The new GAO Report stressed the importance of such behavioral elements over technical requirements, for example creating a culture of cybersecurity awareness, which is delivered through training, monitoring, and spot checks. Additionally, the DoD Initiatives called on the IT leaders of the military branches to be held responsible for failing to meet the goals. It does not appear accountability requirements have been implemented.
Technical elements are also important and the report noted that the following deficiencies at DoD. Some of those elements include:
- Removing system software which do not have configuration updates
- Ensuring that hyperlinks are disabled in Outlook email clients and on mobile devices
- Ensuring physical security of network infrastructure
- Ensuring internal setup of networks is physically and logically separated from external networks
- Reporting all commercially provided internet connections to DoD’s unclassified network (a key issue as people are working from home)
- Ensuring cyber incident response plans are exercised and documented (something that would seem important to have done BEFORE COVID-19 hit)
Key Quotations from GAO Report:
- “The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. However, it is not know to which DoD user have completed this required training.”
- “While DoD has developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and identified practices to protect DOD networks and systems against these techniques, it does not know the extent to which these practices have been implemented. The absence of this knowledge is due in part to no DOD component monitoring implementation.”
- “Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack. It also observed that department leadership does not regularly receive information on the other two initiatives and on the extent to which cyber hygiene practices are being implemented.”
- “Such information would better position leaders to be aware of the cyber risks facing DOD and make more effective decisions to manage such risks.”
DOD has become increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve. Cybersecurity experts estimate that 90 percent of cyber attacks could be mitigated by implementing basic cyber hygiene and sharing best practices, and it is imperative that the Department of Defense take the steps necessary to mitigate cyber risks as their workforce conducts operations outside the confines of their offices. Taking the steps to mitigate cyber risks means working outside of the technical infrastructure of the Department, and implementing a cultural shift in cyber-preparedness at the DOD. This shift begins and ends with accountability, and CTT applauds the work of the GAO in highlighting the areas in which the Department is lacking cyber-hygiene and acceptable network security standards.