16
August 2019 FCW.COM
Cybersecurity
DISA pilots zero-trust networking
The Defense Information Systems Agency is testing zero-trust networking on the Secret IP Router Network with U.S. Cyber Command. DISA officials ultimately want to expand the zero-trust approach, which denies access by default and only permits approved requests, throughout the Defense Department.
“It’s a proof-of-concept pilot,” Director of Operations David Bennett said at a FedInsider event in July. “Zero trust is really about figuring out the data and applications and how to put that together and then try to connect it to the rest of the world.”
He said one of the trickiest issues will be incorporating and managing the internet of things, which he called “a very complicated scenario.”
“DOD didn’t grow up in an IoT world,” he added. “It’s only been recently where we find ourselves buying products that have internet capability.”
Bennett said DISA is trying to understand the risks and challenges that come with IoT, primarily monitoring what a device is doing when it’s not being used for its primary function.
Zero-trust security and IoT are key components of DOD’s recently released Digital Modernization Strategy, which outlines the department’s priorities for ensuring cybersecurity resilience and fostering talent and innovation.
The strategy reads like a long to-do list for DOD, and its goals include tackling key network, cybersecurity, cloud and emerging technology issues, such as 5G and artificial intelligence. DISA’s network modernization efforts are highlighted, including the Joint Regional Security Stacks program. JRSS seeks to improve DOD’s network security posture by analyzing traffic across DOD’s IP networks for cyberthreats.
After weaknesses were identified by a recent inspector general audit, JRSS seems to be back on track, and now DISA officials are hoping to garner industry support for DOD’s move to IPv6.
Bennett said DISA needs industry’s help in removing low-speed time- division multiplexing circuits because telecommunications providers will soon stop supporting TDM. He added that the culture shift rather than the technology will be the biggest challenge.
The 2020 defense authorization bill passed by the House includes a provision that would require DOD to sell its older IPv4 addresses, convert to the IPv6 format and report to Congress on its progress on a process that has been nearly 20 years in the making.
Moving to IPv6 is the last element in a suite of six strategies for the Defense Information Systems Network listed in DOD’s modernization plan. The other strategies are upgrading optical transport, enhancing midpoint security by implementing JRSS and a joint management system, building Multiprotocol Label Switching router networks with quality-of-service and performance monitoring, implementing software -defined networking, and eliminating Asynchronous Transfer Mode and low-speed TDM circuits.
— Lauren C. Williams
A shake-up of the contracting community
James Goepel, CEO and general counsel at cybersecurity consult- ing firm Fathom Cyber, told FCW he has serious doubts that many defense contractors will be ready by Septem- ber 2020. For most companies, the associated costs are less about assets and technology and more about train- ing employees and allocating person- nel to map and formalize internal IT policies. The potential for an initial shock to the federal contracting sys- tem is real.
“I do think that it’s going to hurt us in the short term from a product- availability perspective,” said Goepel, who also teaches cybersecurity at Drexel University’s Law and Business schools. “The government is going to miss out on stuff, and there are going to be companies that go out of busi- ness because of this. But in the end, I think that it may actually be a bet- ter thing for country, unfortunately.”
Metzger doesn’t go that far but said he believes a short-term effect of the framework could be the departure of some companies from the federal contracting space. The impact might be hardest on small and medium-sized businesses that have fewer financial resources and have typically avoided the level of scrutiny directed toward large prime contractors. Still, he said he expects that most companies will shoot for a middle ground that bal- ances cost with business opportunity.
“I think the short-term impact is that companies of all sizes are going to be looking at affordable, effective ways to improve their cybersecuri- ty,” he said. “Nobody knows exactly today what you will need to do to get a security rating score of \\\[1 to 5\\\]. Very few companies are going to strive for a 5...but very few are going to want to have only a 1. I’m thinking that many companies will be targeting their investments and actions to be sure that when the scoring method comes into place they will get at least a 3.” n