The Government Accountability Office (GAO) said in a new report that the Defense Department (DoD) needs to take “decisive action” to improve how it implements basic cyber hygiene practices, and warned that the consequences of failing to do so could be serious.
As part of a Senate-mandated review, GAO examined the defense agency’s practices for managing common and pervasive cybersecurity risks under the broad heading of “cyber hygiene,” and found that three DoD cyber hygiene initiatives were either incomplete, or their status was unknown because no entity had been designated to report on their progress.
“Overall, until DoD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack,” GAO said.
DoD’s office of the Chief Information Officer said the department agreed with portions of the report, and “non-concurs with other portions.”
Audit Covers Three Programs
Reporting on results of an audit conducted from January 2019 to April 2020, GAO relayed findings from discussions with DoD officials regarding three department-wide cyber initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative; the 2015 DOD Cyber Discipline Implementation Plan; and DOD’s Cyber Awareness Challenge training.
On the first of those initiatives, GAO found that seven of the 11 Cybersecurity Culture and Compliance Initiative tasks due in fiscal year 2016 were incomplete at the time of GAO’s latest report. That initiative includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. DoD told GAO that two of those tasks are “still being actively pursued because the remaining tasks were either implemented or have been overcome by events.”
The initiative “requires the commander of U.S. Cyber Command, in coordination with the DOD CIO, to provide quarterly updates to the Deputy Secretary of Defense and the Vice Chairman of the Joint Chiefs of Staff on the progress,” GAO said. The watchdog agency said information from the cyber hygiene initiatives is missing from the reports to DoD leadership. Gen. Paul Nakasone took his post as Commander of U.S. Cyber Command in May 2018, while Dana Deasy took over as DoD’s CIO in May 2018 and was confirmed by the Senate to the position in December 2019.
DoD told GAO that new instructions on cyber workforce education and training will be issued in the coming months. U.S. Cyber Command officials told GAO the department is developing a resourcing plan for scheduled inspections and no-notice spot checks, but the command did not provide an estimate for when the plan would be implemented.
Regarding the second initiative, GAO said the status of seven of the 17 tasks in the Cyber Discipline Implementation Plan was unknown because the responsible components outside the DoD CIO office had not reported on their progress, according to department officials cited in the report.
DoD disagreed with the GAO recommendation to appoint someone to oversee implementation of these tasks. “The cyber landscape is constantly evolving,” the agency said, and prioritization of compliance with “lower risk areas that the DoD identified almost five years ago will frustrate the Department’s efforts to keep pace.”
Lastly, GAO concluded that an unknown number of individuals did not complete the Cyber Awareness Challenge, which aims to help the DoD workforce maintain awareness of known and emerging cyber threats and reinforce best practices to keep information and systems secure. Of 16 DoD components, six did not have information on system users that had not completed required training. The Navy, Air Force, Marine Corps, U.S. European Command, and the Defense Media Activity did not collect information on users who did not complete the training in FY 2018, the GAO report says.
DoD partially concurred with GAO, stating that accurate records should be kept. It also noted the Navy indicated it provided the records in question.
Beyond those three initiatives, GAO said that DOD “has (1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and (2) identified practices to protect DOD networks and systems against these techniques.” But, GAO reported, DoD “does not know the extent to which these practices have been implemented,” and “the absence of this knowledge is due in part to no DOD component monitoring implementation.”
At Odds Over Recommendations
Overall, GAO said it made seven recommendations for corrective action to DoD, but met resistance on some of them. Of the seven, DoD concurred with one, partially concurred with four, and did not concur with the other two. “GAO continues to believe that all recommendations are warranted,” the report said.