Army preparing to take zero trust to tactical edge
The Army is bringing the concepts that make up zero trust to the tactical edge, and it will not be easy.
The tactical environment includes operational technology, weapons systems and typical IT systems, and all of them work in a disrupted, disconnected, intermittent and low-bandwidth environment.
Col. Michael Smith, the director of the Army’s functional management office for zero trust and director of the unified network task force, said the first step to bringing advanced cyber capabilities to the tactical edge is performing a gap analysis.
“We’ve completed our enterprise gap analysis. We are currently working on our tactical edge zero trust gap analysis. We did not have 12-to-18 months to do this analysis so we’re going to perform this in a very deliberate manner very expeditiously,” Smith said in an interview with Federal News Network during the recent Army TEMS conference. “Hopefully, within a couple of months, we will have a very good product that is very definitive on where we need to apply some resources within a tactical space.”
The tactical environment brings a whole set of challenges not seen in the more typical IT or base environment.
Smith said this includes the connection to mission partner environments and having multiple combatant commands accessing data and systems. It also means adding zero trust capabilities to operational technology or control systems that traditionally have been standalone technology, many of which are based on older technology.
And then there are weapons systems and how the Army can apply ZTA principles to these capabilities without making them more complex or slower to use.
“We’re going to take a look at a subset of weapon systems and a subset of control systems to identify the basic architectures that apply to those components. Once we identify that, we will identify the gaps and will push that guidance out to the larger commands that house those control systems and/or weapon systems,” he said. “It will be up to them to really apply the zero trust principles in that fashion.”
Army reviewing cyber spending priorities
One way to reduce the timeline to complete the gap analysis, Smith said, is to take advantage of the approaches the Army used during its enterprise gap analysis. He said it’s a matter of aligning the pillars of zero trust to the existing capabilities in the infrastructure and seeing where they don’t line up.
“I think the best way to put this is zero trust is a journey, we’re never going to be at 100%. We’re never going to have a 100% zero trust architecture. It’s going to be a continuous process. Even beyond 2027, things are going to evolve, adversary threats are going to evolve. The key to the gap analysis is really divestment of capability that doesn’t meet zero trust principles and/or investment capability. That’s what we’re looking to do,” he said. “To get to that, we have to figure out where we are spending our resources. We’re going to need to align resources. If we have to invest in new technologies, that’s been the challenge on the enterprise side, and that’ll be the challenge in the tactical space as we move into it. We are so embedded with systems that have been applied over the last five to 10 years, they’re very difficult to take out of the architecture and place something new in because they’re already integrated. So to integrate a new solution is going to take time. But it’s really applying the resources that can fund those and sustain those over time.”
The Army recently took another big step toward implementing zero trust on the tactical edge. The Army’s I Corps successfully demonstrated the first-ever zero trust at the edge capability at Talisman Sabre 2023, a multinational military exercise run biennially by the Australian Defence Force and U.S. Indo-Pacific Command.
General Dynamics IT and Fornetix conducted a specific set of exercises designed to enable rapid, secure and seamless data sharing between global mission partners.
GDIT says this was the first-ever demonstration of a zero trust capability in the field to support denied, disrupted, intermittent and limited (D-DIL) operations, such as contested battlefield environments with limited or no internet connectivity.
Army to use cyber red teams
DoD’s zero trust strategy, released last November, laid out 45 capabilities across seven pillars with a deadline to reach an initial baseline of cybersecurity by 2027.
Within those 45 capabilities are 152 specific activities that will measure military service or defense agency performance and effectiveness.
Smith said the Army is going through an internal analysis of all 152 activities to verify whether current technology already achieves each task or whether new or updated technology is necessary.
“Once we complete an internal Army assessment, we’ll follow on with the red team and external entity doing the same thing in our environment when we don’t know,” he said. “The Army will do our internal assessments. But we will have external to the agency red teamers, just to be very transparent, to ensure that we have the same look as another expert team.”
Smith added that all of these efforts are part of how the Army is maturing its zero trust architecture. He said many cyber capabilities are not currently integrated, and the Army continues to mature some foundational technologies such as identity and access management and endpoint security tools.
“We have the appropriate conditional data access controls for our data and applications. At that point, we’re able to do end-to-end visibility and actually are testing those capabilities. Right now the Army’s architecture is not to a fully integrated point. To do that, we need a little more time,” he said. “I think we’re really in the beginning stages of just piloting with some tactical formations. We’re really trying to combine that effort out of PEO Soldier with PEO C3T’s ICAM effort so they feed the same Army ICAM systems, and so they’re compatible and interoperable. We really are just at a nascent effort to take in operational requirements to get away from Common Access Cards in a tactical space, and use something that’s simpler and faster for soldiers in specific roles to use.”