Earlier this year, a member of the Massachusetts Air National Guard with a top-secret security clearance leaked national security documents to the social media platform Discord. The documents, which quickly spread to other platforms, contained sensitive information about U.S. and NATO involvement in the war in Ukraine, including details of anticipated weapons deliveries, per the New York Times.
Weeks later, Pentagon CIO John Sherman said that a full implementation of the DoD’s Zero Trust strategy would have prevented the leak. The leak makes the point plainly: Zero Trust is no longer optional, but it is the bare minimum rather than the end state. To remain proactive, aware, and fully secure, agencies need a strategy layered with additional controls on top of it.
The Pentagon’s Zero Trust strategy
Zero Trust has been top-of-mind for the Department of Defense for some time now, as evidenced by the aggressive Zero Trust strategy the department unveiled last November. The goal is for the entire department to operate on a Zero Trust architecture by 2027. To that end, the DoD released a detailed execution roadmap in January, which spelled out not just the capabilities in question, but a timeline for implementing them.
The Biden Administration’s National Cybersecurity Strategy, released in 2023, also emphasizes the importance of Zero Trust principles to counter threats “both inside and outside traditional network boundaries.” In the wake of the Pentagon Discord leak, DoD CISO David McKeown noted that insider risks—those with “legitimate authorization and access”—remain one of the biggest cybersecurity challenges out there.
Moving beyond Zero Trust
As insider risks persist, alongside the potential for outside attackers to gain network access, agencies must consider how they can strengthen their cybersecurity postures beyond a Zero Trust approach. Even with a “never trust, always verify” mindset in place, things can fall through the cracks. To that end, the principle of least privilege, multi-factor authentication (MFA), and content disarm and reconstruction (CDR) each add a layer of protection, and each addresses a different gap.
To start, the principle of least privilege goes hand-in-hand with Zero Trust. As the name suggests, it means a user receives only the access required to do their job, and no more; a clearance establishes that someone may be trusted with a category of information, not that they need every document in it. In the case of the Discord leak, it is worth asking whether the insider truly required access to the documents he ended up leaking, and whether anyone reviewed that access on a recurring basis.
MFA verifies that a user is who they claim to be by requiring two or more independent factors: something the person knows (a password), something they are (a biometric) and something they have (a device or hardware token). It raises the cost of credential theft and ties every access to an authenticated identity, which is what makes access logs usable as an audit trail after a leak. It does not, on its own, stop an insider who authenticates legitimately; what it guarantees is that the person in the logs is the person who was there.
Meanwhile, content disarm and reconstruction (CDR) applies Zero Trust principles to data. Instead of trying to detect malware, CDR treats every file as untrusted: it rebuilds the file from its known-good components (text, formatting, images) and leaves behind active or opaque content such as macros, scripts and embedded objects, whether or not anything malicious was detected. This removes the foothold attackers rely on when they hide malware inside complex file formats. Note that CDR addresses malicious content coming in, which is a different problem from sensitive content going out: it would not have stopped an insider who already held the documents, but it closes one route by which an outside attacker gains the kind of access that insider already had.
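As an added illustration (not code from this article or from Forcepoint’s products), the Python below rebuilds a Word document from an allow-list of its parts rather than scanning it for malware, which is the CDR approach described above. The container format, part names and relationship types are the real OOXML ones; the rule set, the constructed sample document and the function names `disarm`, `build_sample_docm` and `summarize` are assumptions made for this example.

```python
"""Toy content disarm and reconstruction (CDR) for OOXML (.docx/.docm) containers."""
import io
import re
import zipfile

# Parts never copied into the rebuilt document: VBA, OLE embeddings, ActiveX.
# Constructed rule set for this example; a real CDR engine carries far more rules.
DENIED_PART_PATTERNS = [
    re.compile(r"^word/vbaProject\.bin$"),
    re.compile(r"^word/vbaData\.xml$"),
    re.compile(r"^word/embeddings/"),
    re.compile(r"^word/activeX/"),
]
# Relationship types (last segment of the Type URI) that lead to those parts or to
# remote templates. Hyperlinks are inert text and may stay.
DENIED_REL_TYPES = ("vbaProject", "oleObject", "package", "control", "attachedTemplate")


def _is_denied(part_name: str) -> bool:
    return any(p.match(part_name) for p in DENIED_PART_PATTERNS)


def _clean_rels(xml: str) -> str:
    """Drop <Relationship> elements that point at denied parts or external resources."""
    def keep(m: re.Match) -> str:
        rel = m.group(0)
        if 'TargetMode="External"' in rel and '/hyperlink"' not in rel:
            return ""
        return "" if any(f'/{t}"' in rel for t in DENIED_REL_TYPES) else rel
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)


def _clean_content_types(xml: str) -> str:
    """Remove overrides for dropped parts; a macro-enabled main part becomes a plain one."""
    xml = re.sub(r'<Override\b[^>]*PartName="/([^"]+)"[^>]*/>',
                 lambda m: "" if _is_denied(m.group(1)) else m.group(0), xml)
    return xml.replace("application/vnd.ms-word.document.macroEnabled.main+xml",
                       "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")


def disarm(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the container part by part; return (new file bytes, names of dropped parts)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out_buf, dropped = io.BytesIO(), []
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            if name.startswith("/") or ".." in name.split("/"):
                raise ValueError(f"refusing path-traversal entry {name!r}")
            if _is_denied(name):
                dropped.append(name)
                continue
            body = src.read(name)
            if name.endswith(".rels"):
                body = _clean_rels(body.decode("utf-8")).encode("utf-8")
            elif name == "[Content_Types].xml":
                body = _clean_content_types(body.decode("utf-8")).encode("utf-8")
            # writestr() with a bare name makes a fresh ZipInfo: extra fields, comments
            # and odd attributes of the original container are not carried across.
            out.writestr(name, body)
    return out_buf.getvalue(), dropped


def build_sample_docm() -> bytes:
    """Constructed skeleton of a macro-enabled document, just enough for the rules above."""
    rel_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            "</Types>",
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Quarterly summary</w:t></w:r></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{rel_ns}/attachedTemplate" Target="http://example.invalid/t.dotm" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{rel_ns}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
            "</Relationships>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stand-in for an OLE container holding VBA",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def summarize(data: bytes) -> dict:
    """Part names and rewritten XML of a rebuilt file, for inspection."""
    z = zipfile.ZipFile(io.BytesIO(data))
    return {"parts": z.namelist(),
            "rels": z.read("word/_rels/document.xml.rels").decode("utf-8"),
            "content_types": z.read("[Content_Types].xml").decode("utf-8")}
```

Running `disarm(build_sample_docm())` drops `word/vbaProject.bin`, removes the relationship that pointed at it and the external template link, keeps the hyperlink, and rewrites the content type of the main part so the result is a plain `.docx`. Nothing was scanned for a signature; the macro is gone because it was never on the allow-list. A production CDR engine goes further in two ways this toy does not: it parses each part into a document model and re-serialises it (so malformed XML and exploit payloads in the parser’s path are also discarded), and it removes body elements that referenced a dropped part (an OLE object’s `r:id`, for instance) so the rebuilt file opens cleanly.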
The bottom line
It’s no secret that cybersecurity is a challenging and ever-changing domain for the federal government. The Pentagon leak is just one example of the risks that arise when cybersecurity measures are insufficient. In addition to fully implementing its Zero Trust strategy, the DoD must layer in least privilege, MFA and CDR to protect critical systems and data, with least privilege in particular following directly from the philosophy of Zero Trust.
The bottom line is that Zero Trust, while important, isn’t the finish line for cybersecurity, but instead represents the bare minimum, particularly as threats evolve.
Mindy Gilbert is Vice President, Product Management and Operations, at Forcepoint, an Austin, Texas-based company that develops computer security software and data protection products and services.