Start your day with intelligence. Get The OODA Daily Pulse.
Source Senate Armed Services Subcommittee Hearing on Cybersecurity Architectures | C-SPAN.org
In response to the SolarWinds Orion and Hafnium Microsoft Exchange breaches in the late Winter of 2020/early Spring of this year, the U.S. Senate Committee on Armed Services, Subcommittee on Cyber, held a hearing on April 14th. Entitled “Future Cybersecurity Architectures“. The specific breaches were actually only the context for a larger conversation about (and a general update on) DoD implementation of the recently approved DoD Zero Trust Architecture Framework. Expert witnesses at the hearing included:
Mr. David McKeown is the Senior Information Security Officer/ Chief Information Officer for Cybersecurity at the Department of Defense (DoD). McKeown leads and oversees the implementation of the DoD Zero Trust Framework across the agency.
Mr. Robert Joyce, Director of Cybersecurity at the National Security Agency (NSA) in the newly formed NSA Cybersecurity Directorate, leads the IC’s and DoD’s most technical cybersecurity component and provided the subcommittee with the most technical details on the DoD Zero Trust implementation.
Rear Admiral William Chase III is currently serving as the Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy and the Deputy Principal Cyber Advisor to the Secretary of Defense.
To be honest, the title of this testimony – “Future Cyber Security Architectures” – is what initially caught our research eye, as we are always on the lookout for the best in class thinking at the systems design level. Based on the title, we thought we would be providing the OODA Loop Membership an analysis of some DARPA, NSA, DIA skunkworks, cybersecurity architectures. Next-level stuff, you know?
That the hearing is actually a Senate and DoD deep-dive on Zero Trust Framework implementation? Well, it threw us for a loop. After spending some time with the content, however, we determined that there are some kernels of information of value to our readership. First, the hearing is succinct and worth a listen (while cycling through some other productivity tasks). Don’t worry about taking notes. A transcript and the joint statement by the witnesses are provided at the end of this post.
Second, kudos to Cyber Subcommittee Chair, Senator Joe Manchin, who sets up at the top the public availability of the hearing for the American People, encouraging the expert witnesses to speak in clear accessible language, “devoid of acronyms.” For this author, who admittedly still has a zero-trust learning curve, the tone set by Sen. Machin was refreshing – and important. That the American general public would cue up and binge-watch Congressional hearings on a regular basis…
Finally, Rob Joyce is always interesting. In this hearing, he is recently returned from London, where he was the U.S. representative for cybersecurity in the United Kingdom (UK). His return to the U.S. was prompted by his appointment as Director of the newly formed NSA Cybersecurity Directorate.
“Zero trust will yield zero results without a risk analysis.” – Junaid Islam
A recent zero trust industry survey, based on a broad sampling of cybersecurity and IT professionals, revealed that “most organizations expect to be fully deployed with a zero trust architecture within two years. Initial steps include improving identity and access management, strengthening application access management, and increasing protections for external parties, such as customers and supply chain partners. Technical and resourcing barriers to zero trust currently rate highly. Organizations must deal with a set of barriers to deploying zero trust successfully. The current top-rated barriers deal with technical (e.g., dealing with limitations in legacy systems) and resourcing (e.g., obtaining appropriate financial and staffing resources to do zero trust properly) issues.” (1)
As OODA’s Bob Gourley wrote earlier this year, “The New Enterprise Architecture Is Zero Trust.” As far back as February 2020, we reported on why many security pros lack confidence in their implementation of Zero Trust. No matter how unique, daunting or promising, the survey reinforces that Zero Trust implementations will also have the usual cybersecurity and IT implementation challenges of:
All these elements combine to determine how quickly a solution is implemented, the actual success of an implementation, and/or the perception of success or failure of a project (which is sometimes separate from reality). For cybersecurity projects, there is the additional sorting out of an organization’s cyber risk strategy (if one exists), cyber policies relative to a parent organization, for example, and interoperability with supply chain partners, etc. Again, the list is long. In September, OODA Network Member Junaid Islam argued that “zero trust will yield zero results without a risk analysis” and provides in his OODA Loop post a “modified OODA loop type process to guide your [Zero Trust] strategy development and execution.”
The additional value of this subcommittee hearing and expert testimonials is what is known in research circles as an extreme sampling: “Extreme or deviant case sampling means selecting cases that are unusual or special in some way, such as outstanding successes or notable failures.” (2) What makes the DoD Zero Trust Framework implementation extreme sampling?
The DoD Zero Trust Framework implementation is extreme and, as a result, instructional in that a super-aggressive pilot program was called for in both the 2019 and 2020 National Defense Authorization Act (NDAA), as part of the Mature Cyber Security Orchestration and NSA Integrated Adaptive Cyber Defense (IACD), both in conjunction with private industry. So, unlike most organizations, there is top-down support within DoD for speed, expediency, and a very fast implementation process.
Also, while the DoD budget is not infinite, it comes close. In addition, based on the bona fides of these expert witnesses, internal technical capabilities are clearly not a problem. Finally, The Solarwinds Orion and Hafnium incidents accelerated the entire implementation, as McKeown points out in his testimony to the Cyber subcommittee:
“We have long recognized that zero trust is the defensive capability best situated to counter the current and future tactics, techniques, and procedures utilized by our adversaries. These recent events have led us to accelerate the implementation of our zero-trust framework. Zero trust represents a paradigm shift in how we design our networks that significantly decreases the potential efficacy of adversary attacks.”
This DoD implementation is devoid of all the forces of inertia that cybersecurity and IT professionals grapple with when trying to act with any urgency or expediency in many organizations. We are not naive: DoD has its own internal political levers and inertia, to be sure. But based on their mandate and the need to accelerate their pilot program, the ‘extreme sampling’ characteristics make this pilot program a worthwhile use case – devoid of the organizational frictions and behaviors through which we all have to usually navigate.
Mr. McKeown also mentioned something of interest, in passing, during his opening statement :
“DOD has been laying the foundation for the implementation of the zero trust framework across the Department of Defense Information Network (DODIN). This is a significant effort but one we have no doubt we can achieve. Through our current effort to accelerate this implementation, we will leverage our recently approved zero trust reference architecture as a blueprint to integrate existing and new cyber defense capabilities that are critical to enabling zero trust.”
“As we continue to transition to the cloud, we will ensure that these environments are built from the ground up utilizing our zero trust architecture. “Cloud One and Platform One, developed by the Air Force, are prime examples of environments with “native zero trust design.”
While this hearing did not provide us with the DARPA, NSA, DIA, “Next-level” cybersecurity architectures we were expecting, this notion of “native zero trust design” is promising. Be on the lookout for further OODA Loop analysis in a future post.
Hearing | Hearings | United States Committee on Armed Services: Future Cybersecurity Architectures
Testimony on Future Cybersecurity Architectures (senate.gov)
Joint Opening Statement Future Cybersecurity Architectures.pdf
Department of Defense (DOD) – Zero Trust Reference Architecture
If SolarWinds Is a Wake-Up Call, Who’s Really Listening?
The New Enterprise Architecture Is Zero Trust
Zero Trust Will Yield Zero Results Without A Risk Analysis
Why many security pros lack confidence in their implementation of Zero Trust
https://oodaloop.com/archive/2021/06/04/junaid-islam-on-zero-trust-architecture
Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking
OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking
This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking
From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.
A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking
OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.
In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast