Zero trust security relies on continuous validation for access as a user moves around a network regardless of their physical location and relationship to an organization, instead of a one-and-done security check like the normal username and password. In essence, it gives users or other device personas accessing a network “zero trust” as it connects to a network.
That mentality is now the leading force behind how the DOD purchases microelectronics, Mark Lewis, director of defense research and engineering for modernization, said recently during an AFCEA virtual symposium.
Microelectronics are in everything from weapons systems on fighter jets to IT platforms. And if a malicious or weak microchip is implanted into the military’s systems, it could open wide attack options. Zero trust is the department’s new answer to replace the older “trusted foundry” system where DOD had oversight over the physical development of the microelectronics. The old system “has failed,” Lewis said.
“We’ve seen a number of examples where the biggest threats that we face often are the insider threat. It’s the people inside the fence line, behind the guards, who we think we’ve cleared,” he said. “They’re the ones that pose the biggest threats to us.”
Now, the DOD assumes none of the microelectronics it buys are fully secure. The intent behind the switch in mentality is to increase security and to allow the DOD to purchase more microelectronic at commercial speed, Lewis said. The aged foundry method was time-consuming and not cost-effective for many suppliers, hampering the fielding of the important technology, Lewis said.
Zero trust catches on elsewhere
Other parts of DOD, like the Defense Information Systems Agency (DISA), have begun to embrace zero trust. The agency recently awarded other transaction agreements on prototypes for identity management and credentialing systems that use zero trust.
The Defense Innovation Board, a group of technology experts and academics that advise the DOD on modernization, recommended the DOD invest in zero trust as an important boost to security.
“DoD is ready for implementation [of zero trust architecture],” a report from the DIB states.
While the Pentagon’s siloed networks have cause modernization headaches, it’s not an issue for zero trust, according to the board. “Zero trust solutions can start within a single organization or cross-organizational application, and rapidly drive all users and devices that interface with that organization or application to come into compliance and register their attributes for authentication and authorization,” according to the report.
However, regulatory challenges and legacy systems still hold some agencies back on using zero trust, according to a recent study.