WASHINGTON — The Navy’s chief technology officer said that if the Pentagon had already implemented its “zero-trust” approach to protecting its information networks, it may have more quickly detected a recent, high-profile classified document leak.
The discovery this month that a 21-year-old member of the Massachusetts Air National Guard with a top secret security clearance had posted possibly hundreds of classified documents to a gaming website called Discord has drawn attention to the U.S. Defense Department’s ability to combat threats from within its own networks.
Navy CTO Don Yeske said April 26 during the virtual C4ISRNET Conference that while a zero-trust approach to network defense may not have prevented the leak, the underlying tenets would have helped the department detect the security breach sooner.
“The whole point of zero trust is to never trust. Always verify and assume breach,” Yeske said. “You begin from the point of assuming your network has been compromised, and if it hasn’t been compromised, that compromise is inevitable. Insider threats light up like a Christmas tree when that is your approach.”
The Pentagon released its zero-trust strategy last November, laying out a plan to implement the basic elements of the “trust no one” approach by 2027. The model requires that users and their devices be constantly evaluated.
“Part of what you do in a zero-trust approach is, every time a particular asset is accessed, you evaluate that access according to a set of policies,” Yeske said, noting that he doesn’t have knowledge of the investigation beyond what’s been reported publicly. “That policy-driven evaluation would have identified, I believe, a pattern of activity here where someone who’s a network administrator, someone who is an IT professional accessing this kind of information . . . would have been questioned.”
In response to the leak, the Pentagon announced April 17 it has revoked access to highly classified information for some users and is conducting a 45-day review of its security policies. Yeske declined to confirm whether the Navy has initiated a separate review, but said the service is “a part of that broader DoD team.”
The Navy is making good progress implementing zero trust and is modernizing its network environment based on the department’s strategy, Yeske said, adding that the 2027 deadline is mostly realistic if the service can stay on course.
“We are continuing to do a lot of development and testing in that environment,” he said. “In order to get there in ‘27 or before that, we have to be smart about how we get there.”
Courtney Albon is C4ISRNET’s space and emerging technology reporter. She has covered the U.S. military since 2012, with a focus on the Air Force and Space Force. She has reported on some of the Defense Department’s most significant acquisition, budget and policy challenges.