Pentagon ‘zero trust’ cyber office coming in December
WASHINGTON ― Next month, the Pentagon will formally launch a new office dedicated to accelerating the adoption of a new “zero trust” cybersecurity model, a senior DoD official said Wednesday.
David McKeown, DoD’s chief information security officer, said the office will fall under DoD’s chief information officer and be led by a yet-to-be-named senior executive. The move is part of an acceleration of ongoing zero trust implementation spurred by the Russian-orchestrated SolarWinds intrusion of federal systems.
“We’ve redoubled our efforts, we’ve fought for dollars internally to get after this problem faster,” McKeown said at C4ISRNET’s CyberCon event. “We’re standing up a portfolio management office that will ... rationalize all network environments out there, prioritize and set each one of them on a path of zero trust over the coming five, six, seven years.”
Zero trust assumes no trust across networks, devices or users, and demands constant, real-time authentication of the users accessing data. It’s a departure from perimeter-based security, under which an intruder can often move freely through a network after penetrating it.
McKeown said that while DoD has adopted some components that are meant to work together to create a “zero trust” environment, it’s not being prescriptive about the products its enclaves choose to adopt, as long as those products work together.
“We’ve got a lot of attention on this now, and we’ve got senior leadership in the department on board and putting their money where their mouth is and helping us to implement this at a very fast pace,” he said.
His comments come nearly six months after the Biden administration’s cybersecurity order to improve protections at government agencies in the wake of the SolarWinds intrusion.
McKeown said the sophisticated attack demonstrates the lengths to which intruders will go and the need for better security. SolarWinds, he noted, was a widely trusted piece of software that nonetheless began “beaconing out” from within networks.
“We have to be able to detect something like that,” McKeown said. “Not only the external compromises but the internal malicious behavior and potential supply chain risks need to be looked at.”
“We feel like zero trust is the only solution out there right now that gives us a fighting chance on detecting these folks that may have a foothold on our network or this anomalous software that we’ve allowed in.”