The US Department of Defense is stepping up its cybersecurity efforts with a dedicated Zero Trust office set to open next month, according to a senior official.
Pentagon CISO, David McKeown, said at the CyberCon event this week that the office would report into the CIO, although the senior executive in charge has not yet been named.
Leadership buy-in to Zero Trust has helped to accelerate the opening, which can be seen in part as a response to the SolarWinds campaign in which nine federal government departments were compromised by Russian spies.
“We’ve redoubled our efforts, we’ve fought for dollars internally to get after this problem faster,” McKeown reportedly said.
“We’re standing up a portfolio management office that will … rationalize all network environments out there, prioritize and set each one of them on a path of Zero Trust over the coming five, six, seven years.”
President Biden’s Executive Order on cybersecurity back in May required the head of each agency to develop a plan to implement a Zero Trust architecture within 60 days. The plan should incorporate best practice migration steps as recommended by NIST, as well as “describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.”
Felipe Duarte, senior researcher at Appgate, argued that Zero Trust is vital for preventing attackers from moving laterally through networks once an initial breach has occurred.
“Only by segmenting the networks and assuming all connections can be compromised you can detect an intruder in your network,” he added.
“Zero Trust needs to be implemented in the core infrastructure. You must profile any device trying to connect in your network, use multi-factor authentication to ensure credentials are not compromised, segment networks creating isolated perimeters, and, most important, only provide access to what a user or a system needs to.”