U.S. Department of Defense Cyber Hygiene: Audit Raises Concerns
The U.S. Department of Defense (DOD) has yet to fully enact three key initiatives and has thus far failed to execute a number of suggested tasks to improve its overall cyber hygiene, the Government Accountability Office (GAO) said in a recent audit.
“DOD has become increasingly reliant on information technology and risks have increased as cybersecurity threats evolve,” the GAO wrote in the April 2020 document, entitled Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene. The GAO conducted the audit from January 2019 to April 2020.
The report evaluates the extent to which DOD has implemented key cyber hygiene initiatives and practices and to what degree senior DOD leaders received information on the department’s efforts to address these initiatives and cyber hygiene practices. Failing to complete the recommended tasks could result in grave consequences. Roughly 90 percent of cyber attacks could be “defeated by implementing basic cyber hygiene and sharing best practices,” the DOD’s principal cyber advisor said. “Until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack,” GAO said in the report.
GAO’s audit investigated progress on tasks from three DOD-wide initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative; the 2015 DOD Cyber Discipline Implementation Plan; and DOD’s Cyber Awareness Challenge training.
The first initiative, Culture and Compliance, set 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and recommendations on changes to cyber capabilities and authorities.
Seven of these tasks have not been fully implemented.
The second initiative, the Cyber Discipline plan, has 17 tasks focused on removing preventable vulnerabilities from DOD’s networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer oversaw 10. The Deputy Secretary’s expectation was 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018.
Four of the tasks have been implemented. Completion of the remaining seven tasks was unknown because the DOD did not submit a report on the progress.
The Cyber Awareness training is intended to help the DOD workforce “maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure.” GAO’s review of the 16 selected training and awareness components found six without information on system users who had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.
In addition to the tasks tied to the three initiatives, DOD has developed lists of techniques that adversaries frequently use and that pose significant risks, and has identified practices to protect DOD networks and systems against these techniques. However, DOD does not know the extent to which these practices have been implemented.
GAO is making seven recommendations to DOD, aimed at ensuring that:
- Cyber hygiene initiatives are fully implemented.
- Entities are designated to monitor component completion of tasks and cyber hygiene practices.
- Senior DOD leaders receive information on cyber hygiene initiatives and practices.
DOD pushed back on some of the seven recommendations. The department concurred with one, partially concurred with four, and did not concur with two. GAO said it “continues to believe that all recommendations are warranted.”