Voices of Innovation

Innovating for Security: Zero Trust Solutions in the DoD

Episode Summary

This episode features award-winning broadcaster and host of Fed Gov Today, Francis Rose, joined by John Sahlin, Vice President of Cyber Solutions at GDIT, and Randy Resnick, Director of the Zero Trust Portfolio Management Office at the Department of Defense. Together, they discuss the importance of collaboration and innovation in developing an effective zero trust strategy.

Episode Transcription

00:00:02:02 - 00:00:08:12

Unknown

Welcome to Voices of Innovation, GDIT’s technology podcast, delivering insights into our work

 

00:00:08:23 - 00:00:13:17

Unknown

and leading edge technologies like AI, cloud, cyber and quantum.

 

00:00:14:04 - 00:00:23:23

Unknown

Here we dive into the minds of our experts and explore the latest in technology, innovation and creating a culture that drives performance. I'm your host, Tim Gilday,

 

00:00:24:03 - 00:00:26:09

Unknown

Senior Director for Emerging Technologies,

 

00:00:26:16 - 00:00:28:16

Unknown

and I'm very excited about today's topic

 

00:00:29:02 - 00:00:33:08

Unknown

because it delves into an ever present issue in our lives and the missions that we serve.

 

00:00:33:13 - 00:00:54:03

Unknown

This episode features award-winning broadcaster and host of Fed Gov Today, Francis Rose, joined by John Sahlin, Vice President of Cyber Solutions at GDIT, and Randy Resnick, Director of the Zero Trust Portfolio Management Office at the Department of Defense. Together, they discuss the importance of collaboration and innovation in developing an effective zero trust strategy.

 

00:00:54:09 - 00:00:55:19

Unknown

Let's jump in.

 

00:00:58:05 - 00:01:16:19

Unknown

Gentlemen, welcome. It's great to see you. Randy, welcome to you first. Thank you. As I mentioned, to talk to John about this and he was very explicit about the fact that you're focused on making sure that you're meeting the mission requirements of zero trust and not just checking off a whole bunch of items on the list of controls.

 

00:01:16:19 - 00:01:40:08

Unknown

90 some, I think. How are you going about doing that? How are you assessing success? If checking the boxes is not the way that you want to do that? Well, when we first. Thank you. Thank you for the question. Thanks. It's good to be here. When we came up with the definition of zero trust, we realized that the equipment that makes up the infrastructure for zero trust has to be integrated.

 

00:01:40:09 - 00:02:01:09

Unknown

So once you start integrating equipment with the diversity of the vendors that are out there, you start getting to an understanding that there's no way that the government could continue to dictate the type of items we need because they're not individual items anymore. It's not like I need to buy a firewall, I need to buy an endpoint thing or I need to buy a gateway.

 

00:02:01:09 - 00:02:34:07

Unknown

It's not that anymore. So we started thinking, okay, we spent 30 years doing it the old way. It hasn't really worked. It hasn't kept up with the TTPs of the adversary. So instead, why don't we try a different thing? Why don't we say the outcome that we want to achieve in zero trust for us in the DOD? It's stopping the adversary dead in the tracks and then work backwards and allow industry to innovate on that concept, which allows for a tremendous amount of innovation.

 

00:02:34:07 - 00:02:58:18

Unknown

And that's exactly what we've seen in the last two years. So we think we have a winning idea. Industry likes it a lot because we're not telling them what to do anymore. It's not a checklist, but in a way, we're describing what needs to get done in terms of the 91 activities for our target. But how to go about doing it and which products need to be woven together and integrated.

 

00:02:58:23 - 00:03:26:12

Unknown

That's up to them. We just want the outcome. How do you respond to that? That's what industry has been asking for, for everything for forever. As long as I can remember, it's music to my ears. I love it. And we've had this conversation before. You know, I sometimes come off as a little heretical when I say this, but, you know, I firmly believe that cybersecurity, particularly zero trust.

 

00:03:26:12 - 00:03:54:22

Unknown

But in general, it's not about compliance. It's not even really about IT. It's about meeting the mission objectives. That's right. And your focus on the outcomes, your focus on stopping the adversary is exactly right. Because for me, as a system developer, as a system builder, I would much rather have use cases. Tell me what you're trying to achieve.

 

00:03:55:00 - 00:04:17:09

Unknown

Don't give me a bunch of shall statements. And this approach is perfectly in line with that. Tell me what the outcomes are. Tell me what activities we're trying to achieve and how we're trying to stop the adversarial types. And let's just go after it. And I don't think you've ever heard of that concept prior to zero trust.

 

00:04:17:11 - 00:04:49:14

Unknown

Not in certainly not in federal. Certainly not in federal. It's very much a Silicon Valley of, you know, agile development user story driven concept. And I love that because that's there are so many proof points of the effectiveness of telling me what, don't tell me how. Right. How do you in the department and you in industry consider that concept when you're doing things like pushing it out to the tactical edge?

 

00:04:49:14 - 00:05:13:07

Unknown

Another thing that John and I talked about it doNis Yeah, so we are describing the problem at the tactical edge. Basically a lot of people think of zero trust as only at the enterprise level. Imagine this is we're in a room this size, but it's packed with air conditioners, dehumidifiers, you know, that's how people think of enterprise.

 

00:05:13:09 - 00:05:34:23

Unknown

But in the tactical edge, depending on the service that you are, if you're the Navy, it might very well be a submarine. If you're in the Marines, it's an individual or a team rolling in the mud. And for JADC2, it will be all of those. It will be all right. Right. It'll be the signals. So everybody has a different story of what the tactical edge is.

 

00:05:35:01 - 00:06:03:01

Unknown

And so for zero trust, that becomes very complex because depending on the device that you're using at the tactical edge, it may or may not be able to have the storage or an operating system even that you need for zero trust. That's number one. Number two is, zero trust fundamentally needs or requires an identity of the user, of the people that you communicate with, of other devices.

 

00:06:03:03 - 00:06:37:04

Unknown

And so if you are completely disconnected, that's what the tactical edge really means. They call it DDIL. If by chance the Internet goes down and you're completely disconnected and you have a ZT infrastructure, how do you continue to communicate and do your mission? You know, we don't want to not allow the mission to continue. So we need to think about innovative ways to bring down what is absolutely required and cache it locally or to do other innovative things that industry brings to bear.

 

00:06:37:04 - 00:07:03:11

Unknown

Because I'm describing as the government or the XDR-TB form of the problem and I'm saying this is the problem. Give me a solution for that, for the outcome that I need to get. Yeah. And so we're looking at all kinds of different solutions. You know, I don't want to name products and such, but they're existing and a lot of companies are developing or building new product to fulfill this requirement.

 

00:07:03:13 - 00:07:36:01

Unknown

And that's exactly what the DOD wants to see. We want to see a diversity of equipment that performs in the toughest situations. John, about the edge you wrote recently, as it becomes particularly critical as you move down to the tactical edge, how so? And why is that? What multiplies that as one gets closer to the edge? Well, I think something that Randy said is really important here when we talk about tactical edge, which is the tactical edge is different depending on the service in the mission.

 

00:07:36:03 - 00:07:58:21

Unknown

It could be at the individual human level, it could be at the platform level, something like a submarine or a ship. It could be a deployed unit or it could be, you know, the Army looks at the division as their unit of action for a corps or from a unit of action to peel down to the tactical edge at some levels.

 

00:07:58:23 - 00:08:28:12

Unknown

Each of those face different challenges. They all have different missions to some degree. And the piece parts that comprise that zero trust solution, like Randy was saying, at the individual level, you're not going to have the storage and computing capacity that you will at a platform level or vehicle level or certainly at the division level. So that's where it becomes important to understand that one size does not fit all.

 

00:08:28:14 - 00:08:54:04

Unknown

And you have to think about zero trust in terms of, I like to look at it in terms of capability bricks. I don't necessarily need the entire set to do everything at the enterprise and push that down to every tier of tactical. So understanding what the right set is for each tactical mission is important. And I think that's why it's so important to look at that.

 

00:08:54:08 - 00:09:18:03

Unknown

So in cybersecurity, what John just said is so important and why what he said is so true. When you're in a tactical environment, you can think of the data that you're exchanging as limited in terms of its sensitivity. It's not up to me to decide how long that sensitivity is, but I can tell you it doesn't need to be stored or saved for 30 years.

 

00:09:18:05 - 00:09:46:07

Unknown

So that being said, you could lighten the load of zero trust, but still absolutely over-design what you require and still allow that communication to happen, still protecting the data much longer than really the data classification needs to be saved. Sometimes it's minutes, sometimes it's hours, or weeks. But whatever it is, that has to be decided with the data owner.

 

00:09:46:09 - 00:10:10:10

Unknown

But we need to build devices, zero trust devices that at least protect at what it needs to do, which might mean less than 91 activities to achieve zero trust. Because, again, these devices are lighter, they're more nimble. They have to operate perhaps in a disconnected. So they need to still work, but not at the rigor of an enterprise level.

 

00:10:10:12 - 00:10:39:14

Unknown

And so we're trying to find that balance point. That's a great conversation we're having in the DOD and people are starting to resonate with it. What's your sense of where that conversation's going, where different organizations or groups of people are on in that conversation? So that conversation is maturing and inside the DOD, ATP, Moe. We've come to the conclusion, just as we have, we call it the fan chart, this 91 and the 152, it's become infamous.

 

00:10:39:15 - 00:11:05:18

Unknown

But the question becomes, do we need a fan chart, an additional fan chart for DDIL, and/or do we need an additional fan chart for OT devices or do we need a fan chart perhaps for weapons systems? So we've had this conversation the Portfolio Office has with the Joint Staff and all kinds of other services in and out of the building.

 

00:11:05:20 - 00:11:42:21

Unknown

All three that I just mentioned are very, very important. However, when we first began the program, we focused on the IT because that was the elephant in the room. So I think we conquered the way to do zero trust in IT. And that's what everybody sees the present day. And the strategy was written that way. But the other three fan charts I think need some development and I've committed to having my team do that this rest of the fiscal year and beyond and perhaps come out with a more official fan chart a year plus from now, not to mandate anything in the next few months because we're not there yet.

 

00:11:42:23 - 00:12:08:13

Unknown

But at least think through the technology, talk to subject matter experts in the field and vendors, very important. And to find out exactly where the right level is and even the activity names might have to be changed because things in OT might not be anything close to the activities in IT. They may be some different things, so we have to customize it.

 

00:12:08:19 - 00:12:25:01

Unknown

So that's why I'm saying I think we need to customize because these are vectors of attack. You need to have zero trust on them at some level and we can't ignore it. So I think that's something that we need to do going forward, and that's how we would solve that problem. John, I think I jumped on top of you.

 

00:12:25:01 - 00:12:55:16

Unknown

You wanted to make a point and I followed on to Randy too little too quickly. No, no, no, not at all. The differences between IT and OT make the zero trust concept, particularly at the tactical edge, a fascinating question because the way the OT sensors, devices, Internet of things, we start bringing in drones, remotely piloted vehicles, bring all of this in.

 

00:12:55:17 - 00:13:25:21

Unknown

They behave and they behave differently from traditional IT systems. They don't all have the same capabilities. Some of these sensors like a thermostat, which could be an entry point, right? If I'm an adversary, I'm not going to go in hot and hard on the most hardened entry point. I'm going to try to come in and flank you from your least protected device.

 

00:13:25:23 - 00:14:03:11

Unknown

And that's what we see a lot of in those OT devices. They don't have as much capabilities in some cases. So thinking about those nuances in how the OT side of the house works with the IT side of the house is where zero trust allows us to, I think, improve our overall security posture over a network centric kind of old school security model of perimeter security because it's those little entry points that often get lost in the shuffle.

 

00:14:03:12 - 00:14:26:12

Unknown

All right. So that collaboration, John, of IT and OT takes me to another point that you wrote about recently, and that is, you phrase it this way, the importance of getting out of the lab and into the field. How do you perceive organizations in government, not to pick on Randy and his team at DOD? How are people doing at doing that though, at operationalizing these ideas, these technologies, these concepts?

 

00:14:26:12 - 00:14:46:12

Unknown

And that's why it's so important to get out of the lab and into the field. You can only do so much in the lab. I love labs. I love tinkering as much as any engineer, as much as any nerd. Like we said at the beginning, it's all driven by use cases and we can only define the use cases that we can based on our imagination.

 

00:14:46:18 - 00:15:16:02

Unknown

We put this technology, we put these capabilities out in the hands of the operators, in this case the warfighters, and they're going to stun us with how they would employ this capability and how they would use it. And that's the real value of getting in the field. And we've had some really interesting successes with field exercises like Talisman Sabre and Young and last year where we were working with a common Army First Corps.

