Aaron Weis needs little introduction. The technology maven built a reputation through years spent as a chief information officer and business leader in the private sector at small and midsized companies, before becoming a senior advisor to the Department of Defense CIO in 2018. He had overseen technology divisions of multibillion-dollar organizations before, but nothing quite prepared him for his next assignment: CIO of the Department of the Navy, where he had final decision-making power on the DON’s yearly $11 billion technology budget.
In his nearly four years in the latter role, Weis was also principal staff assistant to the secretary of the Navy for information management, and he was the recipient of four Wash100 Awards, the government contracting industry’s most prestigious honor. He won his fifth in 2024 for his work at his new job: managing director of technology at Google Public Sector, where he came aboard in March 2023.
We last spoke to Weis in a video interview soon after he moved to Google, and we were eager to catch up with him now that he’s settled into his responsibilities. We learned about his refreshed perspectives on the cyber landscape, an exciting project he’s helping to oversee at the company and much more.
GovCon Wire: In our last conversation, you evangelized about zero trust. How is it going continuing to advocate for that and what is Google doing to help realize more widespread acceptance of the strategy?
Aaron Weis: Google is the originator of zero trust, a fact that many people don’t realize. In 2009, Google was compromised by bad actors from China in an incident known as Project Aurora. This attack affected several large technology companies at the time. In response, Google took significant action, investing years and billions of dollars to completely rearchitect how they deliver services. They established a framework that is now fundamental to zero trust, focusing on five key elements: user trust, device trust, application trust, network trust and data trust. The intersection of these elements forms the core of the zero trust model that’s widely adopted today.
This approach was groundbreaking in 2009. Google’s internal effort to reimagine its security infrastructure was called BeyondCorp, and it was largely completed by the early 2010s. In 2015, when another compromise attempt was made by the same bad actor, several technology companies were impacted, but Google’s new security architecture prevented any impact on their systems. This real-world test validated the effectiveness of BeyondCorp and underscored Google’s leadership in zero trust security.
The influence of Google’s zero trust model has since extended beyond the company, with the U.S. Department of Defense adopting similar principles. Recently, Google collaborated with the DOD on mapping exercises and red-teaming activities to test its zero trust controls. The results were highly favorable. While DOD leadership has yet to make a public statement, the feedback was overwhelmingly positive.
Today, Google continues to lead the way in zero trust, helping other organizations, including government entities, adopt these critical security measures. Given the vast scope of the government’s IT environment, implementing zero trust is a significant challenge, but Google’s experience over the past 15 years makes it a key partner in this transformation.
GCW: What do you think is the biggest threat facing U.S. cyber systems today, and what can be done to protect against that threat?
Weis: A significant challenge for government organizations is their reliance on legacy infrastructure. Legacy systems are where many vulnerabilities reside due to outdated on-premises systems and data centers that are often not patch-current. Despite the perception that cloud adoption is widespread, only a small fraction of the U.S. government’s infrastructure has moved to the cloud—estimated at under 15 percent for both the DOD and civilian agencies. The majority of government infrastructure remains rooted in legacy systems, making it difficult to defend against modern cyber threats.
The scale of this challenge is immense. Government IT environments, such as the DON’s 700,000 Navy and Marine Corps endpoints, illustrate the magnitude of the issue. When factoring in the broader scope of the DOD, the total climbs to nearly 3 million endpoints. Expanding to include civilian government agencies, the figure grows even larger, potentially reaching 6 to 7 million endpoints. Each of these endpoints relies on an intricate web of on-premises networks and data centers, further complicating the challenge of modernization.
Adding to the complexity are the concentric rings of the defense industrial base and civilian contractors that support government operations. These networks introduce millions of additional users and devices, all of which must be secured. Without modernizing this legacy infrastructure, efforts to implement zero trust are unlikely to succeed. While zero trust is an essential strategy, it cannot be fully realized if the foundational infrastructure remains outdated and vulnerable. The path forward requires a comprehensive approach to modernization that addresses both internal and external threats.
GCW: What’s a recent cyber or tech project at Google that you’re particularly excited about?
