Recent malware found in U.S. military networks on Guam could signal how China plans to disrupt military mobilization in the event of a conflict, but it’s also a call to speed up cybersecurity preparations, a top defense cyber official said.
China’s “living off the land” techniques suggest a “theory of disrupting military mobilization, but also sowing chaos in the United States and for the United States military,” Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, told reporters Friday at the Defense Writers Group. “It is the second piece of that—the sowing chaos—that would cause harm to the American people that we find an anathema. That is not something that we, the United States military, would do to deliberately harm civilians with no military nexus there.”
The Pentagon expects adversaries to try to disrupt military mobility, but “living off the land” techniques, which rely on tools already built into a system or network rather than on custom malware, so that the intruder's activity blends in with legitimate administration and evades detection, could unduly harm civilians, she said: “Our obligations under the laws of armed conflict would require us to have some kind of military necessity in the operations that we would conduct…And so we have some real concerns about what that activity might mean.”
But China’s use of those tactics is also a call for broad adoption of zero-trust management tools “to better monitor and log network activity to be able to identify things that look anomalous, and be able to figure out if that’s in fact, just something weird, or that’s actually malicious activity on their networks,” Eoyang said. “So we would really encourage people to lean forward into being able to do identity and access management, anomaly detection and those types of things.”
The Defense Department wants to fully implement zero-trust architecture by 2027. It has been touted as a way to limit insider threats, and is also named as part of the Pentagon’s overall cyber strategy, which was updated this month. The refreshed document names zero trust as a way to “frustrate future malicious cyber activity” and as a bedrock for expanding cyber capabilities.
It could also be essential to relaying classified information on the battlefield—as well as on bases and among offices in the Pentagon.
The Army demonstrated that during Talisman Sabre, a recent multinational military exercise in the Pacific region in which more than a dozen countries and 34,000 troops participated.
“We actually fielded this in a live classified environment. And we were using it to manage access to planning documents, file shares, chat rooms, things like that,” John Sahlin, General Dynamics Information Technology’s vice president of defense cyber solutions, told Defense One.
The technology displayed at Talisman Sabre is part of GDIT’s Everest Digital Accelerator program and was the first time the company was able to demonstrate it in an operational environment, with joint services and international mission partners.
“The most important thing that we were able to demonstrate at this exercise was the ability zero trust gave us the flexibility to share mission data in theater,” Sahlin said.
During the exercise, maneuver commanders could make tactical decisions and manage data—including how, when, and with whom, he said: “It’s more than just slapping a lock on data and keeping it protected. The data has no inherent value, if I can’t use it, to execute a mission.”
With that success, Sahlin wants to take the technology into more complex environments: mission applications, and ingesting data from operational technology such as sensors.
Zero trust, he said, is about granting access dynamically, based on observed behavior as well as on a person’s role, clearance, job, and identity.
“Because even though you’re a [system administrator] you don’t really need to be opening intelligence analysis documents. So why are you even reading that report even though you have access to the system, so I’m going to start locking down your access because your behavior is inconsistent with what I would expect of you,” he said.
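The two ideas above, logging and flagging anomalous activity (Eoyang) and tightening access when behavior drifts from what an identity's role would predict (Sahlin), fit together in a single policy decision. The following is an added illustration, not GDIT's or the Pentagon's code: a small policy engine that gates each request on clearance and role, then compares the request against the identity's own access baseline and starts locking the identity down once it keeps reaching outside that baseline. The roles, categories, thresholds, user names and log lines are all constructed for the example.

```python
"""Behaviour-aware access decisions on top of role and clearance checks.

Added example (not DoD/GDIT code). Roles, resource categories, clearance
levels, thresholds and the sample log are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Static entitlements by role. "*" models the sysadmin case in the quote above:
# the static policy alone lets this role open anything on the system.
ROLE_CATEGORIES = {
    "sysadmin": {"*"},
    "intel_analyst": {"intel_report", "planning_doc"},
    "planner": {"planning_doc", "chat_room"},
}
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}

MIN_BASELINE = 5        # events needed before behaviour is judged at all
ANOMALY_SHARE = 0.05    # category below this share of history is out of pattern
ANOMALY_PENALTY = 0.3   # trust lost per out-of-pattern access
LOCKDOWN_BELOW = 0.5    # below this trust, the identity is confined to its baseline


@dataclass
class Subject:
    user: str
    role: str
    clearance: str
    history: Counter = field(default_factory=Counter)  # category -> count seen
    trust: float = 1.0
    locked_down: bool = False


@dataclass
class Resource:
    name: str
    category: str
    classification: str


def decide(subject: Subject, resource: Resource) -> tuple[bool, str]:
    """Evaluate one request; returns (allowed, reason) and updates the subject.

    Steps 1 and 2 are the classic clearance and role gates. Step 3 is what the
    behavioural layer adds: the request is compared with what this identity
    normally touches, and repeated deviation tightens its access.
    """
    if CLEARANCE_RANK[subject.clearance] < CLEARANCE_RANK[resource.classification]:
        return False, "denied: clearance"                       # 1. clearance
    allowed = ROLE_CATEGORIES[subject.role]
    if "*" not in allowed and resource.category not in allowed:
        return False, "denied: role"                            # 2. role
    total = sum(subject.history.values())                       # 3. behaviour
    share = subject.history[resource.category] / total if total else 1.0
    anomalous = total >= MIN_BASELINE and share < ANOMALY_SHARE
    if not anomalous:
        subject.history[resource.category] += 1
        return True, "allowed"
    if subject.locked_down:
        return False, "denied: locked down, outside baseline"
    subject.trust -= ANOMALY_PENALTY
    if subject.trust < LOCKDOWN_BELOW:
        subject.locked_down = True
        return False, "denied: anomalous, access tightened"
    # Flagged but allowed. Deliberately not added to the baseline, so repeated
    # out-of-pattern reads stay anomalous instead of normalising themselves.
    return True, "allowed: anomalous, flagged"


# Constructed access log: "<timestamp> <user> <resource> <category> <classification>".
# adm01 is a sysadmin doing sysadmin things, then starts opening intel reports.
SAMPLE_LOG = """\
T+00:00 adm01 /etc/sshd_config system_config SECRET
T+00:02 adm01 /var/log/auth.log audit_log SECRET
T+00:05 adm01 /srv/share/acl file_share_admin SECRET
T+00:09 adm01 /etc/pam.d/sshd system_config SECRET
T+00:15 adm01 /var/log/secure audit_log SECRET
T+00:20 adm01 /srv/intel/assessment-a.pdf intel_report SECRET
T+00:21 adm01 /srv/intel/assessment-b.pdf intel_report SECRET
T+00:25 adm01 /etc/sshd_config system_config SECRET
T+00:26 adm01 /srv/intel/assessment-c.pdf intel_report SECRET
T+00:30 an02 /srv/intel/assessment-a.pdf intel_report TOP_SECRET
"""


def run_log(log_text: str, subjects: dict[str, Subject]) -> list[tuple[str, str, str, str]]:
    """Replay a log through decide(); returns (timestamp, user, resource, reason)."""
    decisions = []
    for line in log_text.strip().splitlines():
        ts, user, name, category, classification = line.split()
        _, reason = decide(subjects[user], Resource(name, category, classification))
        decisions.append((ts, user, name, reason))
    return decisions


def demo() -> list[tuple[str, str, str, str]]:
    """Fresh subjects each call so the replay is repeatable."""
    subjects = {
        "adm01": Subject("adm01", "sysadmin", "SECRET"),
        "an02": Subject("an02", "intel_analyst", "SECRET"),
    }
    return run_log(SAMPLE_LOG, subjects)


if __name__ == "__main__":
    for ts, user, name, reason in demo():
        print(f"{ts} {user:6} {name:36} {reason}")
```

In the replay, the sysadmin's first five events build a baseline; the first intel report is allowed but flagged, the second drops trust below the lockdown threshold and is refused, routine system_config work continues to be allowed, and a third intel report is refused because the identity is now confined to its baseline. The analyst's request fails on the plain clearance gate before behaviour is considered. A real deployment would feed the anomaly signal from whatever monitoring and logging the network already has, and would likely require step-up authentication rather than a hard deny on the first deviation.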