The Pentagon’s cyber malaise: Zero trust deadlines translate to zero urgency

The DOD CIO must work aggressively and directly with combatant commanders to secure the OT assets our military depends on to project power across every theater of operation.

At a time when the Chinese Communist Party (CCP) has brazenly confirmed the targeting of the operational technology (OT) that underpins our military’s global reach, the nomination of Kirsten Davies as the Department of Defense Chief Information Officer arrives not a moment too soon. As the CCP becomes increasingly unconcerned with concealing its intent in targeting our homeland, Secretary of Defense Pete Hegseth must empower the CIO to dismantle the institutional complacency and morass plaguing the department. To do so, the CIO must work aggressively and directly with combatant commanders to secure the OT assets our military depends on to project power across every theater of operation. Despite the current silence of the physical battlefield, the clock ticks loudly as the CCP prepositions across our critical infrastructure networks, ensuring we will no longer have a first-mover’s advantage when deterrence fails and the kinetic war begins.

This bombshell revelation came just as the Department of Defense floated a “soft” deadline of 2035 to achieve Zero Trust (ZT) cyber protections for the same operational technology in weapons systems. The Pentagon’s Zero Trust portfolio director, Randy Resnick, described the DOD’s challenge in alarming terms: “We are far away. I’m suggesting fiscal [year 20]35 and beyond. That might actually be a 10-year effort or more.” This admission is not deterrence, but an open invitation for adversaries to ignore the Geneva Conventions and coerce Americans with existential threats. We are in a hot cyber war today, not in 2035. Our adversaries are attacking our water and power systems now. So why is the Pentagon telling our adversaries they have 10 years to penetrate our OT, disrupt mission-critical assets, and prevent weapons from launching and hitting their targets?

The secretary of defense and combatant commanders are prioritizing urgent lethality to immediately deter an adversary. We don’t have the luxury of time where “soft” deadlines introduce more risk to our global missions, weakening the deterrent credibility of the entire U.S. military. With global strife raging, we need this leadership in all programs, including the cyber protection of OT. However, when Pentagon leaders assess “no easy feat” with estimated capabilities “far away,” the message to adversaries is clear: We’re unprepared and unwilling to act quickly to counter this specific cyber threat… and that must change.

Zero trust means zero excuses.

The CIO must ensure that the next Zero Trust Strategy for Operational Technologies provides clear implementation guidance and mandatory compliance requirements. This means naming all stakeholders and setting deadlines and measurable cyber-related Key Performance Indicators (KPIs) tied to readiness and warfighter capability. Moreover, command leadership must be held accountable for these outcomes. Our adversaries are planning to utilize cyberattack vectors to compel national capitulation by disabling weapon systems, denying critical defense assets, and jamming communication pipelines. We need a sense of urgency and accountability to mitigate this risk to Golden Dome (once it comes online) and our forward-deployed forces.

The new CIO must work with all levels of command to alter the calculus in adversary cyber decision-making. No more “soft” goals and “far-off” timelines. We need a wartime footing inside the Pentagon’s cyber leadership, which means an operational sprint in which:

  • COCOMs must demand defensive cyber capabilities for their OT assets from U.S. Cyber Command.
  • Military cyber defenses must be extended to defend critical infrastructure.
  • OT vulnerabilities must be accounted for in the department’s Information Assurance Enterprise Vulnerability Management Program (VMP).
  • DOD’s Cyber Operational Readiness Assessment (CORA) criteria must include OT.
  • A program of record must be established with effects-based goals and substantial funding for the rapid deployment of proven security tools already in use by private industry.
  • OT protections must be prioritized in acquisition and sustainment programs.
  • OT cyber protections must be integrated directly into operational availability metrics.

Zero trust isn’t a compliance exercise; it’s a warfighting necessity.

It’s time to stop admiring the challenge of implementing ZT for OT and get serious about the cyber protections and resilience required to project power globally. When the CCP embeds malware in weapons systems, telecom networks, fuel systems and ammunition plants, as well as port cranes, rail systems and other critical assets, it is preparing for conflict through sabotage. The Chinese have confirmed their intent and don’t care about strategies, data calls, or fan charts. If we accept a decade-long timeline, they will hurt our ability to deploy and fight effectively. The Defense Department must respond now, with urgency and near-term risk mitigations, or our warfighters will be switched off just when our country needs them the most.

Lucian Niemeyer is an Air Force veteran, former professional staff member on the U.S. Senate Armed Services Committee, and former assistant secretary of defense who also served in the White House Office of Management and Budget. He currently leads the non-profit organization, BuildingCyberSecurity.org.

Tatyana Bolton is the executive director of the Operational Technology Cybersecurity Coalition, a principal at Monument Advocacy, and former policy director of the Cyberspace Solarium Commission. She has also served at the Department of Defense (DoD), the Cybersecurity and Infrastructure Security Agency (CISA), and Google. She currently serves on the Advisory Board of Berkeley’s CLTC and the Cybersafe Foundation, and as a senior advisor to CSC 2.0.