Adopting a zero trust approach to cybersecurity inside a single federal agency is hard enough. For U.S. Indo-Pacific Command, it’s many times more complex. That’s because INDOPACOM needs to adopt zero trust in a way that works not just for the U.S. military, but for numerous other allies and partner nations — some of which are further behind the curve than others.
Long before it started the work of bringing “mission partners” into a zero trust environment, INDOPACOM’s first task was to figure out how to apply the principles to the U.S. military’s own requirements for IT networks.
Paul Nicholson, the command’s deputy chief information officer, said the previous approach to network defense wasn’t working well.
“I think there were approximately 57 of those domain-centric networks … we were fighting hard to defend them all and to some extent failing miserably,” he told attendees at AFCEA’s recent TechNet Asia-Pacific conference in Honolulu.
And so when the Defense Department and White House policy started directing Defense components to implement zero trust, INDOPACOM saw it as a chance to start with a clean sheet of paper on the topic of network defense – pivoting away from that “domain-centric” approach completely.
“Our J6 team said ‘We want to build a zero trust stack from scratch in accordance with all the principles and zero trust requirements,’” Nicholson said. “They said it would be more cost effective to start over than it would be to try to go modernize things that are already being used for operations – no one wants to inhibit operations or break the as this fight. So it gave us the opportunity to begin rapidly learning from CENTCOM and EUCOM, to rapidly start doing experimentation with DISA and Cyber Command, and we went at this thing from a very, very collaborative approach.”
Specifically, those collaborators on the INDOPACOM team include engineers from the National Security Agency and other parts of the intelligence community, the Defense Innovation Unit, along with regular discussions with other combatant commands, the Joint Staff and DoD’s Chief Data and Artificial Intelligence office.
The new “data-centric” architecture will also be designed to connect directly with U.S. allies and other partners — the idea being to selectively give them access to only the data they need via information sharing agreements.
And Nicholson said that’s where things get even more complex. With the exception of the “Five Eyes” nations with whom the U.S. regularly shares intelligence, there are relatively few other countries that are thinking about data security in the same way the U.S. military is.
“It is an extremely high demand across the INDOPACOM theater to bring the cybersecurity capacity of these nations to a place to where we are able to connect and have a trusted, operational network environment,” he said. “The Five Eyes are our starting five, but after that, we have no bench. Beyond that, we have a lot of work to do. There’s a lot of guidelines that we have to bring into play with our mission partners, and there’s a lot of capacity building that has to be done.”
One of the biggest early challenges will be around identity and access management, said Jane Rathbun, the Department of the Navy’s CIO. For U.S. users, the identity topic is comparatively straightforward, since the Defense Manpower Data Center already maintains authoritative data sources on all military members and DoD civilians.
“But for our mission partners, we’re going to have to figure out what that identity ecosystem is, to really make sure what [INDOPACOM] has built has been red teamed, and meets the criteria of zero trust,” she said. “The other thing that needs to happen is how we’re going to make data flow into that environment to be consumed by whatever mission you have going on. Those are not challenges of zero trust, but challenges of how to operationalize a zero trust model … I’m very impressed with what INDOPACOM has done, but we need a set of business rules for how coalition partners work with us in that environment.”
Rathbun said many of those problems can likely be overcome by employing sound design concepts as DoD builds out its own zero trust environments, and continually sharing those standards and guardrails with allies to encourage as much commonality as possible.
“Whatever the functional domain is, the things that need to be common or at least federated, like identity solutions, they need to be able to understand where that needs to come from,” she said. “We’re not going to build their networks for them, but if we can give them standards and guardrails that they have to meet in order to connect to the mission partner data source, I think that’s really going to be the way we have to work.”
Another major hurdle will be making sure data is tagged accurately — incorporating aspects like each data element’s origin and other attributes — so that the military’s systems know which partners the information can be shared with, and for what purpose.
Nicholson said the good news is once a meaningful tagging methodology is in place, it will also open up huge automation opportunities for INDOPACOM.
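One way such tags can drive an automated release decision, as an added illustration that is not code from INDOPACOM or DoD; the tag names, the sharing-agreement table and the sample records are constructed assumptions:

```python
"""Attribute-based release check for tagged data shared with mission partners.
Added illustration, not INDOPACOM's or DoD's code; tag names, partner
attributes and sample records are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed sample information-sharing agreements: partner -> purposes
# that partner may use shared data for (assumption, not a real agreement).
SHARING_AGREEMENTS = {
    "AUS": {"battle_management", "logistics"},
    "JPN": {"logistics"},
}

# Tags every data element must carry before it can be considered for release.
REQUIRED_TAGS = ("origin", "releasable_to", "purposes")


@dataclass
class DataElement:
    name: str
    tags: dict = field(default_factory=dict)


def missing_tags(element):
    """Return the required tags the element lacks; untagged data is never released."""
    return [t for t in REQUIRED_TAGS if t not in element.tags]


def release_decision(element, partner, purpose):
    """Default-deny: every condition must hold. The reason is returned
    so each decision can be logged and audited."""
    gaps = missing_tags(element)
    if gaps:
        return False, f"untagged data, missing {gaps}"
    agreed = SHARING_AGREEMENTS.get(partner)
    if agreed is None:
        return False, f"no sharing agreement with {partner}"
    if purpose not in agreed:
        return False, f"agreement with {partner} does not cover {purpose}"
    if partner not in element.tags["releasable_to"]:
        return False, f"data from {element.tags['origin']} not releasable to {partner}"
    if purpose not in element.tags["purposes"]:
        return False, f"data not tagged for purpose {purpose}"
    return True, "all release conditions satisfied"


# Constructed sample data elements (not real records).
TARGET = DataElement("track-0042", {"origin": "US", "releasable_to": {"AUS"},
                                    "purposes": {"battle_management"}})
UNTAGGED = DataElement("report-0007", {"origin": "US"})
```

The check deliberately fails closed: a record with any required tag missing is refused regardless of partner or purpose, which is why tagging accuracy is the hurdle the text describes.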
“I’ve been in some targeting shops where they’re still using spreadsheets, and you are never going to win against a very competent adversary if you are doing targeting that way,” he said. “So it’s exciting that we now have a framework where we may be able to securely enhance the way we do battle management. There’s a long ways to go, but it opens a door where we can do this with our mission partners. It’s not just pairing a red target to a U.S. firing battery, but a red target to a partner firing battery. That’s the advantage — expanding the scope of what mission-target pairing looks like, in an automated way. That’s exciting.”