Assume Networks Are Compromised, DOD Official Urges

Sept. 24, 2019 | By C. Todd Lopez

No matter how secure a computer network or the environment it's used in may seem to be, users should just assume it's compromised, the deputy undersecretary of defense for research and engineering said.

"This is something I'm very much behind," Lisa Porter said during a panel discussion yesterday at the Center for Strategic and International Studies in Washington.

During her time as the first director of the U.S. Intelligence Advanced Research Projects Activity, Porter said, she saw a growing emphasis on cybersecurity. The organization was created in 2008.

Photo: Network Intrusion. DOD networks are highly susceptible to attack. Military cyber professionals are trained to defend the network. (Photo by C. Todd Lopez, DOD)

"At that time, cybersecurity became really, really important," she said. "It had been important before, but people were really emphasizing it. And unfortunately, there was a huge emphasis on primitive defense models." The thinking at the time, she said, was that as long as perimeters were put in place, everything inside would be safe, including the data and the networks.

That turned out to not be true, Porter said, and security requires more than just building a barrier around the network.

"It leads you to a false sense of security. ... Think 'Edward Snowden,'" she said. "So then we said, 'Maybe this perimeter defense model has some flaws in it.'"

Instead, Porter said, users should assume the network is compromised already – either from outside or from bad actors on the inside.

Photo: Cyber Watch. Air Force Staff Sgt. Wendell Myler, a cyber warfare operations journeyman assigned to the 175th Cyberspace Operations Group of the Maryland Air National Guard, monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron, known as the Hunter's Den, at Warfield Air National Guard Base, Middle River, Md., June 3, 2017. (Air Force photo by J.M. Eddins Jr.)

"When you change your mindset to ... 'I have to assume that my networks aren't trusted – that no matter where I am, I have got to go in with an assumption that I can't trust what I am using as the backbone of my communications' – it changes how you think about the technological solution," she said.

Now, she said, cyber professionals are thinking about "zero-trust architecture," which assumes that no one who uses the network can be trusted. In such a setup, users might be allowed access only to the information and applications that they are pre-authorized to use. Past network security might have put a wall around the whole network, and once inside, a user would have free rein to move about. A zero-trust environment uses "microsegmentation," which divides the network into smaller zones, each requiring special access.

Photo: Cyber Defense. DOD networks are highly susceptible to attack. Military cyber professionals are trained to defend the network. (Photo by C. Todd Lopez, DOD)

"I think we've been lulling ourselves into a false sense of security by thinking we can build perfectly secure enclaves," Porter said. "There is no such thing as a secure system. So we have to deal with that reality whether we are doing cyber, whether we are doing supply chain, whether we are doing 5G. You will see the zero-trust reference across many of [the Defense Department research and engineering] domains, because we are really trying to advocate for that perspective."