At the Department of Defense (DoD), emphasizing a zero-trust security model is helping the agency overcome common security mishaps, said Mark Lewis, Director of Defense Research and Engineering for Modernization.
Lewis explained that the Pentagon is no longer looking at making the components themselves trusted. Instead, “what we’re looking at doing is establishing the infrastructure and the standards so that we can trust what comes out of whatever microelectronic components that we’re using,” he said at a June 30 Hudson Institute event.
When an agency relies on only a few trusted sources, a disruption in the supply chain can interrupt access to necessary tech. “If you’ve only got one or two trusted sources then suddenly, if those sources disappear, stop manufacturing for whatever reason, well obviously it interferes with the supply of those components into the Department of Defense,” Lewis explained.
Securing at the component level can also create a false sense of security. For example, Lewis said that component-level security does not account for the possibility of insider threats or other vulnerabilities that may go overlooked.
“When you go down the path of a full trusted facility, you run the risk of frankly fooling yourself into thinking you got secure capabilities when in fact you don’t,” he cautioned. “You can often miss the biggest vulnerability.”