Irregular Warfare Podcast - Seizing the Digital Initiative: Zero Trust and Persistence in the Cyber Domain
Episode Date: February 10, 2023. Subscribe to the IWI monthly newsletter by going to www.irregularwarfare.org! This episode explores the concepts of zero trust and persistence theory within the cyber domain and features a conversation with two guests: Mr. David McKeown serves as the acting DoD principal deputy chief information officer and Dr. Richard J. Harknett is professor and director of the School of Public and International Affairs and chair of the Center for Cyber Strategy and Policy at the University of Cincinnati. In the discussion, they first define these two concepts, zero trust and persistence theory, before highlighting how they complement each other in practice. They continue by explaining the importance of seizing and maintaining the initiative in the cyber domain and how it would be more helpful to shift to a mindset of persistent campaigns and away from the idea of isolated cyberattacks. They conclude with thoughts on the implications for future cyber strategies. Intro music: "Unsilenced" by Ketsa. Outro music: "Launch" by Ketsa. CC BY-NC-ND 4.0
Transcript
Initially, when we started building
the Zero Trust cybersecurity strategy for the department,
we were focused again on our traditional IT and networks.
But then we realized we can't do that.
We've got to go across the board.
These concepts apply to literally everything.
Now granted, the form factors needed and
the changes that need to
be put in place for a weapon system or critical infrastructure might be considerable and nobody's
thought about it, but we've got to go there. We've got to protect that too, because they're
all integrated together and they all provide mission assurance for the warfighter.
But I think what the essence of initiative persistence suggests is we've got to move from sort of a compliance model approach to cybersecurity, you know, in which we check boxes.
My big goal, Laura, is to get rid of cybersecurity month.
Like, if I do that, then I'm going to hang up the hat.
Why? Because what are we doing the other 11 months?
Are we just ceding this space?
Welcome to the first episode of our special Irregular Warfare Initiative project on cyber.
IWI projects explore critical topics impacting the modern practice, policy, and study of irregular
warfare. Led by subject matter experts, each IWI project aims to cultivate interdisciplinary dialogue, showcase unique
insights, and provide a platform for collaboration. My co-host today is Maggie Smith, the director of
IWI Project Cyber. Our guests today explore the concepts of zero trust and persistence theory
within the cyber domain. They begin by defining these two concepts and go on to highlight how
they complement each other in practice.
They continue by explaining the importance of seizing and maintaining the initiative in the cyber domain
and how it would be more helpful to shift to a mindset of persistent campaigns
and away from the idea of isolated cyber attacks.
Finally, they conclude with thoughts on the implications for future cyber strategies.
Mr. David McKeown serves as the acting DOD Principal Deputy Chief Information Officer
and in the dual role of Deputy DOD Chief Information Officer for Cybersecurity and DOD Senior Information Security Officer.
Mr. McKeown has over 35 years of experience in the Department of Defense, having served 27 years in the Air Force and 8 years as a government civilian.
He spent 21 years as an Air Force Cyberspace Operations Officer. He also served as the Director of
Enterprise Information and Mission Assurance for the Army Information Technology Agency,
and most recently led the service delivery staff at the Department of Justice.
Dr. Richard J. Harknett is Professor and Director of the School of Public and International Affairs
and Chair of the Center for Cyber Strategy and Policy at the University of Cincinnati.
He co-directs the Ohio Cyber Range Institute, a statewide organization supporting education,
workforce, economic, and research development in cybersecurity. He has served as scholar in
residence at United States Cyber Command and National Security Agency and continues to provide analysis. He is co-author of Cyber Persistence
Theory, Redefining National Security in Cyberspace. You are listening to a special series of the
Irregular Warfare podcast, a joint production of the Princeton Empirical Studies of Conflict
Project and the Modern War Institute at West Point, dedicated to bridging the gap between
scholars and practitioners to support the community of
irregular warfare professionals. Here's our conversation with Mr. David McKeown and Dr.
Richard Harknett. Mr. David McKeown, Dr. Richard Harknett, thank you so much for being with the
Irregular Warfare podcast today. We're excited to begin our special series on cyber issues
in collaboration with Maggie's
project. Thank you, Laura, and thank you, Maggie, for having us here today. I look forward to the
discussion. Appreciate what you all do and enjoy the podcast that you produce and look forward to
being able to contribute. I'll jump in and just echo those sentiments. It's a really great
opportunity to engage with you and your audience and looking forward to the conversation. So I want to begin today with just laying the basic framework of
what we're going to talk about. And if you could just please tell us about cyber persistence theory
and what zero trust and competition in the cyber realm really means and build that foundation for our audience of
what we're going to talk about today, please. In a nutshell, Laura, cyber persistence theory
is a break in the way we have thought about studying cyber insecurity and overall international
and national competition through cyberspace. Academic literature for a bunch of decades was really focused in on cyber
war rather than strategic competition, which is where most of the action is. And so the theories
that were trying to explain what was going on in cyberspace were sort of traditional coercion
theories. And not surprisingly, we kind of landed on the thing that had worked all through
the Cold War, the deterrence theory. And so that same kind of academic orientation permeated the
policy and strategy side. And up until the DOD 2018 cyber strategy, we were really almost
exclusively talking about deterrence and how do we try to convince the other side to stop attacking us. And so fast
forward, cyber persistence theory basically suggests that there's an explanation for why
almost all of the key activity that we're seeing at the state level is below the threshold of war.
And that is in fact driven by the structure of the space itself. It's interconnectedness, the fact that
we're dealing with an environment of constant contact, not episodic or potential contact,
but if you're in interconnected space, you're in constant contact with everybody, not just your
allies and adversaries, but your citizenry and your business and everything else. When you look at this
technology, what's unique about it is that it's simultaneously the terrain in which we're
maneuvering across and the means, right? So the code is both means and terrain. And unlike other
domains, you know, we've got water and a ship, right? We've got air and an airplane. And we make that differentiation between the means and the terrain. But in this case, these things are intertwined. And what that has produced is just a space that is constantly in flux.
The terrain and the means by which we maneuver across that terrain have actually adjusted since we started this podcast. There's some new version of some new software connecting through some
new process to some potentially new hardware. And David's challenge is, if he started this
podcast trying to defend a certain space, and by the end of this podcast, it's a different space.
So how do you actually do that in practice? Well, we argue in cyber persistence
theory with my co-authors, Emily Goldman and Mike Fischerkeller, that we have to accept that
fluidity. And what I'll talk a little bit later, and I think this is why CPT actually aligns with
zero trust, is we've got to stop talking about offense versus defense and recognize that it's about initiative. But security
has to be redefined in who has the initiative because this space is so fluid and we're shifting
back and forth all the time. And so the theory provides a structural reason why that's happening
and then lends itself to translating into new doctrine, which persistent
engagement is now recognized at the joint level, and operations. So from my perspective, I agree
wholeheartedly about the discussion of cyber terrain. And we have a vast cyber terrain,
ever-changing, ever-growing. It is very difficult to cover the waterfront and defend all of that
in a good, comprehensive manner.
Zero trust for me when I was a defender in the Pentagon.
Obviously, advanced persistent threats are ever more creative every day trying to get on our networks.
We had several instances where foreign adversaries got a foothold on our network. They got through our perimeter defenses and lingered for a great amount of time undetected. And once
we did detect them, in a lot of cases, we didn't really have the history of where they went on our
networks and what they did. And we could be talking about a gap of 18 months here. So at the time,
I was seeing how Zero Trust concepts, and they really are concepts, there's no one product that
delivers Zero Trust. It's an integration of products and processes and trained individuals that will get after this problem to
defend the cyber terrain that's covered by Zero Trust. We're not going to have in the department
or in the federal government one big Zero Trust umbrella. It's very much sort of driven enclave
by enclave. But the concepts are pretty straightforward. Bottom line
is we have seven pillars that we're using. We focus on the data, the user, the device,
the application and workloads, the network, logging everything and doing analytics over that,
and then orchestration and automation of events and automatic responses to those events. Without all of that in place,
it becomes very difficult for us to detect these advanced adversaries. The cleanest network
inspection that I ever saw, two weeks later, somebody clicked on a phishing email and they
were pwned. So good hygiene is a good start, but it's not going to stop everything
and we've got to be ready.
So what this environment that I'm talking about
with zero trust with those seven pillars,
once we stand that up and we integrate all of that,
we have a better fighting chance
of detecting adversary activity earlier
and responding and eradicating them off of the network.
We don't right now intend to hunt beyond the boundaries
of what we've built there in that zero trust enclave.
But what we find in there for enemy tactics,
techniques, and procedures can be quickly shared
with those who have the authorities to go out and take action
and also help the other defenders.
We can share those things across the board.
So I think it's a game changer conceptually.
What I really love about this topic, bringing David and Richard together,
is that a lot of the discourse that we have when we talk about cybersecurity
and the security studies literature, it really focuses on either being on offense or defense
and what the balance between those two are. And a lot of that discussion
revolves around offense being kind of the decisive flavor of cyberspace. But in reality, none of that
really matters if you don't have mission assurance. And when we talk about mission assurance,
the National Institute for Standards and Technology really gets into this definition that talks about this process to
protect or ensure the continued function and resilience of the capabilities and assets.
