DOD research and engineering lead pushing ‘zero trust’ approach to cyber, 5G developments
The Pentagon’s research and engineering directorate is advocating for a “zero trust” approach to security across many of its technology initiatives, including cyber capabilities and fifth-generation wireless networks.
Lisa Porter, deputy under secretary of defense for research and engineering, said there has been a “mindset shift” regarding network security in recent years.
“There is no such thing as a secure system,” Porter said during an event on 10/23 hosted by the Center for Strategic and International Studies in Washington. “We have to deal with that reality, whether we’re doing cyber, whether we’re doing supply chain, whether we’re doing 5G.”
Porter said the R&E organization is “advocating” for the zero trust perspective across many of its technology focus areas.
“When you change your mindset to, ‘Wow, I have to assume that my networks aren’t trusted, that no matter where I am, I’ve got to go in with an assumption that I can’t trust what I am using as the backbone of my communications,’ it changes how you think about the technological solution,” she said. “And it actually opens up your aperture for, ‘How will I approach this?’”
Bill LaPlante, senior vice president and general manager for MITRE Corp.’s national security sector, said there needs to be more discussion about the technical implementations of a zero trust approach.
“What’s the affordability?” LaPlante said. “And then how do you get to the point of where you pay for however much trust? That’s the piece where this needs to go.”
Defense Advanced Research Projects Agency Director Steven Walker, speaking at the same CSIS event just before Porter and LaPlante, said DARPA is exploring how to “stay secure in an unsecure network.”
“How can we stay secure, for instance, in a 5G infrastructure that may not be secure?” Walker said. “If you have ideas in that space, come talk to us.”
Last week, officials said DOD is preparing to issue a request for proposals in early November for testing the use of 5G networks, including operations on “untrusted” or “partially untrusted” networks that include components or entire systems built and operated by Chinese companies.
Meanwhile, the Senate Appropriations Committee’s fiscal year 2020 defense spending bill would carve out $436 million in DOD’s budget for a new “5G-XG” program.
In July, the Defense Innovation Board released a white paper recommending DOD embrace a “Zero Trust Architecture.” The department should rely less on perimeter cybersecurity measures and instead assume “zero trust in the network itself,” according to the board’s paper.
“ZTA operates on a ‘least-privilege access’ model by only granting users and devices access to the applications, services and data that are absolutely necessary for their role within an organization,” the paper continued. “By using ‘role’ as a centerpiece for determining access, an organization can share its resources and data with more precision, and quickly expand or limit a user’s access as he or she takes on different roles.”
The white paper suggests the Common Access Card (CAC) used across the department could serve as the foundation for implementing a zero trust approach based on authentication and authorization rules.
However, the number of disparate networks across DOD means the shift to zero trust would “likely have to be incremental,” according to the board, which also pointed out the department will have to improve its digital management and tracking of user roles across organizations to build controls that determine access to specific applications and services.
“While some of this effort will require security architecture reconfiguration, there will also need to be a shift in the security culture throughout DOD to promote accurate and consistent record-keeping of roles and other identity characteristics,” the white paper stated.
At CSIS, LaPlante suggested “zero trust” is a key dimension in the simmering technological competition between the United States and potential adversaries.
“That could be the thing that we say, we’re going to win – we’re going to win the race to zero trust architectures,” LaPlante said. “We win that race as a country, we’ve won. I just think it’s really important.”