In cybersecurity, time is of the essence. The sooner a hack is detected, the less damage is done. However, it takes the average company about 300 days to catch and contain a breach. That gives bad actors just under a year to exploit systems and potentially steal, surveil, and sabotage.
Now magnify this threat across 90 branches of different sizes—often under attack by the world’s best hackers—and the challenge is clear for the U.S. Department of Defense. Since 2015, the department has experienced more than 12,000 cyber incidents, with concerns that this number could increase following heightened tensions with Russia or China. It’s no wonder, then, that zero trust architecture is gaining ground.
In September, the Pentagon announced a review of plans to implement zero trust across the military by 2027. Getting this right is no mean feat and the clock is ticking. Let’s consider how defense can unite its approach and better protect itself.
The Pentagon’s cybersecurity challenge
The scope of this cybersecurity restructuring is enormous. Each branch of the military operates with its own distinct systems and procedures, so unifying its security posture is akin to assembling a puzzle with pieces from different sets. Further complicating matters, the military has many legacy systems, which require careful modernization to align with zero trust architecture. A lack of comprehensive cyber capabilities, workforce readiness, and visibility across multi-cloud setups also poses significant obstacles.
A successful zero trust transition demands more than technological prowess—it requires a reorientation of mindset and strategy. The motto of zero trust is “never trust, always verify.” This means not trusting users and devices by default, even if they are connected to a “permissioned” network. This marks a fundamental shift away from implicit trust and toward a model that scrutinizes every interaction regardless of source.
There’s an argument to be made that a thorough assessment is overdue from the Pentagon. Research consistently shows that poor planning results in poor integration of zero trust, leading to slower issue resolution, worse user experiences, incorrect access privileges, manual intervention, and compliance issues. And, for an organization this large and multi-faceted, these potential issues are only compounded. Defense must stay on track, especially when it comes to updating identification processes, unifying the new architecture, and keeping employees onside.
Getting the tech right
In practice, trusting nothing and authenticating everything demands a complete cybersecurity rewrite. Identity, for example, will now require ongoing verification, which the military can then use to precisely control network access and data entitlements. This guarantees that users access only what’s appropriate. Encryption, authentication, and network traffic segmentation also strengthen the integrity of such communications. But, again, there’s inherent complexity in onboarding all of these tools alongside a new approach that focuses on identity rather than the perimeter.
Additionally, with this framework in place, the Pentagon must ensure the new architecture operates in the most agile way possible. Automation, orchestration, and unification are big parts of this. Especially when it comes to flagging security breaches, the military will need to explore continuous monitoring and consider artificial intelligence and machine learning solutions.
Of course, compatibility with aging infrastructure is also vital to preventing weak links in the security chain. Therefore, it’s up to leaders to ensure the above solutions integrate smoothly with older hardware and software. And, once updated, they must test and troubleshoot everything. All of this takes time and needs to be factored into the upcoming review.
Creating a culture of vigilance
Likewise, the military mustn’t overlook the human side of this evolution. The DoD’s workforce must be brought along for the ride and empowered with the skills to navigate this ever-changing landscape. In this sense, any plans must include training programs that instill best security practices and regular assessments. Equally crucial is the ability to respond swiftly and decisively when incidents arise.
Three years is not long to redesign a sprawling organization’s cybersecurity from top to bottom. Nor is it much time to change workplace norms and security awareness. Therefore, as the clock marches toward 2027, every decision counts.
Military leaders, the time for action is now. Plan carefully, build deliberately and partner accordingly with commercial hardware and software suppliers. There’s plenty of innovation and expertise in the market that can accelerate your journey to zero trust. A collective effort across private and public players is a well-regarded way to improve the delivery of cybersecurity redesigns—and, ultimately, help to better protect us all.