The Department of Defense is behind on several internal cybersecurity initiatives, years after some were expected to be completed, Congress’ watchdog agency has found.
An April 13 report from Government Accountability Office report, titled "DOD Needs to Take Decisive Actions to Improve Cyber Hygiene,” warned that the Pentagon faces increased cybersecurity risk because the department hasn’t implemented basic cybersecurity practices.
“Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack," GAO officials wrote.
The watchdog evaluated three Pentagon initiatives: DOD Cybersecurity Culture and Compliance Initiative (DC3I), Cybersecurity Discipline Implementation Plan (CDIP), and cyber awareness training.
The DC3I initiative, which is aimed at boosting cyber training and integrating cyber into operational exercises, included 11 tasks that were expected to be implemented at the end of fiscal 2016. However, the GAO found that seven of those tasks are not yet complete. For example, as of October, some defense organizations haven’t received two cybersecurity training briefs created by U.S. Cyber Command for leadership training that would’ve provided important cybersecurity information, according to the report,
If these documents had been provided, “they may have learned, among other things, how to understand, assess, and interpret cyber-reportable events and incidents and how they affect military operations,” the GAO wrote.
The report also found that the seven remaining DC3I initiatives weren’t completed because the DoD’s Chief Information Officer’s office didn’t take steps to ensure their implementation. Leaders from the Pentagon’s CIO office told the GAO that they weren’t aware of this responsibility, although it has been tasked with the duty since December 2016.
“If DOD CIO does not take appropriate steps to ensure that the DC3I tasks are implemented, the department risks compromising the confidentiality, integrity, and availability of mission-critical information as a result of human error by users on the department’s networks,” GAO officials wrote.
Details about the status of several pieces of the DoD’s Cybersecurity Discipline Implementation Plan, an initiative with 17 tasks focused on eliminating preventable vulnerabilities from Pentagon networks, are murky. Four of the 10 tasks led by the CIO’s office remain incomplete. However, the status of seven others are unknown because “no DOD entity has been designated to report on the progress,” the report said.
Some tasks that lack a lead for implementation include basic cybersecurity hygiene capabilities include disabling links in emails and ensuring cyber incident response plans are documented and properly exercised. As for the four tasks the DoD CIO office didn’t complete, officials told the GAO the tasks are difficult to implement because of the old IT system used by DoD components.
The Defense Department also hasn’t fully adopted its 2018 Cyber Awareness Challenge Training, a program meant to teach the DoD workforce best cybersecurity practices, the report said. However, the DoD found that several components across the department didn’t collect information on the completion rate of the training.
For example, the Army couldn’t provide data on the number of users who had completed the training. Meanwhile, six components, including the Navy, Air Force, Marine Corps and European Command, didn’t collect information on who hadn’t completed the training. Navy officials told GAO that they didn’t see the value in collecting and reporting data to its headquarters.
The GAO also wrote that eight of 16 components evaluated didn’t know how many users had their network access revoked because they hadn’t completed the training.
“If the DOD component heads do not ensure that their respective components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training—as well as have access revoked for not completing the training—the components may be unable to ensure that DOD users are trained in the steps needed to address cybersecurity threats to the department,” GAO wrote.
The department has also identified the 177 cyberattack techniques used by adversaries, prioritized them by level of risk and released cyber hygiene practices to mitigate the most frequent attacks. However, the department doesn’t know the extent to which they are used.
“No component or office within the department has complete visibility of the department’s efforts to implement these protective practices across the department,” the GAO found.
The GAO made seven recommendations to the department, ranging from ensuring that the three cybersecurity initiatives are completed to accurate monitoring and tracking of implementation of different aspects of cyber hygiene.
The department fully agreed with just one recommendation – that all components be required to take the Cyber Awareness Challenge training.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.