Laying the groundwork for zero trust in the military

In this Help Net Security interview, Curtis Arnold, VP and Chief Scientist at Core4ce, discusses the starting points for military training in zero trust principles, emphasizing foundational technologies and a unified taxonomy.

Arnold provides insights into the DoD’s Zero Trust Overlays guide and the future evolution of zero-trust principles in a military context.

Where should the military begin its training process for zero trust principles? Should specific tools or technologies be implemented first to support this training?

While zero trust is a strong foundation for DoD, initial military training should be focused on base technologies and a taxonomy that can ensure everyone is talking about the components of zero trust in the same way.

Currently, network devices are mainly referred to and managed as they have been for decades. They are viewed in a stove-piped manner, meaning each network solution is managed as a unique solution instead of aligning to a larger integrated security architecture such as zero trust. This traditional approach contrasts sharply with the principles of zero trust architecture, which emphasizes continuous verification and assumes that threats can come from both inside and outside the network.

Initial training and standardization of network device security will help set the baseline for the forces that can be built on top of the foundation – like other military training practices such as the development of Cyber Protection Team (CPT) team members.

It is hard to identify a technology that should be implemented first since each service and agency is free to implement zero trust in the manner that best fits their mission across a myriad of zero trust solutions. However, the most beneficial adjustment will be for security leaders to shift their mindset from the need for a change in technologies to a change in data types and models.

Zero trust is more about having a data mindset than implementing a specific tool or technology. The primary data elements, such as authentication logs or device health, will be the same among the various technical solutions. A focus on training in those data sets will allow individuals to better support zero trust across multiple environments.

How are AI and ML used on both sides of the digital battlefield, and what potential threats do they introduce that we need to be prepared for?

Artificial intelligence and machine learning (AI/ML) offers multiple threats and concerns on both sides of the battlefield. Externally, AI/ML enables malicious activity to potentially change, or morph, at a faster rate than our sensors can detect and be countered by Defensive Cyber Operations (DCO). Our adversaries may also try to attack, or poison, the underlying language models of our own AI/ML models. This could lead to false reporting or unwanted actions in response to malicious activity.

Internally, AI/ML can support many of our cybersecurity efforts by automating detection and response activities, writing incident reports, creating Security Information and Event Management (SIEM)/Security Orchestration Automation, and Response (SOAR) signatures and queries, and more. The potential use cases for AI/ML will shape future cyber operations, but it also comes with flaws that can be exploited. Specific training and observation teams need to be developed to track major AI/ML initiatives to make sure they are operating as designed. Likewise, the cyber forces need to better understand how the technology works so they can understand effects at their level and make the best use of the vast capabilities that will be brought by AI/ML.

Are there any lessons or best practices from the private sector that the military can adopt for zero-trust training and implementation?

As with all major IT and cyber initiatives, the collaboration between the public and private sectors is increasingly important. The technology and threat landscape is ever-changing and emerging at a faster pace than many other domains. The government is working hard to develop rules and policies to address the changing landscape. They need to make the most informed decisions possible in these rules/policies and that can only come from close collaboration with private industry.

Together, they can ensure that the best decisions are being made for the country. The industry is leading the technology development in this area and developing new capabilities and processes daily. These need to be shared often, while government develops and updates policies to keep up with technological innovation.

Can you provide an overview of the DoD’s Zero Trust Overlays guide? What are its main objectives? How does this guide standardize the approach to zero trust across the armed services?

The DoD’s Zero Trust Overlays guide is meant to provide clear, actionable guidance for how an agency can properly implement a zero trust architecture in a methodical, phased approach. The DoD’s overlays identify the standards or capabilities that must be implemented within each of the seven pillars (User, Devices, Applications & Workloads, Data, Network & Environment, Automation & Orchestration, and Visibility & Analytics). This allows for a standard approach focused on capabilities across multiple technical solutions.

This is important because within an organization the size of the DoD there are multiple types of missions that make standard solutions virtually impossible. However, there still needs to be a standard that each mission must meet to ensure a secure baseline across the department.

How do you see the zero-trust principles evolving in the military context? What additional measures might be necessary as the digital battlefield continues to expand?

The military will continue to evolve into a zero trust, data-centric environment. The zero trust principles force mission owners and capability providers to think about data and access it differently. From a Defensive Cyber Operations (DCO) perspective, it highlights that data must be protected from all aspects and all directions instead of just at the border.

This will provide not only a more secure environment that protects data, but also a standard approach that includes additional sensors to identify potential misconfigurations, leaks, or malicious activity.

The most important measure needed to support this initiative is training and collaboration with industry partners to ensure the DoD can understand new technologies and combat emerging threats.