The Government Accountability Office (GAO) found that the Department of Defense (DOD) has failed to fully implement three separate initiatives intended to instill better cyber hygiene across the Pentagon and its component agencies. The report necessarily calls into question how well the DOD can ride herd on its component agencies and service branches and force them to adopt the basic processes that underpin cybersecurity.
The GAO explained the policy background for ensuring the highest levels of cyber hygiene:
As DOD has become increasingly reliant on information technology (IT) systems and networks to conduct military operations and perform critical functions, risks to these systems and networks have also increased because IT systems are often riddled with cybersecurity vulnerabilities—both known and unknown. These vulnerabilities and human error can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security.
Because, “[a]ccording to DOD officials, there is not a commonly-used definition for cyber hygiene in DOD doctrine,” the GAO worked from the definition used by Carnegie Mellon University’s Software Engineering Institute, which takes the term to mean “a set of practices for managing the most common and pervasive cybersecurity risks faced by organizations today.”
The GAO noted “DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative (DC3I), the 2015 DOD Cyber Discipline Implementation Plan (CDIP), and DOD’s Cyber Awareness Challenge training.” The GAO found incomplete implementation:
- The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, seven of these tasks have not been fully implemented.
- The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD’s networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer (CIO) is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented. Further, the status of the other seven tasks is unknown because no DOD entity has been designated to report on their progress.
- The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and to reinforce best practices for keeping information and systems secure. However, selected components in the department do not know the extent to which users of their systems have completed this required training. GAO’s review of 16 selected components identified six without information on system users who had not completed the required training, and eight without information on users whose network access had been revoked for not completing the training.
Moreover, the GAO stated that beyond those initiatives “DOD has
(1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and
(2) identified practices to protect DOD networks and systems against these techniques.”
And yet, the GAO found the DOD “does not know the extent to which these practices have been implemented…[and] [t]he absence of this knowledge is due in part to no DOD component monitoring implementation, according to DOD officials.” The GAO concluded that “until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack.”
Overall, the GAO determined
…the department faces challenges implementing the DC3I and CDIP because the DOD CIO has not taken appropriate steps to ensure that the DC3I tasks are implemented, DOD components have not developed plans with scheduled completion dates to implement the remaining four CDIP tasks overseen by DOD CIO, and the Deputy Secretary of Defense has not identified a DOD component to oversee the implementation of the seven other CDIP tasks and report on progress implementing them.
The GAO asserted that “[b]y improving oversight through implementing the DC3I tasks, DOD components developing plans with scheduled completion dates to implement the remaining four CDIP tasks that the DOD CIO oversees, and identifying a DOD component to oversee implementation of the seven other CDIP tasks and report on progress implementing them, the department can be better positioned to safeguard DOD’s network by removing preventable, well-known vulnerabilities.”
The GAO made seven recommendations to the DOD:
- The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)
- The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)
- The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)
- The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4)
- The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5)
- The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department’s network from key cyberattack techniques. (Recommendation 6)
- The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders have more complete information to make risk-based decisions, and revises the recurring reports (or develops a new report) accordingly. Such information could include DOD’s progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)