network security principle. In essence, ZT seeks to maintain the operation of defense networks while they are under continual attack and assumes that a persistent threat can penetrate any perimeter of a security system with enough time and resources. As a design principle for network security architectures, ZT requires that all users or endpoints on a network be authenticated, authorized, and continually monitored in order to have access to data or applications.
DoD sees an urgent requirement to implement a ZT-based cybersecurity strategy. According to DoD’s Chief Information Officer, Mr. John Sherman: “What we’re aiming for is by 2027 to have zero trust deployed across a majority of our enterprise systems in the Department of Defense. Five years. That’s an ambitious goal … but the adversary capability we’re facing leaves us no choice but to move at that level of pace.”
Having determined to pursue a cybersecurity strategy based on ZT, DoD must now deploy the tools and techniques to continually monitor, authenticate, and validate network endpoints. When it comes to countering cyber threats, the government cannot defend what it cannot see. DoD must enhance its ability to continually surveil its networks and identify and interrogate all devices. A key aspect of ZT is to provide cybersecurity officials with a continuing real-time picture of who is on their networks and to identify unauthorized and potentially hostile endpoints.
Fortunately, DoD has a program underway that can provide the tools necessary to pursue the ZT strategy. This is the Comply-to-Connect program. According to the Defense Information Security Agency, implementing C2C will “establish a framework of tools and technologies operating throughout the network infrastructure that discover, identify, characterize, and report on all devices connecting to the network.”
C2C does not require network managers or users to trust that the network is secure, because every user and device must be both authorized for access and compliant with minimum security standards before it is allowed to connect. In this way, C2C supports an environment of zero trust. In essence, all C2C users and devices must prove their legitimacy to be allowed to operate on DoD networks. Devices that are authorized but lack the proper security software can be remediated. According to a longtime cybersecurity expert involved in the C2C program:
“The ultimate goal is understanding exactly what is happening on the network, who is connecting, what is connected, and what are those devices and users doing on the network so you can make sure that, where connection is necessary for a mission, it’s available but also that it’s secure.”
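The admission logic the passage describes (authorized and compliant endpoints connect, authorized but non-compliant endpoints are remediated, everything else is isolated, and every endpoint is re-checked on each pass rather than trusted from a previous decision) can be written out as a small policy evaluator. This is an added illustration, not C2C program code or DoD policy; the device inventory and the set of required controls are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    CONNECT = "connect"        # authorized and meets minimum security standards
    REMEDIATE = "remediate"    # authorized but missing required security software
    ISOLATE = "isolate"        # unauthenticated or not in the approved inventory


# Minimum security standards an endpoint must report (constructed for this example).
REQUIRED_CONTROLS = {"endpoint_agent", "disk_encryption", "patch_level_current"}


@dataclass
class Endpoint:
    device_id: str
    authenticated: bool                          # identity proven (credential/certificate check)
    authorized: bool                             # present in the approved device inventory
    controls: set = field(default_factory=set)   # security controls the device reports


def evaluate(ep: Endpoint) -> tuple[Decision, set]:
    """Comply-to-Connect style decision for one endpoint.
    Returns the decision and the set of missing controls (empty when none)."""
    if not (ep.authenticated and ep.authorized):
        return Decision.ISOLATE, set()
    missing = REQUIRED_CONTROLS - ep.controls
    if missing:
        return Decision.REMEDIATE, missing
    return Decision.CONNECT, set()


def monitor(endpoints: list[Endpoint]) -> dict[str, str]:
    """Re-evaluate every endpoint on each monitoring pass; a prior CONNECT
    decision is never cached, matching the zero-trust principle of continual
    verification rather than one-time admission."""
    return {ep.device_id: evaluate(ep)[0].value for ep in endpoints}


# Constructed sample inventory (hypothetical devices, not real network data).
SAMPLE = [
    Endpoint("wks-01", True, True, {"endpoint_agent", "disk_encryption", "patch_level_current"}),
    Endpoint("wks-02", True, True, {"endpoint_agent"}),        # authorized, missing controls
    Endpoint("unknown-7", False, False),                        # unknown device, no identity
    Endpoint("printer-3", True, False, {"endpoint_agent"}),     # identified but not approved
]

if __name__ == "__main__":
    for device, action in monitor(SAMPLE).items():
        print(f"{device}: {action}")
```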
C2C is gaining wide acceptance in DoD. It is scheduled to be fully implemented on DoD’s Non-classified Internet Protocol (IP) Router Network (NIPRNet) by June 2023 and on the Secret Internet Protocol Router Network (SIPRNet) by March 2024. In addition, both the Marine Corps and Navy have aggressively implemented C2C.
Having developed a DoD-wide strategy for securing its networks—ZT—and identified a set of tools and capabilities to provide continuing surveillance, authentication, and response—C2C—the Pentagon needs to establish responsibilities for implementing its security program, and metrics with which to determine the effectiveness of its efforts. This last piece of the overall network security architecture is the revised Risk Management Framework (RMF) for DoD systems. The RMF lays out a clear chain of responsibility for implementing network security and establishes metrics to judge progress towards the goal of ZT.
In order to meet the exacting requirements for ZT on the timeline articulated by CIO Sherman, DoD will need to make full use of existing capabilities. C2C is a proven capability that is already being widely implemented across critical defense networks. It makes sense to expand the C2C program and make it an essential enabling capability of the ZT strategy.
Dr. Daniel Goure, a 1945 Contributing Editor, is Senior Vice President with the Lexington Institute, a nonprofit public-policy research organization headquartered in Arlington, Virginia. He is involved in a wide range of issues as part of the institute’s national security program. Dr. Goure has held senior positions in both the private sector and the U.S. Government. Most recently, he was a member of the 2001 Department of Defense Transition Team. Dr. Goure spent two years in the U.S. Government as the director of the Office of Strategic Competitiveness in the Office of the Secretary of Defense. He also served as a senior analyst on national security and defense issues with the Center for Naval Analyses, Science Applications International Corporation, SRS Technologies, R&D Associates, and System Planning Corporation.