Countering defence cyber risks via zero trust
The perception of risk has changed dramatically in the defence sector in the last decade. Cyberattacks are now a significant threat to national security and the risk is rapidly increasing in today’s geopolitical environment.
As a former Lieutenant Colonel in the United States Air Force, my biggest concern has always been how attackers could exploit interconnected assets within our network. This concern has only intensified for people currently in those positions with the advent of AI and deepfakes, which can easily deceive and disrupt critical operations.
Despite significant progress in defence technologies, there are still significant legacy components within networks today. With the increased sophistication and accessibility of cyberattacks, these systems create an easy pathway for threat actors to breach our walled gardens and potentially threaten national security.
The vulnerability of legacy systems
Military installations mirror the infrastructure of small cities. Defence networks are not just radar or weapon systems. These installations include power grids, water control systems and communication channels.
Some of these systems were designed decades ago, without considering modern interconnected threats. Overhauling or replacing them has been difficult over the years, due to the associated high cost and complexity. As a result, these systems are prime targets for cybercriminals.
For example, a military-grade weapon system might have robust built-in security mechanisms. However, these assets are now operated through Internet of Things (IoT) devices and control systems, which often have the same vulnerabilities as those in commercial settings.
Attackers can exploit these weak links, potentially causing significant disruption. The defence sector cannot afford to ignore the risks these ageing assets pose.
The dependence on third parties further aggravates the risk. Many third-party suppliers do not adhere to the strict security standards required to protect sensitive defence assets and information. While these suppliers might pass the initial vetting process, new vulnerabilities and zero-days can show up at any time.
Recent reports highlighted that the UK Ministry of Defence (MoD) is currently using 11 legacy IT systems at a critical risk level. According to the Central Digital & Data Office, the potential failure of these systems could have a severe impact on the country’s overall defence network.
We have already seen the consequence of such risks in recent incidents. Earlier this year, the MoD experienced a breach in its third-party payroll system. As a result, the account details of over 272,000 armed forces personnel and veterans were at risk.
So, without regular audits and continuous monitoring, these third-party assets could potentially disrupt the defence network and threaten our national security.
In addition to these traditional vulnerabilities, the defence sector now faces new-generation threats like AI and deepfakes. These advanced technologies introduce a different set of challenges to an already complex military network.
The increasing risks of AI and deepfakes
AI presents both opportunities and threats for the defence sector. While AI can enhance capabilities and act as a force multiplier, it also introduces significant risks.
One of the most concerning risks is deceptive AI, particularly convincing audio and video deepfakes. Deepfake-powered fraud is growing, with incidents involving high-level business decision-makers becoming more elaborate. In a military context, this threat is even more dire.
Consider a scenario where troops receive a video call from what looks like their commanding officer providing urgent directives, or a missile operator receives deepfake communications about the wrong target. If these directives are fabricated by an adversary, troops could be misled into dangerous situations.
How can personnel confirm they are interacting with their legitimate chain of command? Even when deceptions are identified, the resulting doubt can disrupt decision-making and slow response times.
Addressing these challenges will require the defence sector to remove implicit trust within its network. Breaches are inevitable in this era of advanced persistent threats. So, the best bet is to ensure that our most critical assets are safe and out of the attacker's reach, even if the initially compromised systems are fully under adversary control.
This is why zero trust is non-negotiable for the defence sector.
The importance of a zero trust approach in defence
Zero trust has become a key focus in global defence strategies. It operates on the principle that no entity, inside or outside the network, should be trusted by default. This contrasts sharply with traditional security models that often assume internal entities are trustworthy.
The strategy requires continuous verification of all users and devices attempting to access resources. This model demands rigorous authentication, authorisation and validation at every access point, significantly reducing the risk of unauthorised access.
It also contains lateral movement. Even if a control system or a power station within the defence network is compromised, threat actors won't be able to make their way into the more critical assets with zero trust in place, because every hop is subject to the same verification.
To begin implementing zero trust, defence institutes should map out their entire network, identifying all assets, users and data flows. Understanding the complete landscape is essential for implementing effective access controls and monitoring systems.
Next, the network must be segmented to create isolated environments. This segmentation minimises potential damage from breaches by containing them within smaller, controlled sections.
Strong access controls are fundamental to zero trust. Users and devices should be granted the minimum level of access necessary to perform their functions. This principle of least privilege limits exposure and reduces the attack surface.
Multi-factor authentication (MFA) should also be mandatory for accessing sensitive systems and data. MFA adds an extra layer of security, making it significantly harder for attackers to gain unauthorised access.
Most importantly, the defence sector must remember that implementing zero trust is not a one-time project but an ongoing process. Organisations must adapt their strategies as new threats emerge and technologies evolve. This continuous improvement approach maintains a high level of security over time.
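The steps above (map the network, segment it, enforce least privilege, require MFA, and keep re-verifying) can be reduced to a single default-deny access decision. The following is an added illustration, not code from the article or from any vendor product; the segment names, roles, policy table and session limit are constructed for the example. It shows why a compromised power-station host cannot reach weapon control even with valid credentials.

```python
"""Zero-trust access decision for a segmented defence network (illustrative)."""
from dataclasses import dataclass

# Constructed segmentation map from the network-mapping step:
# (source segment, destination segment) -> roles permitted to cross.
# Anything not listed is denied by default.
POLICY = {
    ("ops_workstations", "weapon_control"): {"weapons_operator"},
    ("ops_workstations", "scada_power"): {"facilities_engineer"},
    ("scada_power", "scada_power"): {"plc_service"},
}

MAX_SESSION_AGE_S = 900  # constructed limit: re-verify every 15 minutes


@dataclass
class Request:
    user: str
    role: str
    src_segment: str
    dst_segment: str
    mfa_verified: bool
    device_compliant: bool
    session_age_s: int


def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; there is no implicit trust."""
    if not req.device_compliant:
        return False, "device posture check failed"
    if not req.mfa_verified:
        return False, "MFA not verified"
    if req.session_age_s > MAX_SESSION_AGE_S:
        return False, "session too old; continuous verification requires re-authentication"
    allowed_roles = POLICY.get((req.src_segment, req.dst_segment), set())
    if req.role not in allowed_roles:
        return False, f"no policy permits role {req.role} from {req.src_segment} to {req.dst_segment}"
    return True, "allowed"


if __name__ == "__main__":
    # A PLC service account on a compromised power-station host tries to pivot.
    pivot = Request("svc-plc", "plc_service", "scada_power", "weapon_control", True, True, 60)
    print(authorize(pivot))   # denied: no segment policy permits this path
    # A weapons operator on a compliant, MFA-verified workstation.
    op = Request("jsmith", "weapons_operator", "ops_workstations", "weapon_control", True, True, 120)
    print(authorize(op))      # allowed
```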
The critical role of the UK government
The UK government also plays a critical role in encouraging the defence sector to adopt a zero trust strategy. We know that the MoD is preparing to implement a zero trust architecture by 2026, according to its latest cyber resilience strategy. However, its successful implementation hinges on a well-mapped journey.
In the United States, President Biden’s Zero Trust Memorandum and CISA’s Zero Trust Maturity Model provided useful and precise guidance to federal agencies and businesses alike. Both outlined clear directives for improving cybersecurity across federal agencies, demonstrating a committed approach to tackling cyber threats.
The UK government should consider a similar approach. A clear and transparent strategy must be communicated to the public, emphasising the steps being taken to secure national defence systems. The MoD should also set clear directives on how its associated organisations and third parties should invest in modern technologies, train personnel and adopt best practices in cybersecurity.
Overall, zero trust is not just a strategic choice but a fundamental necessity. Embracing these principles will fortify our defences, ensuring that our critical infrastructure and military operations remain secure. The commitment to zero trust is critical for safeguarding national security and maintaining public confidence in our defence capabilities. The time to act is now.