Weis: Red teaming under zero trust initiatives has been a game-changer, and Google’s approach emphasizes “show, not tell.” Instead of relying on slides and presentations, Google demonstrates real-world functionality in action. This approach has been especially effective when working with certain high-security government agencies exploring innovative ways to leverage commercial cloud infrastructure. These agencies are looking to move beyond traditional, isolated “gov clouds” to a more dynamic and secure approach.
Historically, about 10 to 14 years ago, the government requested specialized “gov clouds” built specifically for government use—separate from commercial cloud infrastructure. While this approach initially made sense, it has since revealed several limitations. Gov clouds often lag behind their commercial counterparts in feature updates, sometimes by a year or more. As a former government CIO, I experienced this firsthand, constantly pushing cloud providers to achieve feature parity. The delay in updates also meant that vulnerabilities could persist longer in gov clouds, creating a potential security risk. Additionally, maintaining separate versions of the cloud required cloud providers to develop and manage two distinct codebases, further complicating patching and maintenance.
Adversaries are aware of these gaps. Knowing where gov clouds are located and that they often operate on down-level versions, threat actors have a more predictable target. In response, some government agencies have shifted their focus toward leveraging the scale, parity and advanced capabilities of the larger commercial cloud. These commercial clouds benefit from consistent patching, zero trust principles and access to the latest security innovations.
A concept gaining traction is “hiding in plain sight,” or utilizing the vast, diverse infrastructure of commercial clouds. Instead of operating within isolated, easily identifiable gov cloud environments, agencies are exploring how to blend into the larger commercial cloud’s vast footprint. This allows them to benefit from the security, redundancy and power of commercial cloud providers’ global infrastructure, which operates at a higher pace of innovation and security.
Google is working with forward-thinking government stakeholders to explore and operationalize this concept. It’s an exciting shift that signals the next evolution of cloud use for the government—a move away from traditional, siloed gov clouds to a more agile, secure and powerful use of commercial cloud infrastructure. This evolution promises to be disruptive but ultimately transformative for how government agencies think about cloud security and modernization.
GCW: You are a co-lead on Google’s DOD strategy. Can you share about your involvement in that and the progress there?
Weis: It’s incredibly exciting, especially given my prior experience at the Pentagon. I was honored to co-lead the development of Google’s Department of Defense strategy. This effort is significant not only for the government but also internally for Google, as it allows us to pivot and meet the DOD’s unique needs effectively.
The DOD has the largest mission set in the world, operating on a global scale. They need to function seamlessly from the “flagpole to the foxhole,” or more simply, across every level—from the tactical edge to command centers and everything in between. To do this, they need to operate in mobile environments, within the cloud, and securely transfer information from any point to another almost instantaneously. Google is uniquely positioned to support these requirements. We are among the very few companies in the world capable of delivering this ecosystem of planet-scale capabilities.
Only a handful of companies worldwide can match this level of capacity, and Google is one of them. Our focus is on helping the DOD think in terms of massive ecosystems, global capabilities and information transfer solutions. More importantly, Google is positioned as a global original equipment manufacturer, creating an innovative ecosystem that the government can leverage. This includes enabling an extensive network of partners that work with the government, providing tools that allow them to build tailored solutions easily and effectively.
This approach marks a shift from Google’s traditional product-centric approach to a solution-oriented strategy aligned with how the DOD operates. Speaking from experience, as someone who worked in the DOD, a product-centric approach does not resonate. If a salesperson had come into my office at the Navy and pitched a specific product rather than presenting a solution to our challenges, I would have asked them to come back with a problem-solving approach. The DOD needs partners who offer solutions—not just products.
Our mission is to engage the DOD by demonstrating how our extensive capabilities and ecosystem can address their challenges and meet their needs, along with those of their partners. It’s a complete shift in how Google approaches this sector, and it’s genuinely exciting.
Recently, we presented this strategy to Google Public Sector’s board of directors, and the response was overwhelmingly positive. The next step is to take this framework, operationalize it and put these solutions into the hands of the DOD. This moment marks a pivotal point where we can actively help the DOD and meet them where they are. This is an exciting time, and we’re eager to see our work transform how the DOD tackles its critical missions.