The Department of the Air Force faces significant hurdles in implementing the Pentagon’s latest cybersecurity approach, dubbed Zero Trust, and will fail altogether if it continues to lag on key issues, according to its own strategy document.
The final section of the 27-page strategy, quietly published earlier this month by the department’s Chief Information Officer (CIO) Venice Goodwine, is titled “Risks,” and calls out seven issues which could cause problems in the transition to Zero Trust, or even derail it entirely:
- Institutional resistance to the massive cultural shift required
- Lagging development of tools for automated data tagging, labeling and management
- Nascent state of endpoint cybersecurity for non-IT equipment like IoT devices and weapons systems
- A lack of industry open standards leading to proliferation of proprietary solutions and danger of vendor lock-in
- The need for a complete refitting of Air Force data centers which the department can’t afford until 2028
- Operational blind spots
“Delays in these areas risk preventing DAF’s transition to advanced Zero Trust maturity,” states the strategy.
The CIO office declined to make anyone available to Air & Space Forces Magazine for interview, but in a written statement, Department of the Air Force spokesperson Laura McAndrews said Zero Trust is a more challenging transition than prior IT changes because “it is an architectural imperative that touches every device, user, and piece of data in the Department.”
From Castle and Moat to Every Room Guarded
In the traditional cybersecurity model, often compared to a castle surrounded by a moat, once a user logged on and was admitted across the drawbridge, they could wander at will inside the castle. A hacker able to steal the username and password of even the most humble employee would have effectively free rein inside the network.
In Zero Trust, every room in the castle is guarded. Getting across the drawbridge only gets you inside the rooms you have permission to enter. A hacker impersonating an employee will only get access to the data and resources the employee would have.
But that requires every single piece of data in the Air Force enterprise to be sorted and labeled, so that it is clear how sensitive it is and who needs access to it, explained Chris Hughes, president and cofounder of Aquia, a cybersecurity consultancy that has done work for the Air Force.
“The data has to be tagged to dictate who can access it under what circumstances,” said Hughes, a former Air Force staff sergeant.
Given the staggering scale of the task, he said he wasn’t surprised the work was lagging. “It’s going to be very, very daunting to go about implementing a robust data tagging and labeling strategy and to keep it up to date,” he said. “Because so much [data] is being created so quickly, changed, interacted with, modified, across the entire Air Force enterprise. It’s just a daunting task.”
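The contrast between the castle-and-moat model and per-request, label-based access described above, as an added example that is not from the article or the DAF strategy; the records, sensitivity labels, need-to-know tags and users are constructed, and the rule set is an illustrative simplification of a real policy engine.

```python
from dataclasses import dataclass

# Constructed sample data: each record carries a sensitivity label and a
# need-to-know tag, standing in for the tagging and labeling the article describes.
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}

@dataclass(frozen=True)
class Resource:
    name: str
    level: str
    tags: frozenset  # compartments attached to the data itself

@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    tags: frozenset            # compartments the user is read into
    device_managed: bool = True  # endpoint posture, checked on every request

RESOURCES = [
    Resource("base_cafeteria_menu", "unclassified", frozenset()),
    Resource("flight_schedule", "secret", frozenset({"ops"})),
    Resource("satellite_orbits", "top_secret", frozenset({"space"})),
    Resource("maintenance_logs", "secret", frozenset({"logistics"})),
]

def perimeter_model(subject, resources):
    """Castle and moat: a valid login (across the drawbridge) reaches every record."""
    return {r.name for r in resources}

def zero_trust_decision(subject, resource):
    """Guard one room: evaluate a single request against the data's label and the subject."""
    if not subject.device_managed:
        return False  # unmanaged endpoint is denied regardless of who is logged in
    if LEVELS[subject.clearance] < LEVELS[resource.level]:
        return False  # clearance below the data's sensitivity label
    return resource.tags <= subject.tags  # every compartment on the data must be held

def zero_trust_model(subject, resources):
    return {r.name for r in resources if zero_trust_decision(subject, r)}

if __name__ == "__main__":
    # A stolen credential belonging to a logistics clerk with a secret clearance.
    stolen = Subject("clerk", "secret", frozenset({"logistics"}))
    print("perimeter reach:", sorted(perimeter_model(stolen, RESOURCES)))
    print("zero trust reach:", sorted(zero_trust_model(stolen, RESOURCES)))
```

With the same stolen credential the perimeter model exposes all four records, while the label-based checks expose only the two the clerk is actually entitled to, and nothing at all from an unmanaged device.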
But the scale and speed of the data is only part of the problem, according to Patrick Arvidson, who was the National Security Agency’s technical director for weapons and space cybersecurity prior to retirement in 2022, and has been consulting in the private sector since.
“I love my brothers and sisters in the federal government, but many of them are perfectionists in the cybersecurity area,” Arvidson said. “They want the 100 percent solution instead of the 80 percent solution. And that is crippling.”
Perfectionism, said Arvidson, is a cultural issue in the federal government and particularly troublesome for Zero Trust.
“One of the cultural shifts that has to happen is understanding that with Zero Trust, or anything else that we’re getting on to, it’s okay to have an 80 percent solution. Let’s plan for the 80 percent and then manage the other 20 percent,” he said. “Because you’re never going to get the 100 percent solution.”
Institutional Resistance to Change
The mention of institutional resistance to change as “the greatest risk to this strategy” is Hughes’ favorite part of the document, he told Air & Space Forces magazine.
“That institutional inertia which they called out … is most certainly the biggest risk to any modernization effort. Not just Zero Trust, but any modernization effort in a large bureaucratic enterprise,” he said. “It’s in the nature of both humans and large bureaucracies. We’ve got this environment in the government, in particular, where they’re very risk-averse.
“Change can make people uncomfortable. Maybe they’re used to the way they operate, or they’re used to a certain workflow, or they’re used to using certain products, and you want to change that. That may make them feel uncomfortable, or even threatened, if they’ve built expertise in the way things are traditionally done.”
Spokeswoman Laura McAndrews acknowledged that Zero Trust involved centralizing decision-making about the network and the broader IT environment. “It is a fundamental change of the span of control away from individual programs towards enterprise capabilities,” she said, adding that resistance was common in organizations “where services of common concern deliver the promise of expanded functionality and greatly reduced cost at the cost of giving up some autonomy.”
The changes are also happening as programs are “in the middle of their execution cycle, which can be very challenging for enablement and adoption of enterprise services,” she said.
Dangers of Vendor Lock
Long term, experts said, the lack of industry-wide standards for cybersecurity functions like event logging or incident reporting is likely to be one of the most severe problems, because it means Air Force managers might quickly find themselves trapped with a single vendor or even a particular combination of vendors.
“There is no true plug-and-play environment,” Arvidson said, “and if there’s no plug-and-play environment, you have no competition, because I bought a product and now I can’t get rid of the product, because I can’t swap it out, because everything on it is customized and I’ve built my network around it.”
He said even bringing in additional products from different vendors could paradoxically worsen the vendor lock problem, because every new product brought in requires custom integration, representing a sunk cost which would be lost by switching to a new vendor.
“Let’s say my product’s doing fine and I bring in a secondary product, and I invest money into integrating that, and I bring in a third or fourth or fifth product, over the next few years. Then I’m stuck. I can’t swap the base layer out because that’s what all the other products are integrated with, but I can’t even swap out one of the secondary products except at great expense because they’re all custom integrations.”
Even technologies built to allow interoperability are not themselves standardized, he said, giving as an example proprietary Application Programming Interfaces or APIs, which allow applications to communicate with each other through a specially designed gateway.
“The API system right now is completely proprietary,” he said. “Industry is not standardizing on it because it’s not profitable to standardize on it. They’ve built their products their way, right? Integrations are a moneymaker.”
Arvidson said the problem would take strong leadership from the federal government to fix.
“If you really want to actually leapfrog this forward, pull everybody together in a room and say, ‘Guess what? We are going to make a standardized API for the federal government that every product’s got to meet,’” said Arvidson. “And then after that, it will roll downhill fast, because once you start to see the prices drop because you’re flexible and you can swap products in and out, things will open way up.”
Zero Trust would potentially enable huge cost savings by allowing Air Force managers to “collapse the networks,” Arvidson said.
Currently, an Air Force base will have three networks: unclassified, secret and top secret. Each will have its own routers and switches, even its own cabling, as well as its own desktop or laptop computers. But once secret or top secret traffic leaves the base, it travels across commercial networks, protected by strong encryption.
“What if I could do the same on the base?” explained Arvidson. “What if, instead of a [unclassified] NIPRNet, a [secret-level classified] SIPRNet and the [top secret] JWICS, I just run everything on one network, and I can get rid of 80 percent of my IT infrastructure. … All this is about leveraging technology to free up resources.”
Blind Spots
But Zero Trust has its blind spots, too, argues Arvidson. “Look at the MOVEit attack,” which exploited a flaw in file-sharing software to steal data from law firms, accountants, and other large businesses, he said. “The bad guys didn’t move [across the network], the data moved to them. They sat out on an API gateway and let the data move from cloud to cloud, and took the data that way.”
“Now if your data is encrypted in transit, like the military’s, then they won’t be able to access it, which is awesome. I don’t want my adversaries to be able to read my plans and projections. But if the adversary just decides to encrypt that data again, like a ransomware attack, we can’t access it either. They’re denying us the data. They still meet their objective, right?
“And the zero trust approach doesn’t fix that,” he concluded.