And this can include personnel, it can include equipment, it can include facilities, networks,
information, and the systems on which that information resides. So can you get back to
how you started with cyber persistence theory and how really it gets to the roots of what mission assurance is?
we could put castle walls around, you know, that we could build moats around. And by definition,
right, by relying on coercive threat to say, I'm going to shape the other side's decisions, rather than actually actively going out and defending ourselves, we argue in the book,
we were ceding the initiative to the other side. Well, that's critical if, in fact, security rests
on initiative in this space, that you can't fully defend, but you defend in the moment. We're seeing Ukraine play that out in certain levels, right? But the whole idea of initiative persistence, aside from this process of identify, protect, detect, respond, recover, which is critical to doing this at the mission assurance level, it all rests on anticipation.
We have to anticipate. So the zero trust strategy that came out in October actually says
we have to proactively stay ahead of all threat actors and hostile environments.
That's the essence of initiative persistence. Persistence is recognizing the fluidity. And
your operators are probably listening to this podcast and going, yeah, like they're just figuring this out. I mean, this is the reality. But it takes us academics
and big national strategy levels time to catch up to that reality. But that reality says that,
again, as David indicated earlier, right, that terrain is constantly in flux. So I can't,
I can't premise my strategy on a presumption of being perfect.
I got to actually premise my strategy on the idea that the adversary is in and that the adversary is not going away.
And I would, again, just sort of tweak, you know, we emphasize it's a big difference between strategic competition and conflict, right? And that adversaries right now are making a big choice, a strategic choice to stay in that competition space. Why? Because they can
actually shift relative power without going to war. They don't need to blow stuff up in order
to undermine our economic viability, our military capability and overmatch, our institutional democratic
authority. These are where these cyber operations and campaigns have been going.
So if you accept that argument, then it is not sufficient for us to just get better at resiliency
and defense. But we actually have to go that one step further and try to create models at the operational level and then authorize it to anticipate actually can get back into our system at a rate and speed
and scale and scope that we can actually take vulnerabilities away before they are actually
exploited. That's the coin of the realm. So I would add to David's massive charge,
this other layer, but I think that other layer drives everything. And where we, I think, agree
in the book, we spend a whole first chapter talking about Thomas Kuhn and paradigm changes.
Zero trust is a paradigm change at the organizational and technical level. So
there's a commonality of where we are moving in trying to deal with cyber insecurity. We're
realizing there's a discontinuity that we have
to bring about. We have to change the way we've been doing things in a dramatic, not an incremental
way. Yeah, all of that was very, very insightful. And I agree with all of it 100%. I'll just add a
few more things there. Mission assurance, of course, is why we do cybersecurity. It's one
of the elements. I mean, something could be taken out kinetically, a part could break; all those kinds of things could also impact
mission assurance. But mission assurance does have a cyber component. What we're trying to do
within the department is teach folks that it is important for resiliency and assuring their
mission. Just went to a very good exercise, which A&S,
the Acquisition and Sustainment portion of OSD, held yesterday on a very specific weapons system
where they tabletopped a cascading set of events. They looked at all the components of a system and
put them in a model and did red team, blue team to show that it can be very impactful what can be
done in cyber. And you could start over in this system. And yes, it's not your main, most important
system, but it has connections to this next system. And eventually, you've severely impacted their
mission through cyber vulnerabilities. We have in the department a strategic cybersecurity program. A&S is the lead
for that. We have NSA engaged in doing assessments of all the different weapons systems platforms
out there that we believe are important and looking at this from a cyber perspective so that
we can get after these cyber vulnerabilities and ensure the missions for the warfighter out there in regard to cybersecurity.
Historically, what you're going to see, though, is there are thoughts like, well, this is a closed network.
The adversary can't get in there.
Not true.
Well, it's a weapons system and it's not tied to the traditional networks.
And we find that, yes, inevitably, they likely are.
And then, you know, critical
infrastructure, you know, everybody turns a blind eye to that. But if you don't have power on a base,
you know, most of the other stuff isn't going to work. So all of those things are critical and
intertwined. And the vast majority of them are included in that cyber terrain that we're looking
to protect. And initially, when we started building the Zero Trust
cybersecurity strategy for the department, we were focused again on our traditional IT and networks.
