JUST IN: Army Going All-In on Zero Trust Principles (UPDATED)
The Army is looking to quickly accelerate its campaign to consolidate and unify its various networks and do so securely under zero trust principles, senior service leaders said April 17 at a Pentagon briefing.
The Army is implementing its Unified Network Plan, which will centralize services and allow personnel to log in wherever they are in the world on any device, whether it belongs to the service or the soldier. And zero trust is the way it will securely do this, officials at the briefing said.
“All you have to do is take a look at the news lately to understand why it’s so important that we get this notion of zero trust implemented,” Lt. Gen. John Morrison, Jr., Army deputy chief of staff, G-6, said at a media roundtable April 17.
Zero trust is the term for cybersecurity paradigms that are focused on data and resources, and “does not assume anything,” an Army article stated. A key pillar of the zero trust initiative is to prioritize protecting data — not just networks and servers — as was done in the past. It leverages attributes to determine access to resources such as user, location and device. The principle is part of a transformation of the Army’s digital environment.
Morrison said implementing the zero trust strategy will not only improve the Army’s security posture, but dramatically improve user experience. The two are inextricably linked, and cybersecurity and user experience “doesn’t necessarily have to be a trade-off. It just needs to be the appropriate balance.”
Embedding zero trust principles into “everything that [the Army] is doing,” including the user experience, involves ongoing initiatives for increased mobility, which involves over 22,000 service members, he said. The initiatives include a bring-your-own-device pilot involving nearly 7,000 service members and virtualized desktop services being delivered to remote locations or on personal devices.
The notion of a central delivery of services — underneath Cyber Army Command, the single service provider and network defender for the Army — will see a collapse of organizational networks over the next two years, Morrison said. The Army is going to move toward a single, fully resourced help desk that will not only prove more fiscally efficient, but also operationally effective, he said.
“Because it will be common services for all Army commands,” he added.
Morrison described a “significant investment” in zero trust activities, including items that accelerate end-to-end visibility and set the condition for a broader network implementation with a focus on modernization, “and specifically our mission networks.”
Identity and credentialing initiatives are a significant piece of zero trust, Morrison said. “…that allow a user to go anywhere in the Army’s portion of the DoD Information Network and log on immediately to conduct business.” A formation that’s deploying from one theater to another, and being rapidly able to plug in, get connected and fight upon arrival — “things we’ve talked about for many many years” — are now coming to fruition, he said.
David Markowitz, the Army's acting chief information officer and chief data and analytics officer, said the Unified Network Plan is underlined by zero trust principles, including the ability to trust devices, upgrading networks, migrating to the cloud and a continued emphasis on visualization analytics of their network.
A collapsing of networks and eliminating one-offs will showcase the harmonization of a single unified network based off zero trust principles, Morrison said. “And that’s where you’ll be able to seamlessly move Army users around, and no matter where they’re operating, they’re operating with a common look and feel with the proper security embedded behind it.”
One of the Army’s 2023 goals is central delivery of service and common endpoint management across the entire Army, whether its tactical or at the broader operational or strategic levels.
Markowitz said the delivery of network services and a continuation of unifying the network is central to the Army’s strategic direction, which has come from a series of capability portfolio reviews, he said.
The Army has “a lot” of diverging networks, Markowitz said. “And we’re accelerating the way of how we’re unifying them, both operationally and administratively.”
There is a “huge drive” to accelerate “as much of those actions … as we can” in 2023 and 2024, he said.
Morrison called 2023 “the year of accelerating,” but also building toward something — “this notion of a unified network that is built upon zero trust principles.”
“What that is allowing us to do is from end to end, see the network in its totality for the very first time as we roll that out,” he said. By being able to seamlessly push out networks around the world, “we have significantly improved the rate and how rapidly we can deploy forces.”
He called the digital transformation “exciting times” for the Army, but also “lots of change” and a cultural shift “forcing [them] to think differently. Zero trust is not a thing, he said, but a set of guiding principles.
Correction: A previous version of this story listed David Markowitz's title as chief data and analytics officer.
Again, we run off in search of the Holy Grail without absorbing the NIST CSF or present TSN mandates for NSS (not mentioned in this article, strangely). ZRA as written in the DoD Guidebook was for IS, not NSS, esp. those weapon systems with Mission and Safety Critical Functions. To assume we are going to pursue another architecture as in open systems is financially and time-wise wasteful. In a real war, once started either the communication pipes would have been jammed and/or the enemy as the Brisitah did successfully in WW II will remain passive in their intrusion. We need to focus less on weapon systems being Cybersecure, and more on them being Cyber Resilient and Survivable.Joe Yuna at 10:36 AM