Disclaimer: I am not a zero-trust architecture or cybersecurity expert. My background and experience have always been focused on the human side of the equation. In the Army, I was a Measurement and Signatures Intelligence (MASINT) collection and analysis NCO. Additionally, my Master’s is in Peace Operations Postconflict Reconstruction Policy. My opinions and perspectives in this article are my own and possibly the ramblings of an exhausted father and madman about applying the COIN Doctrine for Zero Trust.
Modern warfare has evolved rapidly while at the same time never changing. Technological innovations, tactical employment practices, weapon systems capabilities, and logistics have matured significantly among US forces in the post-9/11 era. Times have changed again.
Near-Peer/Peer and Non-Nation States
Near-peer/peer/non-nation state entities have expanded the threat domain in which we operate into the cyber-physical domain at a breakneck pace. Consequently, the threats extend well beyond our enterprise business systems, banking and financial systems, and big tech companies. For the DoD, software is eating the battlespace: our combat effectiveness, survivability, and ability to shoot, move, and communicate will rely entirely on our military’s fielding of secure cyber-physical systems, communications, software, and weapons. The DoD CIO, each service branch, and the 4th Estate agency CIOs are working diligently to apply the DoD’s Zero Trust Strategy and the ZT Reference to provide guidance and standards across the Department for adopting cutting-edge cybersecurity. There are significant challenges to implementing this at scale, and most of them lie in the human domain.
Meeting Commo & Cyber Teams Where They Are
Current cybersecurity practices apply layers of defensive measures that closely mirror the Defense-in-Depth doctrine. Cybersecurity is not limited to the medieval castle or Clausewitz-era warfare; a more appropriate analogy may be US doctrine of the Korean War. DoD systems often rely on perimeters, access controls, network defense, and malware/antivirus systems to sense and respond to external attacks.
We traditionally treated the network perimeter as our key terrain and area of interest: we protected it with firewalls and other cybersecurity solutions, secured workstations and software applications with anti-virus and malware scanning tools, and accounted for the human terrain of insider threat and access control abuse. In effect, we treated our computer systems like large CONUS bases, Forward Operating Bases (FOBs), or static defensive positions. We focused primarily on external threats and on preventing unauthorized access through defensive postures. When breaches occurred, we implemented capabilities to sense and respond quickly.
Force Protection Conditions/alert levels were changed to counter additional threats. Being a Fobbit myself during my Iraq deployment, I will attest that the security controls created a sense of comfort, and complacency did exist. For the most part, we were comfortable knowing that people within the compound were supposed to be there and were mainly free to operate. Our computer systems have been handled in essentially the same manner.
The Army recognizes three forms of defense—
- Defense of a linear obstacle.
- Perimeter defense.
- Reverse slope defense.
The strategic environment has continued to evolve, and the nature, location, tactics, and means of applying force have changed.
Unexpected Parallels – Zero Trust Implementation and DoD Counterinsurgency Doctrine
Compare this with the security, and the potential complacency, that evolved within the FOB perimeter defensive approach, where anyone with legitimate credentials inside the compound was assumed to belong there. Zero Trust changes that paradigm completely.
Using role-based access controls, PKI certificates, and passwords to secure networking and compute infrastructure can detect, isolate, and recover from DDoS or other frontal attacks. Still, today’s cybersecurity threats are becoming exponentially more complex and adaptive. Cloud, open-source expansion, and systems integration from the cloud to the edge have eliminated the traditional perimeter. Our dynamic threat environment resembles that of a city patrol responsible for the security of a designated sector.
The latest US Army Doctrine Field Manual for Operations FM 3-0 describes the concept of Security as the following:
A-15. Security enhances freedom of action by protecting and preserving combat power while reducing friendly vulnerability to surprise. Every Army formation is responsible for its own security. The application of the principle of security does not suggest over-cautiousness or avoidance of risk but rather the unwillingness to cede any advantages to the enemy unnecessarily. Security is closely related to the operational imperative that friendly forces operate under the assumption that they are under observation and always in contact with enemy forces. Security relies on gaining and maintaining enemy contact on friendly terms, and it is directly related to the principle of surprise. Preventing surprise by maintaining contact with enemy forces enhances security and denies them opportunities to seize the initiative.
A-16. At the strategic level, security requires active and passive measures to protect Army forces from espionage, subversion, and strategic intelligence collection. At the tactical level, it is essential to protection and the preservation of combat power. Security results from the protective measures commanders take to prevent surprise, observation, detection, interference, espionage, or sabotage.
Concepts from US Army/USMC COIN Doctrine and their mapping to Zero Trust
- Every Soldier, a Sensor.
- Adversaries have different concepts of time horizons from our forces; the use of sleeper cells or nascent factions is always a threat.
- Indirect conflict, the use of feints, and asymmetrical warfare are the norm; seemingly large-scale force-on-force engagements are likely fake, but the use of highly public events and terrorism by small groups against prominent targets is a genuine concern.
- Disciplined and skilled application of sound military tactics is crucial, including the effective use of perimeter defense, offensive tactics, and engineering of stationary defensive positions and barricades.
Lessons learned from our history and experience fighting protracted COIN campaigns:
- This is a proactive engagement. Leaders must thoroughly plan, enable, and implement practices around containment, static defense, information operations, non-kinetic and military operations, environment shaping, local population support and engagement, and continued presence patrols.
- Security and stability in one area do not indicate security or success for the AOR; constant vigilance is essential.
- Don’t Trust, Always Verify
6-5. A counterinsurgency involves simultaneous activities at every echelon. Platoons within a company could be doing different tasks, and companies within a battalion could be doing different tasks, all in support of a battalion’s method of counterinsurgency. Every task involves potential decisions that can have an immediate impact on success or failure. Moreover, these tasks are interrelated. This means that junior leaders will make decisions at the point of effort, relying on mission type orders. This applies to any operational approach taken to defeat an insurgency.
Sometimes, the more you protect your force, the less secure you may be
7-4. Ultimate success in counterinsurgency operations is normally gained by protecting the population, not the counterinsurgency force. If military forces remain in their compounds, they lose touch with the people, appear to be running scared, and give the initiative to the insurgents. A possible path to success could include an increase in outreach programs that focus on protecting the population. Commanders weigh the effectiveness of establishing patrol bases and operational support bases against the security of using larger unit bases. Establishing patrol bases ensures access to the intelligence needed to facilitate operations. Sharing risks with the population reinforces the connections with them that help establish legitimacy.
If a tactic works this week, it might not work next week; if it works in this province, it might not work in the next
7-10. Competent insurgents are adaptive. They are often part of a widespread network that communicates constantly and instantly. Insurgents quickly adjust to successful counterinsurgency practices and rapidly disseminate information throughout an insurgency.
Indeed, the more effective a counterinsurgency tactic is, the faster it may become out of date because insurgents have a greater need to counter it.
Thanks for reading.