But then we realized we can't do that. We've got to go across the board. These concepts apply
to literally everything. Now, granted, the form factors needed and the changes that need to be
put in place for a weapon system or critical infrastructure
might be considerable and nobody's thought about it, but we've got to go there. We've got to protect
that too, because they're all integrated together and they all provide mission assurance for the
warfighter. So then how do you translate this approach to an organization full of non-cyber
folks? Is it educating personnel on the nuances between offense and defense,
and their part as a whole? Is this moving beyond cyber awareness training or annual training, which has become a fixture for many folks and really a box clicking exercise for some?
Yeah, Laura, I mean, there's always education within training. But I think what the essence
of initiative persistence suggests is we've got to move from sort of a
compliance model approach to cybersecurity, you know, in which we check boxes. My big goal, Laura,
is to get rid of cybersecurity month. Like if I do that, then I'm going to hang up the hat. Why?
Because what are we doing the other 11 months? Are we just ceding this space to everybody else?
So the challenge we have, if you accept that this is a persistent environment that is structurally
driven and that there's just too much opportunity below the threshold of war to shift power,
that adversaries are not going away, and they're going to get more clever with their TTPs, and the technology is shifting all the time. So I know that the zero trust says, hey, let's go to a risk-based kind
of approach. And maybe David can talk more about that. And I think that's the right direction.
But to your point, Laura, it's not just a mindset shift. It's not just a starting point of concept. It's how do we actually train
so that we can persist in resilience, in defense. And the reason we need to do that is because we
have to get onto an anticipatory footing. We can't keep playing whack-a-mole. We can't keep
just reacting. If I cede the initiative to the other side, I am losing.
Because as David indicated before, I get into a particular system, that system may not be
that important.
So on the private sector side, we have that story, it's the big Target hack.
I get down to literally taking swipes of credit cards at Target checkout counters because
I went through their
HVAC system. I hacked their HVAC supplier. But that's a great example. We don't even know if
that's what they were looking to do. But once you're in, that also creates space for creativity.
That's why we can't think of this just purely as intelligence. Usually in an intelligence approach,
it's like, I've got a target. I need to go and get those files and I'm going to exfiltrate them.
But when we think about this through a strategic competition space or frame, it's, I want to gain access to David's systems. I want to persist there in part because
I don't know what I'm looking for, but I'm going to go and try to find it. So there can be a lot
of intentionality, but there also can be a lot of just sweeping. And if you look at some of our peer pacing threat, you know, in the case of China,
what they're doing in terms of algorithmic agency, their computer base is as good,
if not better than ours. They've got the math. We've got the math. But they've got access to
behavioral data that we don't. And so their systems are training better than ours right now.
Now,
whether they can leverage that, but there are some structural issues going on that we need to understand that we don't dominate this space. We may have superiority in certain things,
but we need to go and seize this space back. But some of these local governments that have
to contribute to this, the four of us on this podcast, we're like quadruple the size of their IT department. So we're going to have to figure
out, you know, how do we actually do this new training and actually implement it. So the
implementation side of this is going to be a tough nut to crack. I wanted to follow up with Dave on
that specific point. And how do you bring this outside of the IT department, right? How do you
kind of make this a universal knowledge base and universal issue?
And how do you avoid making the network so secure or making the access to that network
onerous to where somebody who's not as well informed is going to take shortcuts and be
like, well, I don't want to reset my password every month or something like that.
You know, I don't want it to have so many characters.
I want to use Telegram or WhatsApp because I know that and it's easier.
Yeah, I'll answer that and also talk about the, you know, Cybersecurity Month.
I think I agree with that statement that we should get rid of it.
You know, when I was on active duty, the question was asked, who's responsible for security?
Just plain old security.
And your answer is everyone.
For cybersecurity, we haven't necessarily done as good a job as proselytizing that across the board where everybody feels like
cybersecurity is their job. In terms of the strategic cybersecurity program that I was
talking about where we're looking at vulnerabilities and weapon systems, I've basically stated that we
have an I believe problem. So you can provide all the
training in the world. You can put these tabletops in front of folks. And until they actually see
a hack or some of their data lost or one of their weapons systems or a power plant go down,
they have a problem believing that, you know, what we're telling them is a reality. It's like
ghost stories. And that is part of the equation,
not just shoving like training
and zero trust is gonna make you better.
It is talking about these relevant stories.
Part of the reason why we have so much traction
on zero trust in the department
is because of SolarWinds.
There's a global event.
Everybody's like, well, how do you combat that?
And while we can combat that,
we can't stop it entirely with zero trust,
but we're going to be able to detect it quicker
and respond faster and eradicate them off the network
a lot sooner than we could have
just using perimeter defenses
and the castle and moat type of methodology.
So I think that's important
that we keep pointing people to examples of like, see, if you don't take cybersecurity seriously, this can happen.
