WASHINGTON — Hackers backed by the U.S. Department of Defense will attack networks run by Amazon, Google, Microsoft and Oracle to better understand zero-trust cybersecurity in commercial cloud environments.
So-called red teams of ethical hackers from the National Security Agency will test the digital strength of the four cloud service providers, or CSPs, starting in the spring. The Defense Department in December selected the companies for its $9 billion Joint Warfighting Cloud Capability, a follow-up to the failed $10 billion Joint Enterprise Defense Infrastructure arrangement.
“We’re going to have the NSA red team, and perhaps even service red teams, attack,” Zero Trust Portfolio Management Office Director Randy Resnick said at a Jan. 19 event hosted by Billington Cybersecurity. “That would be a realistic adversary attack, a controlled attack, and we would determine whether or not the red teams could get and exploit data.”
The operation — of mutual agreement and not a requirement tied to the JWCC deal — will inform how the Defense Department proceeds with zero trust. It could also prove the vigor of the cloud providers and lay the foundation for future zero-trust-enabled storage and computing.
Unlike older cybersecurity models, zero trust assumes networks are always at risk or are already compromised. The new paradigm, as a result, is inherently distrustful and requires constant validation of users, devices and general access.
Resnick previously described the concept as enhanced home security: “We have identified the items of value within the house, and we’ve placed guards and locks with each one of those items inside the house, as well.”
Amazon, Google, Microsoft and Oracle each told the Defense Department they could instate at least basic levels of zero trust, according to Resnick.
“To our satisfaction, at least on paper, they said to us that all of them could meet target-level zero trust and that many of them could approach almost the entirety, if not the entirety, of full zero trust, which we’re calling advanced,” Resnick said.
“What we plan on doing,” he added, “is actually testing their assertions.”
Zero trust implementation comprises a little more than 150 activities, which were detailed in the Defense Department’s related strategy, published in November.
The Pentagon hopes to institute the lower threshold, 91 activities, by 2027. The department has since 2015 experienced more than 12,000 cyber incidents, according to a Government Accountability Office evaluation.
“Our objective in the DoD … is to stop the adversary from exploiting our data,” Resnick said Thursday. “In order to do that, our North Star was to stop, contain, frustrate, limit lateral movement of the adversary. That’s our success point.”
An addendum to the Defense Department zero-trust strategy is in the works, following a cybersecurity summit involving the U.S. and its intelligence-sharing Five Eyes partners Australia, Canada, New Zealand and the U.K.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.