Following recently disclosed cyber breaches of a number of federal government and private sector networks, the Defense Department is accelerating its adoption of a zero trust (ZT) framework across the department's information network, the DODIN, defense officials told a Senate panel on Wednesday.
The DoD was already moving toward a ZT framework but the "increasing sophistication, determination, and resourcefulness of our adversaries in cyberspace" as evidenced by the compromises of software supplied by Microsoft [MSFT] and SolarWinds [SWI] "highlight the importance of accelerating adoption across the department," three DoD officials said in their written statement to the Senate Armed Services Committee's panel that oversees cybersecurity issues.
"Currently, untrusted users, machines, applications and other entities are kept outside of our network perimeter while trusted ones are allowed inside," David McKeown, deputy chief information officer for Cybersecurity and the Chief Information Security Officer for DoD, told the subcommittee in his opening statement. "We have developed advanced capabilities to monitor traffic flowing between untrusted networks, such as the internet, and our trusted networks to identify attempted attacks or exfiltration of data. The limitations of this defense are exposed when the adversary is able to establish a foothold on a device within our perimeter on our trusted network."
In the cases of the compromises of SolarWinds and Microsoft, the DoD wasn't hacked although nine other federal departments and agencies were, including the Department of Homeland Security.
The SolarWinds incident is being attributed to Russian actors by the U.S. intelligence community. In this incident, a foreign intelligence service is suspected of compromising the company's software supply chain, so that the company itself approved the software that went out in patches to upgrade customer networks running its Orion platform. In this way, the hackers avoided having to penetrate a network perimeter at all: they arrived inside what was considered a trusted upgrade, one that network administrators routinely download.
A ZT framework assumes a network has been compromised.
"As the threat landscape evolves, so must we," McKeown, Rob Joyce, director of the National Security Agency's Cybersecurity Directorate, and Rear Adm. William Chase, deputy principal Cyber Advisor to the Secretary of Defense, stated in their written testimony. "We must assume the DODIN is compromised and utilize existing and future advanced cyber defense capabilities to isolate and expel intruders. This advanced defense posture is at the core of the ZT framework."
McKeown, speaking for the witnesses in opening remarks, said that not trusting a network means "constantly" searching for threats and giving access only to approved users and devices. So, if a non-trusted user gains access to the DODIN, they won't be able to move laterally across the network or expand their privileges to gain further access to it, he said.
Perimeter and other cyber defense tools are still necessary, McKeown said. His view has been echoed by top DHS cybersecurity officials, who have said that even though hackers used the SolarWinds software as a vector to penetrate some government networks, perimeter detection and intrusion prevention tools remain necessary; what has to change is that more resources are invested in understanding the applications and components of existing networks and then providing defenses inside those networks.
The defense officials outlined seven pillars of the DoD ZT framework, which are "predicated on our strategy to architect from the inside out." The first pillar is users, who require continuous multifactor authentication, activity monitoring and behavioral biometrics to confirm that activity is genuine.
The other pillars are: applications and workloads, which involves containerizing and micro-segmenting to secure software; devices, which require real-time inspection and patching; data, with end-to-end encryption and tagging to protect sensitive information; networks and infrastructure, which includes next-generation firewalls and both physical and software-based segmentation; visibility and analytics, to analyze events and activities on the network; and finally automation and orchestration, which covers the responses and alerts generated when an incident is detected.
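To make the pillars concrete, here is an added illustration of what a zero-trust policy decision point looks like when it combines them: every request is denied by default and allowed only if the user's multifactor verification is fresh, the device is managed and patched, the user holds the role and clearance for the data tag on the resource, and the device sits in the same micro-segment as the workload. It also keeps the audit trail that the visibility and automation pillars depend on, so a compromised device that is denied repeatedly while probing other segments (the lateral movement McKeown describes) shows up in the data. This is example code written for this article, not DoD's or any vendor's implementation; the user, device, resource, role, tag and segment names, the eight-hour MFA window and the clearance ladder are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed, simplified zero-trust policy decision point. Names, roles,
# tags, segments and thresholds are assumptions for this illustration,
# not DoD policy or any real product's configuration.

MFA_MAX_AGE = timedelta(hours=8)                     # "continuous" MFA: re-verify at least this often
CLEARANCE_ORDER = ["unclassified", "cui", "secret"]  # constructed data-tag ladder, low to high


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    clearance: str
    mfa_verified_at: datetime            # last successful multifactor challenge


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                        # enrolled in device management
    patched: bool                        # passed the latest inspection/patch check
    segment: str                         # micro-segment the device connects from


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str                  # data tag applied to the resource
    required_role: str
    segment: str                         # micro-segment the workload lives in


def _rank(tag):
    """Position of a data tag on the ladder; None for an unknown tag (treated as deny)."""
    return CLEARANCE_ORDER.index(tag) if tag in CLEARANCE_ORDER else None


class PolicyEngine:
    """Default-deny access decisions plus an audit trail for analytics."""

    def __init__(self):
        # (timestamp, user, device_id, resource, allowed, reasons)
        self.audit = []

    def evaluate(self, user, device, resource, now):
        """Return (allowed, reasons). Every pillar check must pass; reasons lists the failures."""
        reasons = []
        # User pillar: identity must have been re-verified recently.
        if now - user.mfa_verified_at > MFA_MAX_AGE:
            reasons.append("mfa-stale")
        # Device pillar: only managed endpoints that passed inspection/patching.
        if not (device.managed and device.patched):
            reasons.append("device-posture")
        # Least privilege: the role bound to this workload must be held.
        if resource.required_role not in user.roles:
            reasons.append("missing-role")
        # Data pillar: the user's clearance must meet the resource's tag.
        user_rank, resource_rank = _rank(user.clearance), _rank(resource.classification)
        if user_rank is None or resource_rank is None or user_rank < resource_rank:
            reasons.append("data-tag")
        # Network pillar: no implicit trust across micro-segments.
        if device.segment != resource.segment:
            reasons.append("cross-segment")
        allowed = not reasons
        # Visibility pillar: record every decision, allowed or not.
        self.audit.append((now, user.name, device.device_id, resource.name, allowed, tuple(reasons)))
        return allowed, reasons

    def denials_for_device(self, device_id):
        """Analytics hook: denied requests from one device, a simple signal that a
        foothold is probing resources it has no business reaching."""
        return sum(1 for entry in self.audit if entry[2] == device_id and not entry[4])


if __name__ == "__main__":
    # Constructed sample scenario.
    now = datetime(2021, 5, 19, 12, 0, tzinfo=timezone.utc)
    alice = User("alice", frozenset({"logistics"}), "cui", now - timedelta(minutes=30))
    laptop = Device("lt-01", managed=True, patched=True, segment="seg-logistics")
    inventory = Resource("inventory-db", "cui", "logistics", "seg-logistics")
    payroll = Resource("payroll", "secret", "finance", "seg-finance")
    engine = PolicyEngine()
    print(engine.evaluate(alice, laptop, inventory, now))   # allowed
    print(engine.evaluate(alice, laptop, payroll, now))     # denied on role, tag and segment
    print("denials from lt-01:", engine.denials_for_device("lt-01"))
```

The design choice worth noting is that the engine collects every failed check rather than stopping at the first one: an analyst reading the audit trail sees that a request was blocked on role, data tag and segment at once, which distinguishes a stray click from a device reaching into a segment it should never touch.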