You know, we have lots of examples of that, of bad guys exfiltrating data from our networks.
But that isn't the whole story from a mission assurance perspective.
The bad guys for a weapons system or critical infrastructure likely aren't going to exfil anything.
They're just going to sit there waiting for the right time to provide some synergistic effect so that the power goes out and we can no longer use our satellite communications or something like that so that they can do kinetic effects, right?
So that's the other piece of it.
You can't see them.
And with the weapons systems, folks, well, how come nobody's attacked it before now? I see all these vulnerabilities.
Nobody's attacked it. I don't think anybody can. I think they can. I think they're just
holding their persistent, waiting for the right opportunity to take advantage of that foothold
that they've gained. Can I amplify what David just said? And I think that's a really, really important point, that the absence of public evidence
is not the absence of actual, not just threat, but gain by our adversaries, right?
This is a very opaque place.
Your special ops folks can appreciate that.
If you're doing this well, your adversary doesn't know that.
And so one of the things that we stressed through the operationalization of CPT into persistent engagement is that we also start to have to move away from the linking of operations for cumulative effect.
But also, when you adopt a campaign frame, SolarWinds is predictable by actually NotPetya.
It's the same vector that's exploited by the same threat actor, in this case, Russia.
They do it clumsily, poorly, you know, and so there's a lot of
collateral damage back in 2017. And then they got better, right? So I look at SolarWinds,
it's just part of a campaign to use a particular, you know, in this case, third party upload,
right, as a means, and they got better. The question is, can we get better? And thinking about this
more in a campaigning mode, I think is really important. Yeah. And pivoting back to a comment
you made earlier, I think where you talked about anticipating the adversary. Obviously, we use
intelligence. Some of that is live intelligence of events that are happening worldwide. Some of it is our own signals intelligence to understand and anticipate what the adversary
is going to do.
But the way we operate also informs us.
If we have certain techniques and procedures for going about warfighting and campaigning,
what are the chances that the adversary is going to have similar, right?
We should apply those campaign techniques that we would use to our defenses. Like the adversary is probably going to do something
similar to this and we should be ready for that and be able to defend. That gets into another
question that always comes up in my brain when I think about these concepts. So we have traditionally
a bifurcation of offense and defensive operations and the shift towards
zero trust really pushes for the mindset to be adopted that everything's interconnected,
that we need to be constantly vigilant about what's going on. So do you think the offense,
defense, you know, cybersecurity versus offensive hacking type bifurcation is still useful? Or how do you see that shifting
as we move to adopting zero trust? No, it's not useful analytically. I guess,
you know, this is where I get to be professor rather than practitioner, right? But if you're
going to accept the notion of fluidity, and you're going to accept the structure of interconnectedness,
the solution to interconnectedness is not segmentation. Now, I know there are segmented parts of our architecture, but at the macro level, you cannot solve
interconnectedness through segmentation logically, right? You're either in an interconnected space
or you're not. So if we're in an interconnected space, we have to solve interconnectedness.
And that gets solved through synergy, not segmentation. So I look at zero trust,
what David's strategy has, I think it was like number
one or two, where you accept persistence. And then the number two assumption is this has got to be a
mindset change across everybody. David just said, and I just would add, everybody has this role
all the time. There's somewhere, someone, and it can be non-state actor as well,
ask Costa Rica right now how they are managing their national health system being taken down by
a criminal gang. This is a nation state who's lost the critical infrastructure for two weeks.
And where do they go? It's not being brought up at the UN. But I would argue that's not crime,
right? That's having a critical infrastructure impact on a countrywide aspect. If you're not seizing your space, if you're not seizing that initiative, you have a problem. And so,
you know, some people, Maggie, have said, well, this is just scale and scope at speed,
right? And so it's hyper basketball. And the problem that I have with
that metaphor is it's still too limiting because the basketball court is changing. The size of it
changes, the configuration changes, the hoop moves. And so the argument that we make in the book
is that the better way to think about this space is not whether I'm playing offense
or playing defense, but whether I have the initiative in anticipating the exploitation
of vulnerability or I don't. If I have the initiative in anticipating the exploitation
of vulnerability, then I'm going to be relatively more secure than the next guy and gal. And I think
zero trust is moving us to an architecture that helps
in gaining that initiative in this space. But if we bifurcate, so when David has somebody breach
his systems, and I actually track those TTPs, and I use that intelligence that I'm gathering
while in fact, I've detected and let them move, and I vector back and use that against the
adversary, was I playing offense or defense? I would submit that the Russians thought they had
the initiative by putting malware on the Ukrainian rail system, and yet we knew it was there,
enclaved it so that it would not be effective. So when tanks roll, 1.2 million Ukrainians are getting on rail systems and getting out
of northern cities.
