In the zero-trust cybersecurity model, all of an organization’s network users must be authorized and continuously validated before they are granted access, and to keep access, to applications and data. Users are given the lowest level of network and computing access they need to do their jobs.
Moving to a zero-trust model is critical, given that adversaries are “in our networks, exfiltrating our data, and exploiting the Department’s users,” John Sherman, the DOD’s chief information officer, wrote in the zero-trust document.
“Defending DOD networks with high-powered and ever-more sophisticated perimeter defenses is no longer sufficient for achieving cyber resiliency and securing our information enterprise that spans geographic borders, interfaces with external partners, and support to millions of authorized users,” he added. “To meet these challenges, the DOD requires an enhanced cybersecurity framework built upon Zero Trust principles that must be adopted across the Department, enterprise-wide, as quickly as possible.”
The DOD has made “tremendous strides” in cybersecurity in recent decades, but the agency focuses now on perimeter security, which doesn’t prioritize finding hackers once they’ve breached a network, added Navy Cmdr. Jessica McNulty, a DOD spokeswoman. DOD defenses are not keeping pace with its adversaries, she said.
“When that perimeter is compromised, attackers are often able to roam freely for days and even years, in some cases, inside our networks without being caught,” she said. “With the many ways to access our systems via remote devices such as cellphones and network and data access coming from all over the world, our current paradigm for cybersecurity must change.”
The DOD lists security tools, such as multifactor authentication, data loss prevention, and security information and event management, already in use at many organizations, as a second step in the move toward a zero-trust model. Continuous monitoring and ongoing authorization are listed as a third “advanced” step.
Multifactor authentication is used widely across the DOD but may not be used in all cases, McNulty said. “Since a major tenet of zero trust is ‘never trust, always verify,’ … multifactor authentication must always be used with no exception,” she said. “The goals in the document are not too conservative since zero trust is a journey that begins with changing individual and organizational mindsets about what are trusted entities and insiders.”
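The principles in the opening paragraph and in McNulty's remark (per-request authorization, continuous re-validation, MFA with no exception, least privilege) can be made concrete with a small policy decision point. The following is an added example written for this page; it is not DOD code and not part of the strategy document. The role table, the 15-minute re-verification window, the session fields and the user names are all constructed for illustration.

```python
"""
Added example (not from the article): a minimal zero-trust policy decision
point modelling the ideas the article describes:
  - "never trust, always verify": every request is evaluated on its own merits,
    and being inside the perimeter earns no implicit trust
  - MFA with no exception
  - continuous validation: a verified session ages out and must re-verify
  - least privilege: each role maps to the minimum set of actions the job needs
Role names, users, field names and the TTL are assumptions made for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Least-privilege role table (constructed): a role grants only what the job needs.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("users", "manage")},
}

# Constructed value: how long a successful verification remains valid.
REVERIFY_AFTER = timedelta(minutes=15)


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    last_verified: datetime
    on_internal_network: bool = False  # recorded, but never consulted below


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, resource: str, action: str, now: datetime) -> Decision:
    """Evaluate one request. Checks run on every call, so a session that was
    fine a minute ago is re-examined now. Network location is deliberately
    ignored: an internal address grants nothing by itself."""
    if not session.mfa_verified:
        return Decision(False, "mfa_required")          # no exceptions
    if not session.device_compliant:
        return Decision(False, "device_not_compliant")
    if now - session.last_verified > REVERIFY_AFTER:
        return Decision(False, "reverification_required")  # continuous validation
    if (resource, action) not in ROLE_PERMISSIONS.get(session.role, set()):
        return Decision(False, "not_permitted_for_role")   # least privilege
    return Decision(True, "ok")


def demo(now: Optional[datetime] = None) -> dict:
    """Run a handful of constructed requests and return the reason for each
    decision, keyed by a short case name."""
    now = now or datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    fresh = now - timedelta(minutes=1)
    stale = now - timedelta(minutes=30)
    cases = {
        # an internal, MFA-verified analyst reading a report: allowed
        "analyst_read_fresh": (
            Session("alice", "analyst", True, True, fresh, on_internal_network=True),
            "reports", "read"),
        # the same analyst trying to write: outside the role's minimum set
        "analyst_write": (Session("alice", "analyst", True, True, fresh), "reports", "write"),
        # an admin on the internal network but without MFA: still denied
        "no_mfa_internal": (
            Session("bob", "admin", False, True, fresh, on_internal_network=True),
            "reports", "read"),
        # an admin whose verification has aged past the window
        "stale_session": (Session("carol", "admin", True, True, stale), "users", "manage"),
        # an admin on a device that fails posture checks
        "noncompliant_device": (Session("dave", "admin", True, False, fresh), "reports", "read"),
    }
    return {name: authorize(s, r, a, now).reason for name, (s, r, a) in cases.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:22s} -> {reason}")
```

The point of the `on_internal_network` field is that it exists and is ignored: under the model the article describes, the decision depends on who the user is, whether they were recently verified with MFA, the state of their device and what their role minimally needs, not on where the packet came from.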
Some cybersecurity professionals saw the new strategy as a positive step for the DOD. The document sets deadlines for the adoption of various zero-trust tools and methods, noted Steve Judd, solutions architect at identity management provider Venafi.
“Without these, there is often a lack of urgency to act,” Judd told the Washington Examiner.
The move toward a “never trust, always verify” mindset is an essential way to protect DOD networks, Judd said. “Every actor on the network, whether inside or outside the perimeter, must be authenticated and authorized with a valid identity.”
Others suggested 2027 is too far away for the DOD to hit basic zero-trust goals. While the DOD is more secure than many other agencies, it should “move with a sense of urgency,” said Tom Kellermann, senior vice president of cyber strategy at Contrast Security.
The DOD needs to rethink its cybersecurity posture given that “rogue nations are waging an insurgency within DOD networks,” he added. “Rising geopolitical tensions are driving increasingly sophisticated threats in cyberspace. In a world that is defined by rapid digital transformation, intrusions are ubiquitous.”
However, the DOD will face several challenges when adopting a zero-trust model, said Andy Ellis, an operating partner at YL Ventures, a cybersecurity venture capital firm, and advisory chief information security officer at Orca Security.
The DOD can have an “imperfect connection” between users and their devices, he said. In most private companies, users are assigned to devices, and they use the same one day after day.
However, “warfighters in the field will often need to use computers wherever they are, changing the trust dynamics even more significantly, especially when professional computing support personnel may not be readily accessible,” Ellis told the Washington Examiner.
In addition, the ability of military equipment or groups to operate in conjunction with each other will be an issue because the DOD runs one of the most diverse information networks in the world, Ellis said.
“Data loss protection is generally implemented at the time of access, but when data is moved to another system, data protection controls rarely follow the data,” he said. “Changing this architecture is a necessary but painful step for the DOD to contemplate and will likely be the greatest drag on an effective zero-trust program.”