Serious Shortcomings in DOD’s Cyber Incident Reporting, GAO Says

The Government Accountability Office found significant deficiencies in the Department of Defense’s cyber incident reporting practices, deficiencies the GAO said prevent the DOD from fully understanding and preventing cyber breaches, according to a report to Congress released Nov. 14.

According to the report, DOD reported 948 “cyber incidents” in 2021, an increase from 812 in 2020. Even so, DOD has made significant progress over the longer term: recorded incidents peaked at 3,880 in 2015, and more than 12,000 incidents were recorded between 2015 and 2021. The report is the latest GAO finding to criticize the Defense Department’s cybersecurity efforts.

The GAO said the “deployment of defense mechanisms during this time period” since 2015 helped the DOD improve its cybersecurity. For example, the department now has processes to manage all incidents and ones it deems “critical.” But GAO said DOD has yet to fully implement its own plans and still has no consistent guidance for managing cyber incidents across the department and the defense industrial base. The GAO also said DOD lacks appropriate practices for notifying affected individuals whose personal information may be accessed in a cyberattack.

“DOD has taken steps to combat these attacks and has reduced the number of cyber incidents in recent years,” the GAO said in a summary of its 70-page report. “But we found that DOD: Hasn’t fully implemented its processes for managing cyber incidents; Doesn’t have complete data on cyber incidents that staff report; Doesn’t document whether it notifies individuals whose personal data is compromised in a cyber incident.”

The GAO drew on DOD’s own data in arriving at its conclusions. It found that 91 percent of reports did not include information about when the cyber incident was discovered, making it difficult to determine whether threats are being detected quickly. Sixty-eight percent of reports did not include information on the incident’s “delivery vector,” inhibiting the DOD’s ability to shore up its defenses.

In addition to national security and intellectual property that cyber incidents might threaten, the GAO said DOD may be leaving individuals open to identity theft or other risks by not notifying them when their personal information is compromised.

“DOD has not consistently documented the notifications of affected individuals, because officials said notifications are often made verbally or by email and no record is retained,” the GAO said. “Without documenting the notification, DOD cannot verify that people were informed about the breach.”

The GAO also identified problems outside DOD with the defense industrial base, the vast array of private companies that supply and sustain America’s military. While the DOD requires companies to report cyber incidents within 72 hours, about 51 percent of incidents were submitted to DOD after more than four days, according to the GAO. In addition, the information companies provide is often not detailed, and reports are sometimes unclear on whether DOD programs, platforms, or systems were involved.
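The two measurable findings above, report fields left blank (discovery time, delivery vector) and defense industrial base reports arriving after the 72-hour window, are the kind of data quality a report-intake pipeline can check automatically. The following script is an added example, not code from the GAO report or from DOD; the incident records, the field names and the assumption that the 72-hour clock runs from the time of discovery are all constructed for illustration. It also shows the knock-on effect the GAO describes: when the discovery time is blank, timeliness cannot be measured at all.

```python
from datetime import datetime, timedelta

# Constructed sample incident reports (not DOD data). None marks a field the
# submitter left blank, which is the gap the GAO found in most DOD reports.
SAMPLE_REPORTS = [
    {"id": "R-001", "source": "dib", "discovered": "2021-03-01T09:30",
     "reported": "2021-03-02T10:00", "vector": "phishing"},
    {"id": "R-002", "source": "dod", "discovered": None,
     "reported": "2021-04-10T12:00", "vector": None},
    {"id": "R-003", "source": "dib", "discovered": "2021-05-05T00:00",
     "reported": "2021-05-10T00:00", "vector": "credential compromise"},
    {"id": "R-004", "source": "dib", "discovered": None,
     "reported": "2021-06-01T08:00", "vector": "removable media"},
    {"id": "R-005", "source": "dib", "discovered": "2021-07-07T10:00",
     "reported": "2021-07-11T11:00", "vector": None},
    {"id": "R-006", "source": "dod", "discovered": "2021-08-20T13:00",
     "reported": "2021-08-21T13:00", "vector": "web application"},
]

# Fields the GAO found missing most often; names are an assumption here.
REQUIRED_FIELDS = ("discovered", "vector")

# Reporting deadline for DIB companies, assumed to run from discovery.
DIB_DEADLINE = timedelta(hours=72)


def completeness(reports, fields=REQUIRED_FIELDS):
    """Percentage of reports missing each required field, rounded to 0.1."""
    total = len(reports)
    return {
        field: round(100 * sum(1 for r in reports if not r.get(field)) / total, 1)
        for field in fields
    }


def dib_timeliness(reports, deadline=DIB_DEADLINE):
    """Classify DIB reports as on_time, late, or unmeasurable.

    A report with no discovery timestamp is 'unmeasurable': without it there
    is no way to tell whether the deadline was met, which is the same problem
    the GAO raised about judging how quickly threats are detected.
    """
    result = {"on_time": [], "late": [], "unmeasurable": []}
    for r in reports:
        if r.get("source") != "dib":
            continue  # deadline applies only to industrial-base submissions
        if not r.get("discovered"):
            result["unmeasurable"].append(r["id"])
            continue
        delay = (datetime.fromisoformat(r["reported"])
                 - datetime.fromisoformat(r["discovered"]))
        bucket = "late" if delay > deadline else "on_time"
        result[bucket].append(r["id"])
    return result


def late_share(timeliness):
    """Percent of measurable DIB reports that missed the deadline."""
    measurable = len(timeliness["on_time"]) + len(timeliness["late"])
    if measurable == 0:
        return None
    return round(100 * len(timeliness["late"]) / measurable, 1)


if __name__ == "__main__":
    print("missing fields (%):", completeness(SAMPLE_REPORTS))
    t = dib_timeliness(SAMPLE_REPORTS)
    print("DIB timeliness:", t)
    print("late share of measurable DIB reports (%):", late_share(t))
```

Running the script on the constructed records reports one third of submissions missing each required field and classifies the DIB reports as one on time, two late, and one that cannot be judged because its discovery time is blank. The useful design point is that the unmeasurable bucket is reported separately rather than silently dropped, so a dashboard built on this cannot show a reassuring on-time rate computed only over the reports that happened to be filled in.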

“Unfortunately, there’s only one thing that is required of the vendors right now, and that’s reporting if they have an incident,” the Department of Defense’s acting principal chief information officer David McKeown said at a Politico event Nov. 16. “There is a little bit of reluctance for a company to share anything with us. If we were to go in and take a look at their network and find out that it is abysmal, they wouldn’t want that information to be leaked out that there’s a problem here.”

The GAO offered a number of recommendations, which it says the DOD agrees with. It recommends that the CIO, the commander of U.S. Cyber Command (CYBERCOM), and the commander of Joint Force Headquarters-Department of Defense Information Network assign responsibility for overseeing cyber incident reporting and notification, ensure the DOD has better visibility over cyber incidents, and issue new guidance with more detailed procedures for notifying leadership of critical incidents. The GAO said DOD should review its practices regarding incidents related to the Defense Industrial Base. Finally, DOD should ensure that individuals affected by data breaches are notified.

“DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture,” the GAO report said.

Without specifically addressing the GAO report, McKeown acknowledged deficiencies in the DOD cyber incident reporting practices.

“We’ve made progress on our normal networks to try to secure those and secure the data and make sure that those weapons systems that are actually computers are operational in a time of war,” he said. “There’s a lot of work to be done on other things.”