That hunt forward operation seizes the initiative from the adversary and the adversary is not
able to exploit a vulnerability that may have actually been directly part of their military
plan.
That's a pretty big effect.
David, I want to ask if we have to shift a mindset
about how we do cybersecurity, bring people out of the IT department and thinking about it as
integrated into their day-to-day, what type of pushback did you receive on that?
Not a lot of pushback for the traditional networks, as I talked about. Kind of pushing
on an open door, really, because everybody
was looking for a better solution to what we had in place with the perimeter defenses. We could see
that for the most advanced adversaries, that really wasn't cutting it. So a lot of support for it in
that regard. I think as far as weapon systems and ICS/SCADA systems, critical infrastructure, you know, we're still on that journey to get people to believe that the bad guy could be in that and could have a bad effect on that. how do we not be draconian and selecting specific tools or establishing an enterprise service that
everybody has to adopt, right? Because we know that there are antibodies throughout the department
to doing that. So you'll see in our strategy that we instead worked on capabilities and activities
that you could really build your own as long as you can integrate them all together
and achieve the zero trust effect. That's all we really care about is that you achieve zero trust,
not that you've implemented a specific tool and it's all locked down in the proper manner.
A lot of our inspections to date have been sort of compliance-based. Did you configure these tools
right? But not really focused on did we achieve better cybersecurity
overall. So as we roll out Zero Trust, we do intend to, as people build their own,
implement the capabilities and the activities. We want to kick the tires on every one of those
through red teaming, and then some sort of persistence as well to make sure that everything
stays configured and is operating
as a unit and doing all the things that we want from a zero trust perspective. So, you know,
working through all of that, getting everybody on board as teammates, giving them a voice in
creation of the strategy and how it's going to be implemented. I think we've had a good approach
there. And because we did that versus just top down, here's what we're going to do. I think we've had a lot more success. And we're even reaching out to many of the cloud service providers. They're on board for the first time ever. Early on, like there were all these edicts coming out. There was EO 14028, NSM-8. There were other guides coming out that said, implement zero trust. Everybody was confused.
What does that mean, right?
All the vendors are saying, I'm zero trust and I'm zero trust.
But really, no, it's an integration and an effect that we're trying to achieve here.
So us doing the strategy and defining 91 activities that you have to implement and
they're testable activities gave a target for everybody to shoot toward
to implement and say, yes, I have reached targeted zero trust.
That was a huge point of contention early on because people were putting this zero trust
stamp of approval on their own thing and saying, I've done zero trust.
Well, no, we've now gone back and said, this is really what we're looking for.
So if you can demonstrate that, we'll give you your seal of approval.
But right now, we don't think that what you have there is quite adequate. But overall, it has been going
extremely well. Very happy. We've shared it internationally as well as we are trying to push
NATO to adopt some zero trust policies of their own. It really is like pushing on an open door
mostly as we go forward on this. Dave, I'm glad you brought up the cloud service providers
because my question when you're trying to create
this holistic cybersecurity strategy for Department of Defense,
when you're dealing with something like the internet
and not just DoD-specific intranets,
but when you're looking at the internet as a whole
that relies so much on private architecture
or open architecture that transcends boundaries or is controlled by
large multinational corporations. How do you have to get their buy-in, or is it possible without
including that openness of the internet to have a cohesive strategy?
They were very happy as well to have something to shoot against. And from the beginning,
we've been very open to
anybody sort of critiquing what we've included in our recipe. And for the most part, the vendors
have been very cooperative. One vendor invested a significant amount of money in their own R&D
to develop solutions that meet our zero trust target architecture. So I haven't really encountered much problem with that.
I think what we're doing
is leading the whole federal government
and it is going to benefit
once we have these cloud service providers
deliver solutions that are consumable
and meet the target.
It's going to be a great thing for everyone.
And I think that will even leave the boundary of the United States and cascade into other countries because they'll see the effectiveness
of this and want to adopt it. So I think we are driving a really great initiative here,
and I'm very happy and proud to be a part of that. So that's really good to hear that we're
getting that kind of vendor response. I think that's absolutely critical because as you
pointed out, so much of it's being driven from the private sector. The leverage point, of course,
is contracts there. So folks will come into compliance due to the desire to land those
contracts. And I think the more that DoD leverages that mechanism, they can actually be a cybersecurity propagator across the national economy. There's another layer there, though, and that's people called big tech, which may not be so concerned about a Pentagon contract. Right. And they, too, though, are... Takeaways for me in the Russia-Ukraine conflict that we need to address both through State and DOD is we actually have now examples of independent private sector actors having operational, tactical, and maybe even strategic effect in war. They're direct decisions, right? So they're not
enabling state capacity. They're actually an independent actor. So Starlink makes a decision
to support the Ukraine government, and that's had significant impact. And so as we think about the
terrain that we started this conversation off with, and the idea that we need to anticipate, we need to think through anticipating those relationships.
