Intel CIOs Tout Zero Trust Efforts for Cyber Defenses
Officials said that access control and information sharing are critical to cybersecurity operations in the Intelligence Community.

Intelligence agency IT leaders emphasized stronger cybersecurity through zero trust implementation, expanded threat information sharing and close cooperation across agencies to defend against cyber threats.
Among the key initiatives briefed at the DoDIIS conference in Omaha, Nebraska, Tuesday are the Defense Intelligence Agency’s new cybersecurity inspections, which it stood up as part of the Defense Department’s Joint Worldwide Intelligence Communications System (JWICS) modernization.
“We look at the health of the cybersecurity environment that agencies are connecting to JWICS. That goes through everything from as deep as red teaming to looking at the current state of infrastructure … and providing a risk assessment based on those findings,” said DIA CIO Douglas Cossa. “[The inspections are an] opportunity to identify what are the advancements we need to make in cybersecurity health.”
Cossa cited the Security Coordination Center, jointly run by the Office of the Director of National Intelligence (ODNI) and DIA, as one way that the Intelligence Community communicates cyber threats throughout the IC and patches the exploitable vulnerabilities.
The panelists cited joint efforts like these as critical parts of collaborative cybersecurity.
“We have to remember that there should be no ego in this game. We have to make the phone calls. We have to look for the signatures,” said ODNI CIO Sue Dorr. “It’s this partnership, it’s this community that makes 100% of the difference.”
“As soon as you know about these things, you need to share that information so that you can begin to fix it,” said National Geospatial-Intelligence Agency CIO Mark Chatelain. “It’s collective action to defend our critical infrastructure.”
National Security Agency Chief Financial Manager Jennifer Kron, who previously served as deputy CIO, said information sharing outside of the IC is especially critical with the Defense Industrial Base and other government agencies.
“We’re only as strong as our weakest link. That’s why NSA invests so much in not only continually upping our own pace, but sharing that with our partners, not only on the stage, but in the audience,” said Kron. “The bad thing is, we’re all in this together. A risk to one, it’s a risk to all. But the good thing is, we’re all in this together.”
IC elements are working on implementing zero trust to bolster cybersecurity in a constantly changing environment. Kron said NSA’s network security and identity management systems are always evolving.
“The zero-trust journey is one that we’ve been on for quite a long time,” said Kron. “We implemented ‘secure the enterprise, secure the network,’ which are essentially what we talk about as zero trust today. I know what it took for us to do that, having watched it from different roles. [It took] enormous intensity and investment and continuous focus year after year. That was just to get us to what we think is good enough.”
CIA Deputy CIO Ryon Klotz said zero-trust implementation is setting standards for security.
“Developing a common understanding of baseline of basic maturity model for zero trust allows us to commonly evaluate where we are on the various pillars of zero trust and then target investments to enhance the maturity across [the IC],” said Klotz.
Chatelain said zero trust is a fundamental change to how agencies treat risk and cybersecurity and is critical to defending against insider threats and external adversaries.
“Zero trust is a very important initiative, and I think it’s going to really have a major effect also on the way that we do cyber defense because we recognize that we’re moving from more network-centric defenses to data-centric defenses,” Chatelain added. “If you assume that the network is compromised, you’re in a much better position.”