WASHINGTON — The telework environment caused by the coronavirus pandemic has accelerated conversations about implementing zero-trust network architectures at the U.S. Department of Defense.
In recent weeks, several top IT officials have said on virtual events that their departments are discussing concrete steps to move toward zero-trust architectures and away from using the phrase as just buzzword for cybersecurity. Zero-trust is a network architecture that inherently distrusts the user and continuously verifies the identity of the user accessing data.
“The need for zero-trust has been highlighted by the COVID-19 pandemic,” said Vice Adm. Nancy Norton, director of the Defense Information Systems Agency, which manages and secures DoD networks across the globe. She announced July 15 a plan to release a zero-trust framework by the end of the year.
Conversations about implementing zero-trust network architectures have been facilitated in part by the hundreds of thousands of DoD employees using the department’s remote collaboration platform, known as the Commercial Virtual Remote Environment. That technology has allowed DoD employees to remain productive while working outside the Pentagon. But the network expansion efforts that ensured the working from home was successful also increased the attack surface for the department’s adversaries.
That’s where zero-trust could help, officials said. The technique differs from the traditional network-centric approach to cybersecurity, which generally assumes the user inside a network can be trusted.
For its part, the Department of the Navy has historically struggled with cybersecurity.
“I think you’re going to see the Navy, based on COVID, aggressively pursue zero trust,” Chris Cleary, chief information security officer at the Department of Navy, said on a webinar last week. “It was something that was being kicked around as the latest buzzword a year ago, but now it’s really moved to the top of the stack, principally to enable this telework problem.”
As part of the telework environment, Cleary said, the Navy is allowing mobile devices to access its network to maintain productivity in day-to-day business operations. However, operational and sensitive work does require people to come to secure facilities, he added.
The Navy, he continued, has found “a lot of success” with its remote access and has acknowledged that it is taking a risk by allowing mobile devices to access the network.
“Well, because of the risks, we are acknowledging allowing any device to come into our data — not going through other security stacks — this is what’s really began to push the zero-trust model,” Cleary said.
The Pentagon’s deputy chief information officer for information enterprise, Peter Ranks, also said last week that zero-trust conversations were “accelerating” as the department explores what temporary telework policies put in place at the department before the pandemic should be made permanent. To maintain productivity during telework, the DoD has relied on enterprisewide, cloud-based tools and capabilities, such as the CVR Environment.
“This arrangement accelerated some of our timelines for implementing zero-trust concepts that have been under consideration for some time,” said Russ Goemaere, a DoD spokesperson. “Consequently, we are emphasizing zero-trust principles as we design future enterprise cloud solutions with the department’s shift to online collaboration platforms as a prime example.”
The success of the department’s CVR Environment, which now has nearly 1 million users, has its CIO shop to explore upgrading the environment to allow access to sensitive information, Pentagon CIO Dana Deasy said last week, a move that would require increased cybersecurity measures.
“There is an active conversation about what does sustained teleworking environment look like,” Deasy told reporters. “We’ve now built this amazing, robust infrastructure, and so there’s no doubt that we will leverage that in the event that the future requires us to.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.