Right. So it kind of broke in the U.S. favor that Microsoft decided to be supportive of moving to the cloud and made that decision really quickly.
Starlink, which is run by one guy. This is a serious implication because, and I wonder, David, do you want to react to it or not, is as I'm thinking about, you know, you're building out this architecture
and you're changing this and you start to get vendor compliance, but now you got this other
actor out there, right? And it's always been out there, but, you know, their independence
was okay in competition. But back to your point of maybe about mission assurance,
essentially, Ukrainian mission assurance has been dramatically affected by a private sector
decision, right, an independent private sector decision. And so operating in cyberspace is just
getting more and more fascinating and complex, because this used to be the province of states,
you know, independent decisions at that scale. So that to me is another variable. And I wonder
whether, David, that fits into the vendor modality beyond or, you know, how do we manage those kinds
of actors? I'm struggling, you know, thinking through that myself. Yeah, definitely touched
this over the last year, year and a half. And I appreciate, you know, the work of Starlink and their efforts in Ukraine.
Bigger picture, though, I think they struggled with authorities internationally. When we build
something, a weapons system platform, we don't have to go through a lot of the asking permission country by country as to whether or not we can put a spot beam there or whatever.
Starlink had to deal with all of that and sort of getting permissions for when their satellites could be on and when they could be off.
Very interesting problem set.
They are hoping to build something for us.
It's called Starshield, that using our authorities as the Department of
Defense don't have to ask for permission for that. If we need it for one of our missions,
for mission assurance, that spot beam will be on where it needs to be and providing support to us.
Interestingly, too, that platform will be more cyber resilient in general, purposely built and
fielded with much stronger cybersecurity
capabilities. And again, to benefit resiliency and our mission assurance.
Gentlemen, as we begin to conclude our conversation, what are the broad implications
for practice and policy? And really specifically with policy, it's great we have cyber and
cybersecurity strategies out there now. But how do we keep those
strategies up to date and relevant when the speed of policy and the speed of technical innovation
are so out of whack? Yeah, I think it goes beyond even policy. I mean, there's been downward direction, you
know, from the President, from Congress, that we do this. I think to get everybody's buy-in, though, is to start showing results.
Clearly, what the tipper was for SolarWinds was companies that were employing zero-trust principles to begin with and seeing anomalous behavior on their network by looking at logs,
which is the same kind of construct that we're trying to build here.
So what we need to do is demonstrate through effective measures exactly the impact that Zero Trust is having.
Demonstrate it.
We can do it through red teaming.
We can also do it with just looking at the number of incidents that we've had, number of things that we've uncovered using it over time.
I think that's key to selling it is demonstrating that it is working.
I would echo that as well, Laura, in terms of implementation of persistent engagement and defend forward. If you look at recent press reports
about the national strategy that the Biden administration is imminently going to release,
and then some of the discussion of what DOD cyber strategy is, and there's been unnamed officials
saying that we're not moving off of persistent engagement. We're actually going to be doubling down on it.
I think that comes from empirical evidence that we're actually starting to gain space.
There was an interesting quote, someone who said, look, I was concerned about this. I thought it
was more aggressive and offensive and that this was going to be destabilizing.
And it hasn't been.
And why is that?
It's because being active is not aggressive.
And being active and anticipatory is not, in fact, offensive.
To get back to your distinctions, Maggie, right?
So if I can actually anticipate vulnerability exploitation at the malware production level, yes, that means
that I'm on the other side of the fence and I'm sitting in an adversary's network, but I'm not
bricking it. I'm not destroying it. In fact, I'm being persistent and then coming back and taking
that vulnerability away in what looks like David's just patching. So you want to label that defense or offense,
I don't really care. You know, I think it's better that we seize the initiative,
and we use that to create better security. And that's the ultimate thing, right? Are we reducing
cyber insecurity, so that we can actually achieve mission. And ultimately, I think this notion of persistence is also starting
to permeate. If you look at how the DOJ dealt with the Hafnium attack, I mean, a really
significant enterprise level breach, and they use this obscure Rule 41 to go in to private sector
networks and actually patch. And what was fascinating to me was that there
was no uproar over this. Like everybody kind of understood, yeah, government had the scale
and we had to get it out in front of criminal exploitation of that. You know, that's a DOJ
version of initiative persistence, right? And CISA's new strategy, well, their first strategy,
you know, talks about being on the front foot.
