AUSA NEWS: Army Making Progress on Zero-Trust Cybersecurity Framework
To better protect its networks and comply with a Biden administration executive order, the Army is working to establish a zero-trust cybersecurity framework, said an official Oct. 13.
In May, President Joe Biden released his “Executive Order on Improving the Nation’s Cybersecurity,” which required the Army to complete two key tasks, said Maj. Gen. Matthew Easley, director for cybersecurity and the chief information security officer in the office of the Army chief information officer.
One is moving its networks to a cloud environment, which the department has already been working on, he said during a panel discussion at the Association of the United States Army’s annual conference in Washington, D.C.
The other is establishing a zero-trust framework. The zero-trust security concept has become a buzzword in the Pentagon, and essentially means an organization should not trust any user trying to gain access to its network and must require verification.
“We are already well on that journey for the capabilities that we've been enabling around the Army — through Army Cyber Command, through the G6, through [Network Enterprise Technology Command],” Easley said. “We already have that foundational layer for our zero-trust system.”
The service is already employing endpoint security, identity solutions, active monitoring, cloud isolation and perimeter defenses, he noted.
“All these systems have created that foundation layer for zero trust, and our goal over the next few years is to develop the capabilities to improve that, to really be able to use that technology to increase the way we defend our networks,” he said.
Over time, the perimeter of the Army’s networks has become “more and more fuzzy” as officials allow more cloud-based access, Easley noted. That has resulted in a dramatic increase in endpoints, users and devices on the service's networks.
A zero-trust framework is needed to manage the deluge of systems accessing those networks, he noted.
“To do that we know we need data,” Easley said. That will require new data standards that allow the service to scale its systems for a “million-person organization.” The service will also need architectural standards to truly understand how to bring its networks together.
The Army’s chief information officer, Dr. Raj Iyer, said zero trust is a big shift for the Army.
“Zero trust is the opposite of what we've done in the past where we said, ‘Hey, we're going to build systems,’ and our policy said, ‘Well, this is how we're going to protect the perimeter for those systems … [with a] perimeter-defense approach,’” he said. The “policies that we need for zero trust is all about saying we're not going to let anybody in, that's our policy, and now we're going … to be using analytics to determine whether you're a good actor or a bad actor.”
Perimeter defense used to work well, Easley said. However, many attacks now are moving up to the “application level or person level,” he noted.
“That's forcing us to change the way we think of cybersecurity, the way we think of the network, the way we think of our systems that need to be pulled together,” he said.
As a first step toward fulfilling Biden's executive order, the Army will inform the administration of what capabilities it has today, Easley said. However, the ongoing initiative to bolster cybersecurity is going to be "a multi-year, probably decade-long effort," he added.