The Defense Department is outlining the tools and capabilities it will need to stand up its zero-trust program office later this fall, and improve its overall cybersecurity posture.
Kelly Fletcher, a senior career DoD official carrying out the duties of the DoD chief information officer, said Thursday at the Billington CyberSecurity Summit that the department is in the interim steps of standing up that program office.
The Defense Information Systems Agency, she added, is providing enterprise services to DoD to enable zero-trust capabilities. The military services are also standing up their own zero-trust capabilities.
As part of moving to zero trust, Fletcher said DoD is focused on streamlining its networks and retiring tools it no longer needs in order to decrease its attack surface.
“What we’re trying to do really is harvest savings from pivoting from our old architecture to our new architecture, and I think that’s going to drive some trust throughout the department. We aren’t just spending more,” Fletcher said.
Fletcher said part of the culture shift around zero trust will focus on getting cyber analysts to think beyond traditional perimeter security.
“If you assume the robber’s in the house, that changes how you protect your valuables. And the other thing is that changes the culture around what should defenders be doing,” Fletcher said. “I want defenders to ferret out adversaries in my network, and success for them is finding them quickly, fighting through their presence in my network, and then removing them rapidly.”
Civilian federal agencies are also making foundational investments in zero trust. The Office of Management and Budget released its draft strategy for moving the federal government to a zero-trust architecture last month, to meet the goals of the Biden administration’s cybersecurity executive order.
In order to implement the goals of the strategy, Federal Chief Information Security Officer Chris DeRusha said the move to zero trust will require buy-in from agency leadership and building trust from end-users.
To accomplish both of those goals, he urged CIOs to work with C-suite partners, including chief data officers.
“When you’re looking at zero trust, one of the things you need to do is really understand where your sensitive data is, not where you think it is. You’ve got to use tooling to verify, validate and then go from there. And that can be a painful cultural journey,” DeRusha said.
But zero trust alone won’t give DoD the cyber defense capabilities it needs to keep up with emerging threats. Kelly said DoD also needs to leverage artificial intelligence as a force multiplier to secure its networks.
“Cyber defenders, I think, have a hard time figuring out what is most important, and we need to leverage AI to help them, to say, ‘You have a lot of tools, but we’re going to get the most important data, and we’re going to make that available to you all to pursue those places where we’re most concerned about what’s happening,’” she said.
Fletcher said DoD has rallied around artificial intelligence as a critical component of readiness for emerging threats. But enterprise-wide adoption of AI, she added, is going to require more foundational work.
“We need to use data and AI to our advantage. We need the right folks to have the right data at the right time to make the right decision,” she said. “But I think that we’re not all understanding the investments that are needed in sort of the more boring stuff. AI is super cool, [but] you know what I need? I need bandwidth. I just need fiber on the ground, and that’s kind of boring, but that’s how this works.”
DeRusha said that civilian federal agencies also need to adopt automation solutions to stay ahead of threats.
“We will only be able to start really beating our adversaries and having defense when we can do it at their speed. And really that means automation, and then training people to understand how to use those tools,” he said.
Fletcher said DoD is also looking at ways to improve the diversity of its cyber workforce, in terms of both demographics and location.
As part of its Cyber Workforce Framework (DCWF) efforts, DoD earlier this year cataloged its cybersecurity workforce into 54 work roles. From there, Fletcher said the department is running data analytics to better understand where it has, and where it needs, additional expertise.
“I’m going to give an example that is possibly incorrect, but in Kansas City, it’s really hard to recruit systems administrators, so then we can target, we can provide some recruitment and retention dollars to get that done, and I think that’s really valuable,” Fletcher said.