43 Comments

"A bit of malicious code can be just as effective as a few tons of TNT."

Think Cylons. Or, if you really want to go old school, think Heinlein's The Moon is a Harsh Mistress. I hope that the DOD is addressing the potential for AI spoofing. Also hoping it won't take a WW2 or two to do so.

It's been apparent to me, after holding a TS clearance for more than 52 years with SCI access for half that, that beyond the IT focus you are speaking to, we have gotten away from the foundational concept of:

"NEED TO KNOW"

Maybe it was the post 9-11 drive to "tear down walls that prevented info sharing" or the whole "Jointness Uber Alles" mindset, but too many people collect too many tickets and badges for programs they have no earthly reason to need other than ego.

Bradley Manning, a PFC in A-stan, had no reason to have access to classified Dept of State cables regarding eavesdropping on the German PM, for example. Why did some ANG E3 need SCI info on Ukrainian 155mm stocks? Is a 155mm hung on an F-35 now?

The whole mindset needs to be inverted.

I tend to dig in, sorry.

If it takes one world war to get security working that seems way too long but it might be okay. If it takes two world wars, I won't matter. There won't be anything left to protect.

Pick one "agency" and do a proof of concept, learn from that. I know nothing about how data is organized and secured in the siprnet - how long would it take to do zero-trust at one agency? At which agency do you start? Does it require hardware - special laptops with no USB ports and keycard readers? If yes, can they go with COTS or does everyone have to have their own acronym? Maybe it would be best to have air gaps between agencies - that would keep that PFC from looking at DOS cables.

About "need to know", "who decides?" If the originator decides, maybe they don't know enough to make a good decision - they include too few people. That is the classic case - if you don't tell anyone, then you get no value from the information. If you tell too many people, the target hears about it and changes stuff so the information half-life drops to nothing and maybe your source ends up in cement overshoes. Seems to me that we pretend to have compartmentalization but the compartments include way too many people - the "information sharing" problem.

How about a central authority? Kim Philby was one step from running the British Secret Intelligence Service and a long term spy for Russia.

IT sysadmins do NOT need to have the credentials to decrypt information stored on their servers.

Need to know is the basic reason for access.

9/11 has increased the need for moving info out of compartments, but maybe we should return to those prior tenets.

Like the sign at Intel School in San Diego said, "Intelligence, the world's second oldest profession, with morals and standards just slightly better than the first."

Zero trust also applies to those who provide us information, either via approved 'leaks' or news reports. It applies to talking heads and pundits reporting on the war in Ukraine.

Trust is earned the long way. Unless I know a source well, I'm going to go ahead and assume

Everything is an op.

I have a list of 51 people whose security clearance needs to be revoked immediately.

Once worked for an Army MG who truly was worth his salt…he told our team once that “trust is hard to earn, but can be violated in an instant”…

In other news, McGrath is going to be on the Congressional committee on the future of the Navy! Congrats and thank goodness! https://breakingdefense.com/2023/05/congress-lags-in-setting-up-its-own-future-navy-panel/

Compartmentation. We keep trying to push the One Big System that does everything. Which is vulnerable. Compartment things. Put them on separate systems.

We've also got a distributed population that includes people who need to access controlled information from home. There are strides being made, but the DoD information systems edifice is so big, and has so many access points, that security can be almost impossible.

Otherwise, yes, get back to compartmentalization. If we can start there, the damage from leaks can be reduced.

Brilliant. And imperative. And RWR said, "Trust, but verify."

Note: Not related but it's May 10th, so a fullbore story from that day in the air over Okinawa 1945. LTC Klingman passed away back in 2004. https://www.marines.mil/News/News-Display/Article/584583/story-of-bob-drummer-pilot-legend/

How do you not trust anything, and require verification of everything, yet not let paranoia paralyze you? In a bureaucracy, against a mindset of needing written instructions to do anything at all, high on CYA and never taking initiative, zero trust sounds all too ready to be everyman's excuse to do nothing.

If software "engineering" were as rigorously taught, controlled and credentialed as other engineering fields, as it should and inevitably will be, these severe problems would be significantly fewer.

For example, we don't expect live vehicle traffic to be used to test the structural integrity and safety of bridges. But that's largely exactly what we're doing with software.

Change is coming but let me tell you, DoD and govts in general are not keeping up or educated widely enough.

Anybody that understands the true state of DOD networks knows how much of a fantasy land zero trust is. DOD classified nets are balkanized into millions of local networks completely isolated from each other. It takes an act of God to even connect two disparate classified networks, let alone control them all from one zero trust system. People think SIPRNet is "THE" classified DOD network; they are legion, and none of them talk to each other.

I retired nearly 40 years ago. Before desktop/laptops, mobile phones, internet, social media, & detachable storage. Back then information transfer had to be done by couriers and dead-drops and face-to-face.

These days, the idea that a breach can be contained is hubris; it will be to its users before it’s discovered.

Security will have to start at the front end and limiting access is the most basic defense.

I look at that flow chart and it seems already too complex with too many inputs.

Even back in the day, the Pentagon / Syscom product was the process. No change today, it seems. Death by PowerPoint.
