GAO, DOD Spar Over Cyber Hygiene Findings

The Pentagon has taken some positive steps to keep out cyberattacks, but it’s unclear how consistently those measures are enforced across the vast department, according to a new Government Accountability Office report.

“As DOD has become increasingly reliant on IT systems and networks to conduct military operations and perform critical functions, risks to these systems and networks have also increased, because IT systems are often riddled with cybersecurity vulnerabilities—both known and unknown,” the April 13 report said. “These vulnerabilities and human error can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security.” 

The military has multiple efforts aimed at bolstering cybersecurity, including the much-parodied Cyber Awareness Challenge training course, the Cybersecurity Culture and Compliance Initiative, and the Cyber Discipline Implementation Plan. But GAO found DOD has not achieved several of the goals laid out as part of those programs, potentially jeopardizing the military’s ability to keep its people and weapon systems safe.

GAO issued seven recommendations ranging from schedule oversight to reporting standards to help track how many people have not completed the training they need to use military networks. Senior DOD leaders need a fuller picture of the department’s cybersecurity so they can make better decisions about how much risk to take on, the report argued.

The Pentagon has listed 177 cyberattack techniques that threaten its networks, and its response to each depends on how often an issue pops up and if DOD can detect it. 

“The department has established cyber hygiene practices to mitigate most of the frequently occurring techniques and those that the department identified as the highest priority,” according to Defense Information Systems Agency and Joint Force Headquarters—DOD Information Network officials.

Vulnerable, aging information technology infrastructure can stand in the way of cyber hygiene, as can human error. Some preventive measures are as simple as teaching people not to click on a suspicious link. Others require slightly more work, like setting and routinely changing secure passwords, or actively monitoring a network for intrusions.

While some parts of DOD have taken actions like installing software that removes hyperlinks from emails and putting email behind a firewall to protect the network, it’s unclear how consistently those practices are used. GAO found that the Defense Advanced Research Projects Agency does not require its employees to take the Cyber Awareness Challenge, a game that teaches players to stay safe in the digital realm.

“While DARPA developed its own training program, we found that this training program did not address all of the requirements identified in a DOD staff manual or the cybersecurity training topics identified by the Cyber Workforce Advisory Group,” the report said. “DARPA officials recognized that its cybersecurity training was not equivalent to the DOD’s Cyber Awareness Challenge training program. … DARPA designs its courses to be concise to allow their personnel to focus on accomplishing the agency’s mission and that users can obtain additional information from references cited in the course materials.”

GAO worries that if DARPA and other DOD components don’t abide by the same training standards, it further exposes the department to attack or infiltration.

DOD pushed back on some of the watchdog’s findings, saying it would be too burdensome to collect data on who was locked out of the network because they had not finished cyber hygiene training. Pentagon officials also argue that undisclosed new developments have nullified certain tasks related to cybersecurity awareness and training, which GAO disputed.

“The cyber landscape is constantly evolving with changes in technology, threats, and vulnerabilities. This requires DOD to reassess its cybersecurity priorities,” Pentagon officials said in written responses to GAO. “To require that all of this new strategic direction and prioritization be overridden to monitor compliance with lower-risk areas that the DOD identified almost five years ago will frustrate the department’s efforts to keep pace with the changing tactics, techniques, and procedures of our adversaries and the evolving changes in technologies.”