They don't use the language specifically of initiative persistence, but if you read that
document, that's all it is.
And so I think we're seeing more and more of USG start to understand where security
rests and that we've been sitting on the sideline for way too long and allowing our
adversaries to operate with a little too much
freedom and being able to push back on that and then gain that ground and hold that ground.
And that's to David's point about persistence, not just being able to train so that we're good
to go today, but figuring out how do we build training and all of our operations so that we're
good tomorrow as well. That's all heading
in the right direction. So what does this mean for future research then? And what role do you
see academia as playing in the future of these ideas? I'll just throw out one option and that's
we've got to actually get better empirical data for academics at the operational and behavioral
level. And that's really hard. So David can see
it. When I wear a different hat, I can see it. In a regular context of doing replicable research,
we don't. And what we've been relying on is primarily after action reports from
cybersecurity companies. There's a little problem with biased data. There's also a recognition that
we're still in a range where you're dealing with an average of 180 days from breach to detection. So you're not actually seeing the operational moment of that interface, whatever you want to call it, offense, defense, or initiative being challenged. We don't have that. And so I think one of the things that we're going to be doing at the Ohio Cyber Range Institute is breaking out an experimental methodology around training that we'll be doing across the state,
so that while we do train, we actually draw data from that that we can use on the research
side. So I think we have to just start to open up the aperture of how to study this. And we got to,
I think, start asking the questions of,
okay, so if we're in a persistent environment,
what does that mean across the scale
of everyone being there all the time?
I would piggyback on that and say that
I kind of come from the school of hard knocks over here.
So I don't know what normal academia would do,
but it seems like teasing out
how we could integrate the offense
and defensive side requires more study.
And then, as I said earlier,
the measures of effectiveness of our defense
would be a good area to research.
And the efficacy of any given piece of our equation,
you know, we've got the 91 activities,
you know, how much does each one
of those kind of add to the overall success? Because we don't have infinite amount of dollars.
What are the most effective pieces of this puzzle that we should be implementing? And you can't buy
everybody's products and integrate them all. So how do we measure that effectiveness, not only of
the zero trust model itself, but individual tool sets.
Mr. David McKeown, Dr. Richard Harknett, thank you so much for being with the Irregular Warfare
podcast today. I know as a non-cyber person myself, I learned a lot. And Maggie, thank you
for bringing this special series to the Irregular Warfare podcast and sharing this with our audience.
So thank you all. Thank you, Laura and Maggie, and also to Dr. Harknett. Definitely enjoyed the
conversation today. I hope your listeners enjoy it. And if you have any follow-up questions,
certainly we at the Department of Defense are open to follow-up questions and we'll be happy to
respond. Yeah, let me echo that as well, Laura and Maggie. You know, when you first thought about it,
cyber persistence theory and zero trust,
how are those two going to connect?
This was a brilliant connection
and Mr. McKeown, really enjoyed the interaction,
but also want to thank you
and your leadership for what you're doing
because it is really truly tracking us
into a more secure space.
And equally, if there's anybody
who wants to follow up,
be happy to, here
through the University of Cincinnati.
And also just to most of your listeners that are on the practitioner side, thanks for everything that you do to keep us secure.
Thank you again for joining us for this first installment of our special series on cyber.
We release a new episode every two weeks. In the next episode, Ben and new host Julia discuss the National Defense
Strategy with Dr. Kori Schake and Brigadier General Chris Burns. Following that, Ben and
Adam talk mission command and IW with Lieutenant General Xavier Brunson and retired Australian
Major General Mick Ryan. Be sure to subscribe to the Irregular Warfare podcast so you don't
miss an episode. The podcast is a product of the Irregular Warfare Initiative.
We are a team of all volunteer practitioners and researchers
dedicated to bridging the gap between scholars and practitioners
to support the community of irregular warfare professionals.
You can follow and engage with us on Facebook, Twitter, Instagram, YouTube, or LinkedIn.
You can also subscribe to our monthly e-newsletter
for access to our content and upcoming community events.
The newsletter signup is found at irregularwarfare.org.
If you enjoyed today's episode, please leave a comment and a positive rating on Apple Podcasts or wherever you listen to the Irregular Warfare podcast.
It really helps to expose the show to new listeners.
And one last note, all that you hear in this episode are the views of the participants and do not represent those of Princeton, West Point, or any agency, the U.S. government,
or the Department of Defense. Thanks again, and we'll see you next time.