The Defense Department has finally laid out its plan for protecting its cyber networks after years of pledging to make it a commitment.
The Office of the Chief Information Officer released “The DoD Zero Trust Strategy” in November — which laid out metrics and deadlines for the department to achieve full zero trust adoption by 2027. Cybersecurity experts said the government and private sector should work together to leverage resources to successfully enter the new regime.
“Cyber physical threats to critical infrastructure really are one of our biggest national security challenges that we’re facing today, and that the landscape that we’re dealing with has gotten more complex,” Nitin Natarajan, deputy director at the Cybersecurity and Infrastructure Security Agency, said during a MeriTalk event in October.
Cyber attackers have more resources than they have in the past, and it’s less expensive to do a lot of damage to an unsecure system, he said. It’s not just lone wolf hackers, but nation states and cyber terrorists who can pose a threat.
For example, the 2019 SolarWinds cyber attack, which swept past the defenses of thousands of organizations, including the federal government, has been linked to Russia-backed operatives.
The new strategy’s basic tenet is that treating organizations’ security like a moat around a castle doesn’t keep out bad actors.
“Mission and system owners, as well as operators, increasingly embrace this view as fact. They also see the journey to [zero trust] as an opportunity to affect positively the mission by addressing technology modernizations, refining security processes and improving operational performance,” the document said.
Zero trust culture requires every person within a network to assume that it is already compromised and requires all users to prove their identities at all times.
The strategy lists technologies that can help cultivate a zero trust environment such as continuous multi-factor authentication, micro-segmentation, advanced encryption, endpoint security, analytics and robust auditing.