The incredible increase in telework within the Defense Department as a result of COVID-19-related social distancing requirements has provided U.S. adversaries more attack surface to cause harm to defense networks. This, among other factors, has increased the department's focus on zero trust architecture, the director of the Defense Information Systems Agency said.
"The move to maximum telework has also accelerated a cybersecurity paradigm shift that we will outline in our upcoming 'zero trust' reference architecture," said Vice Adm. Nancy A. Norton during a keynote address today at the Armed Forces Communications and Electronics Association's virtual TechNetCyber 2020 conference.
Under the "zero trust" model, Norton said, DISA makes the assumption that the DOD's internal networks are as hostile as external networks.
"We are being attacked in the cyber domain constantly, with state and non-state actors generating more than a billion cyber events a month on our networks across every DOD component around the world," Norton said.
To defend against that, Norton said, the defense department must get better at defending its network. That's something DISA and Joint Force Headquarters Department of Defense information networks are working on.
"We are moving towards more micro-segmentation in this cybersecurity model with zero trust," she said. "It will apply to our data and critical resources from our data centers to our mobile devices."
As a naval officer, Norton used the compartmentalization within a ship or submarine to prevent flooding as an example of how a network can be protected against attack from adversaries.
"Segmenting critical assets ensures that when — not if, but when — your network is compromised, the damage is limited, the loss of data is limited and your mission is assured," Norton said. "In a traditional perimeter defense model to network defense, if an adversary got through the perimeter, they would have free rein throughout the network. We wouldn't want a [similar] ship design that would allow one flooded compartment to sink a warship."
Norton said the paradigm change for zero trust comes through three principles.
The first of those is to never trust, but always verify.
"It ensures that all users and devices are treated as untrusted and everything is authenticated and explicitly authorized to the least privilege required using dynamic security policies," she said.
Second, she said, that users will always assume a breach of security and will intentionally operate and defend as if an adversary is already present inside the IT environment.
"We will scrutinize each request for access, users, devices and data flows using a deny by default approach and logging and inspecting all traffic," she said.
Finally, the third principle is to verify explicitly, she said.
"All resources must be consistently accessed in a secure manner using multiple attributes to build confidence levels for appropriate access to resources," she said. "With zero trust, we will affect every arena of our cyber domain, allowing us to shield our data better by closing every compartment in the ship."