 

00:15:16:04 - 00:15:31:19

Unknown

I mean, great feedback from the operators and from the warfighter on. Yeah, it's nice that you did this in the lab. That's not really the way we would do this. And that's the value. What do you see as far as getting this out there to put it in the hands of the people who will use it?

 

00:15:31:19 - 00:15:55:09

Unknown

And it's not, to be fair, just warfighters. It's not just the tip of the spear. It's the entire enterprise of the department. Right? Yeah. And it goes beyond that. Yeah. So in order to do all of this, I think that we're talking about we have to change the way in my mind. We need to change the way industry works with amongst themselves.

 

00:15:55:11 - 00:16:28:15

Unknown

I mentioned earlier that we needed this integration thing going on that not any one company really could deliver full zero trust at the target level. This 91, you need a minimum of a bunch of companies. Let's say five could be more where you have to integrate your products together and that's not so easy. So having companies work together normally as frenemies now, whereas before they were competitors, is really antithesis to the business plan of yes.

 

00:16:28:15 - 00:16:51:04

Unknown

Yesterday. So I've encouraged vendors privately and publicly in some of the talks I've given that you have to start working together because the Department of Defense is not going to do the integration anymore. We failed at that. We're not good at that. We fight wars, battles. We aren't really that good. We're not experts in the products that we're integrating.

 

00:16:51:07 - 00:17:16:04

Unknown

The vendors are. So we would rather have the vendors work the hard problems out, which includes patching and get a secure configuration per our design based on the outcome we want. And really all we want is to install it and then have a patching schedule and allow us to move our data, our users or whatever into this new environment.

 

00:17:16:06 - 00:17:36:13

Unknown

So that I think is the future. In order to do that, we need to get vendors working together. So when we do that, it's not only the DOD that's going to benefit. I've been talking the portfolio office has been talking to the Fed staff community. They have their strategy for zero trust. They're going at a different pace. That's fine.

 

00:17:36:15 - 00:18:08:07

Unknown

But it will when you squint your eyes, you'll see the DNA of the DOD strategy visit inside. When you look at what the ICI is doing, same exact thing. And over the last two years, since the portfolio office has been formed, we've been contacted by the Five Eyes, our allies in INDOPACOM, NATO and others. So they all are starting on their zero trust journey.

 

00:18:08:09 - 00:18:30:17

Unknown

The DOD is far ahead of everybody else in the thinking process, and they're asking for our documents and for help. And so as long as they're an ally, you know, we're leaning forward and doing what we can to strengthen not only their networks, but obviously we're on a very fast pace to strengthen ours. John, we have a little bit less than a minute left.

 

00:18:30:19 - 00:19:02:01

Unknown

What are you telling the people that you work with in government that they should be paying attention to over the horizon a year from now or two years from now, that maybe it's not something they need to deal with today, but is something that they should be aware of that's coming down the pike. I think that what I usually tell them is start now, make some progress and learn as much as you can, because we can't predict what our adversaries are going to be doing, what their TTPs are going to be doing a year from now, five years from now.

 

00:19:02:07 - 00:19:25:22

Unknown

And I think that collaboration is necessary. It's critical, but it's critical to get started. And I love what you said, Randy, about, you know, working together in collaboration. And Amanda, you know, probably fired for saying this, but I agree with you. You know, Mike handled this wrong with that. Michael was my candle doesn't burn brighter by putting out someone else's.

 

00:19:25:22 - 00:19:37:02

Unknown

And I think that working with our frenemies is important. Working with our competitors is critical. And let's just, let's get at it. Yeah. And let's not forget the DOD. They'll benefit as well. That's right.

 

00:19:40:09 - 00:19:46:17

Unknown

A huge thank you to Fed Gov Today, along with Randy Resnick and John Sahlin, for sharing their expertise with us.

 

00:19:47:13 - 00:19:58:13

Unknown

One takeaway that stood out to me from today's discussion is how critical collaboration is in integrating diverse cybersecurity solutions into a coherent zero trust strategy, especially at the tactical edge.

 

00:19:59:01 - 00:20:10:22

Unknown

If you enjoyed today's episode, please be sure to share on your social channels. Make sure to subscribe to Voices of Innovation on your preferred podcast platform and visit GDIT.com/podcast to learn more.

 

00:20:11:00 - 00:20:14:02

Unknown

Until next time, I am Tim Gilday signing off.

 
