BALTIMORE — The recent leak of national security documents would have been easier to find and stop had the U.S. Department of Defense already instituted the most recent cybersecurity practices, often called zero trust, according to Pentagon Chief Information Officer John Sherman.
The disclosure of the classified reports, allegedly spearheaded by a 21-year-old member of the Massachusetts Air National Guard, has prompted a hard look at the department’s information-security practices. The breach included insights into the ongoing Russia-Ukraine war.
Sherman on May 3 said a zero-trust approach “sure as heck would’ve made it quite a bit more likely that we might have caught this and been in a position to prevent it on the front end.” Prying eyes and ears are both an external threat — considering China, Russia and other nations — and an internal hazard.
“That is something we’ve grappled with for years,” Sherman said at the AFCEA TechNet Cyber conference in Baltimore. “We had the Snowden disclosures nearly 10 years ago. We’ve had other unlucky events here.”
Edward Snowden is a former American intelligence contractor who in 2013 made public the existence of worldwide surveillance dragnets. The U.S. government deemed him a traitor; he was later granted Russian citizenship.
Zero trust is a unique paradigm for cybersecurity, one that assumes networks are always at risk or already compromised, requiring constant validation of devices, users and their digital reach. Sherman previously likened zero trust to believing “nobody or no thing.”
The Pentagon in November published its transition strategy, with eyes set on widespread implementation by fiscal 2027. Defense officials have said the timeline is difficult but doable.
Sherman’s remarks at the AFCEA conference echo those made by Navy Chief Technology Officer Don Yeske, who in April told C4ISRNET the tenets of zero trust would have helped the department detect suspect behavior.
“You start from the purpose of assuming your network has been compromised, and if it hasn’t been compromised, that compromise is inevitable,” Yeske said at the virtual C4ISRNET Conference. “Insider threats light up like a Christmas tree when that’s your approach.”
The Pentagon last month announced it will conduct a comprehensive review of its policies and procedures. Sherman and Ronald Moultrie, the undersecretary of defense for intelligence and security, among others, are involved.
Initial results of the audit are expected within 45 days.
C4ISRNET reporter Courtney Albon contributed to this article.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.