The Department of Defense’s (DoD) efforts to defend the cybersecurity of critical infrastructure in the U.S. require a stronger implementation strategy in its collaboration efforts with the Department of Homeland Security (DHS), according to an audit by the Office of the Inspector General (OIG).
Since 2010, the DoD and DHS signed three interdepartmental memorandums to define the terms of their collaborated efforts to respond to and deter cyber threats against critical infrastructure in the United States, such as improving the coordination of each department’s respective efforts regarding the nation’s cybersecurity and clarifying the roles and responsibilities of each agency for enhancing the government’s readiness to respond to cyber threats.
The audit found that DoD officials planned and executed the 2010 and 2015 memorandums regarding cybersecurity and cyberspace operations. DoD officials also conducted some activities to implement the 2018 memorandum. However, the Joint DOD-DHS Cyber Protection and Defense Steering Group (CPD SG) did not create an implementation strategy to ensure all activities of the 2018 memorandum are executed.
The CPD SG co-chairs developed the 2018 memo to promote interdepartmental engagement, and they do not consider an implementation plan necessary. But if or when differences arise between the co-chairs or other members, the lack of an implementation strategy could hinder the level or timeliness of assistance requested and provided.
Additionally, without an implementation strategy, DoD officials may not provide the necessary level of assistance to the DHS to conduct joint operations to protect critical infrastructure for states, local government, tribal government, and territorial governments and jointly defend military and civilian networks from cyber threats.
“The 2020 SolarWinds Orion cyber incident, which affected both federal and private agencies, proved the importance of being prepared for possible cyber threats,” the audit reported.
Although the 2020 incident was not directly related to the lack of an implementation strategy, it showcased the importance and criticality of the DoD’s and DHS’s ability to respond to various cyber threats. According to the audit, this effort would significantly improve by implementing a plan to accomplish shared goals detailed in the 2018 joint memorandum.
The OIG recommended that the Deputy Secretary of Defense and the Chairman of the Joint Chiefs of Staff direct the DoD and DHS co-chairs of the Joint DoD-DHS CPD SG to develop and approve plans of action and milestones for each line of effort. And to track activities executed and identify gaps that limit the DoD and DHS in fully implementing all lines of effort in the 2018 memorandum.