For the “cutting edge” technology of IT security, is DOD a “leader” or a “lag behind”?

“Given enough time and resources, a persistent threat can penetrate any perimeter security system.”

Dr. Daniel Goure, vice president of the Lexington Institute, a public policy think tank, published an article titled “Department of Defense on the ‘cutting edge’ of IT security” on RealClearDefense, commenting on the Department of Defense’s adoption of a Zero Trust Architecture, on the Comply-to-Connect (C2C) program that supports it, and on the effect of both. The main content is summarized as follows.


In conversations about information technology and cybersecurity, the statement “the Department of Defense is leading” is almost never heard. Commercial sectors such as banking are often described as being at the “frontier” of technology, while the U.S. Department of Defense (DoD) is often labelled a “technology laggard”. This distinction is neither fair nor entirely accurate. To protect its IT infrastructure, the Department of Defense is transitioning to a “zero trust” architecture. With the Department of Defense leading, the aerospace and defense industry, as well as other departments of the federal government, may follow and improve national security across the board.

Before the current hyper-networked era, the Department of Defense set lofty, almost impossible, goals and requirements for its computer networks in order to meet combat needs: connectivity under harsh conditions, the ability to exchange large volumes of data, and ever smaller and lighter form factors (the size, shape, and physical characteristics of IT hardware). The IT industry’s ability to meet these needs was often stretched, and frequently came down to connecting old and new assets together.

Today’s ubiquitous technologies, such as satellite TV, GPS navigation, and even the Internet itself, are rooted in combat requirements driven by the Department of Defense. But in recent years the commercial IT community, which followed the Department of Defense decades ago, has taken the lead in developing new technologies. Products are built to meet the needs of businesses and consumers, and the military follows close behind. For example, the Department of Defense did not call for smartphones or smart watches, but once these technologies became commercially established, the Department of Defense followed suit and used their capabilities to meet the changing needs of warfighters.

Against this background, it is encouraging to see the Department of Defense take the lead in defining requirements and solutions for IT and network professionals, and address this decades-old problem in the form of a concept now called the “zero trust network environment”. Zero trust is a cybersecurity framework that continuously evaluates the trustworthiness of every request for access to networked resources. Zero trust security assumes that, given enough time and resources, a persistent threat can penetrate any perimeter security system. Security must therefore rest on the assumption that no device or piece of software on the network can be considered trustworthy until it has been verified.

At the Senate Armed Services Committee (SASC) hearing on the “Future Cybersecurity Architecture” in April 2021, senators and witnesses from the National Security Agency (NSA) and the Department of Defense focused on the zero trust architecture. The testimony of a Department of Defense witness affirmed the advantages of zero trust and listed the seven pillars of the Department of Defense’s zero trust framework: users; applications; devices; data; network/infrastructure; visibility and analytics; and automation and orchestration. When these seven pillars are fully implemented, they will provide a new solution to the cybersecurity problem and should keep both public and private networks from being penetrated.


Zero Trust Architecture

The SASC hearing provided many examples of implementing a zero trust strategy and constructing appropriate architectures. One capability mentioned several times, and one that has proven very useful, is the Comply-to-Connect (C2C) program. If you are not paying close attention, it is easy to miss the references to this key program, which is accelerating the Department of Defense’s implementation of zero trust. C2C was launched in 2013 as a comprehensive cybersecurity framework of tools and technologies designed to improve the cybersecurity posture of the Department of Defense’s current and emerging operational environments. C2C is a joint effort led by the National Security Agency, the Marine Corps, and the Air Force.


Schematic diagram of C2C concept

C2C was originally directed by the FY17 National Defense Authorization Act and is now a program of record managed by the Defense Information Systems Agency (DISA). The goal of C2C is to “build a framework of tools and technologies to operate, discover, identify, characterize, and report on all devices connecting to the network across the entire network infrastructure.” C2C is deployed in five phases, each building on the capabilities of the previous one: discovery and identification; interrogation; automated remediation; authorized connection; and situational awareness and enforcement.
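The five C2C phases above, and the “continuously evaluate every request” principle of zero trust described earlier, are easier to reason about as a small policy pipeline. The following is an added illustrative example written for this page; it is not DISA’s C2C tooling, and the endpoint inventory, policy thresholds, finding names, and network decisions (“allow”, “remediation-vlan”, “quarantine”) are all constructed assumptions. Each function corresponds to one phase, and `reassess` shows that an “allow” decision is never permanent: the same checks are re-run whenever posture changes.

```python
"""Toy comply-to-connect (C2C) pipeline, one function per phase:
discovery -> interrogation -> automated remediation -> authorized
connection -> situational awareness. Illustrative only, not DISA's C2C."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Phase 1 input: a constructed endpoint inventory, shaped like the output
# of a network discovery scan. The last record is an unmanaged IoT device.
DISCOVERED = [
    {"mac": "00:11:22:aa:bb:01", "ip": "10.1.1.10", "os": "Windows 11",
     "agent": True, "patch_age_days": 3, "cert": "valid"},
    {"mac": "00:11:22:aa:bb:02", "ip": "10.1.1.11", "os": "Windows 10",
     "agent": True, "patch_age_days": 45, "cert": "valid"},
    {"mac": "00:11:22:aa:bb:03", "ip": "10.1.1.12", "os": "Linux",
     "agent": False, "patch_age_days": None, "cert": None},
    {"mac": "00:11:22:aa:bb:04", "ip": "10.1.1.13", "os": "Unknown",
     "agent": False, "patch_age_days": None, "cert": None},
]

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold


@dataclass
class Endpoint:
    mac: str
    ip: str
    os: str
    agent: bool                      # management agent present?
    patch_age_days: Optional[int]    # None when the device cannot report
    cert: Optional[str]              # device certificate state
    findings: List[str] = field(default_factory=list)
    decision: str = "undetermined"


def discover(records: List[dict]) -> List[Endpoint]:
    """Phase 1: discovery and identification. Every seen device is tracked,
    including ones that cannot identify themselves (no agent, no cert)."""
    return [Endpoint(**r) for r in records]


def interrogate(ep: Endpoint) -> List[str]:
    """Phase 2: interrogation. Compare reported posture against policy and
    return the list of non-compliance findings (empty means compliant)."""
    findings = []
    if not ep.agent:
        findings.append("no-agent")
    if ep.cert != "valid":
        findings.append("no-device-cert")
    if ep.patch_age_days is None or ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append("patch-stale")
    return findings


def remediate(ep: Endpoint) -> List[str]:
    """Phase 3: automated remediation. A stale patch level can be fixed by
    pushing updates through the agent; anything else stays as a finding."""
    remaining = []
    for finding in ep.findings:
        if finding == "patch-stale" and ep.agent:
            ep.patch_age_days = 0    # simulated successful patch push
        else:
            remaining.append(finding)
    return remaining


def authorize(ep: Endpoint) -> str:
    """Phase 4: authorized connection. Map remaining findings to a network
    decision; the default for anything non-compliant is restricted access."""
    if not ep.findings:
        return "allow"
    if "no-agent" in ep.findings and ep.os == "Unknown":
        return "quarantine"          # unmanageable device: isolated segment
    return "remediation-vlan"        # reachable only by patching services


def reassess(ep: Endpoint) -> str:
    """Re-run phases 2-4 for one endpoint. Zero trust means this happens
    continuously, so a change in posture changes the decision."""
    ep.findings = interrogate(ep)
    ep.findings = remediate(ep)
    ep.decision = authorize(ep)
    return ep.decision


def run_pipeline(records: List[dict]) -> List[Endpoint]:
    eps = discover(records)
    for ep in eps:
        reassess(ep)
    return eps


def situational_awareness(eps: List[Endpoint]) -> Dict[str, int]:
    """Phase 5: situational awareness and enforcement. Summarize decisions
    for the operator's dashboard (the enforcement point consumes them)."""
    summary: Dict[str, int] = {}
    for ep in eps:
        summary[ep.decision] = summary.get(ep.decision, 0) + 1
    return summary


if __name__ == "__main__":
    endpoints = run_pipeline(DISCOVERED)
    for e in endpoints:
        print(f"{e.ip:12} {e.os:11} {e.decision:16} {e.findings}")
    print(situational_awareness(endpoints))
```

Note the failure mode the pipeline has to handle: a device that cannot be interrogated (no agent, no certificate) is not skipped, it still gets a decision, and that decision defaults to restricted access rather than to the pre-C2C behaviour of “it plugged in, so it is on the network”.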

Soon after the hearing, Department of Defense leaders followed through on their commitment to share experience and lessons learned and publicly released a zero trust reference architecture. As a senior DISA official explained, “The purpose and focus of the zero trust framework is to design architectures and systems that withstand attack and compromise, thereby limiting the blast radius and the exposure of malicious activity.”

The reference architecture will provide much-needed guidance across the Department of Defense. It may also help advance zero trust architecture in civilian government agencies, as required by the May 12 Executive Order on Improving the Nation’s Cybersecurity. Having a template for implementing a zero trust architecture should be very helpful to federal departments and agencies as they fulfill their responsibility to improve cybersecurity.

The timing of the Department of Defense’s emergence as a cybersecurity leader is critical. The threat of near-peer adversaries using cyberspace as a tool of war is real, and even without state backing, sophisticated criminal groups are using similar tactics to great effect. The SolarWinds supply chain attack and the network intrusion at Colonial Pipeline are only the latest in a long list of breaches. Unless practical steps are taken to achieve zero trust, the number of intrusions will keep growing. C2C is particularly useful for protecting operational technology networks such as the one run by Colonial Pipeline.

Defense leaders are responding to constantly changing and asymmetric cyber threats. They have released a reference architecture for a zero trust environment and have become early adopters of C2C and other cybersecurity programs. The Department of Defense is leading by example.

The Biden administration has nominated people with extensive cybersecurity experience for senior positions in the Department of Defense. Ms. Heidi Shyu was nominated as Under Secretary of Defense for Research and Engineering. Mr. Michael Brown, the current head of the Defense Innovation Unit, will fill the position of Under Secretary of Defense for Acquisition and Sustainment.

Military leaders often talk about the need to understand their own capabilities, the capabilities of their adversaries, and their environment (physical, psychological, political, and so on). C2C gives the Department of Defense that knowledge of itself: a complete picture of the networks and data systems it must defend against a known adversary’s capabilities.

With U.S. adversaries investing significant resources in pursuit of their global ambitions, the U.S. Department of Defense’s attention to cybersecurity is a welcome development. Solutions from programs such as C2C need to keep pace, establishing and maintaining a zero trust network environment to ensure mission success.

About the Author

Dr. Daniel Goure is Vice President of the Lexington Institute, a public policy research think tank. The Institute is a non-profit public policy research organization headquartered in Arlington, Virginia. As part of the Institute’s national security program, he works on a wide range of issues.

Dr. Goure has held senior positions in both the private sector and the U.S. government. Most recently, he was a member of the 2001 Department of Defense Transition Team. Dr. Goure spent two years in the U.S. government as Director of the Office of Strategic Competitiveness in the Office of the Secretary of Defense. He has also served as a senior analyst on national security and defense issues at the Center for Naval Analyses, Science Applications International Corporation, SRS Technologies, R&D Associates, and System Planning Corporation.
