Space is a ‘critical part’ of DOD’s move to zero trust, CIO says
The Department of Defense must take space into consideration while developing a zero-trust security framework across its enterprise, CIO John Sherman said Thursday.
The DOD‘s evolving mission in space defense with the recent standup of the U.S. Space Force will be inherently digitally focused. And as the U.S. competes more with near-peer adversaries like China and Russia, securing and defending assets in space from cyberthreats is a growing concern for Sherman, he said at AFCEA NOVA’s Space Force IT Day.
“I want to extend [zero trust] to not only when you think terrestrial domain and kind of traditional networks,” he said. “I think the space piece has got to be a critical part of this discussion. And I look forward to engaging the Department of the Air Force and our Space Force colleagues as we see how this can be applied.”
Sherman said the adoption of a zero-trust framework is a top priority for his office, adding that the topic is “very much prominent right now with the president’s [cybersecurity] executive order of last year.” He highlighted the Defense Information Systems Agency’s Thunderdome program and the move to Microsoft Office 365 as “examples of what a zero-trust framework can look like for the entire Department of Defense.”
And there’s no reason space should be thought of any differently, Sherman said.
“How does zero trust relate when we’re talking about things in orbit? I think it relates in many ways,” he said. “As you look at the entire segment, from the space segment down to the ground, there’s plenty of opportunities for us to microsegment, to think differently about access, about multifactor authentication, about not trusting any piece of that in a way that we have in the past and assuming a very sophisticated adversary is trying to get to our most precious data and dataflows on there.”
Sherman said the department is dealing with a host of technical debt after it spent much of the past decade “kick[ing] the can down the road a bit” while conducting operations in Iraq, Afghanistan and the Middle East. Encryption is one area in particular that “we have to get after with alacrity now,” Sherman, if the U.S. is to maintain its defense prowess.
“Cybersecurity has to be considered a survivability imperative, just like chaff, flares, armor or other capabilities,” he said. “And as we get to on-orbit capabilities, which get into other types of classifications, you can let your imagination run in terms of other types of defensive things we have to have. Cyber cannot be an option anymore.”
Sherman also hopes the Cybersecurity Maturity Model Certification (CMMC) — which was recently transferred to Sherman’s oversight — will “help raise the waterline” for the security of defense information handled by DOD’s industrial partners. And while contractors may be concerned by the costs imposed by CMMC, Sherman said it’s more costly to deal with the consequences of not being secure.
“You know what else costs money: exfiltration of data you and your company have spent blood sweat, tears, and a lot of money to develop that’s going to end up on a weapon platform in Shanghai or outside of Moscow,” Sherman said. “We’re not gonna let that happen on our watch. This is basic hygiene to raise the water level to make sure we can protect our sensitive data so when our service members have to go into action, they’re not going to have an unfair position because our adversaries have already stolen key data and technologies that will put them at an advantage.”