CTT Co-Founder Roslyn Layton: Government Accountability Office Report: DoD Cybersecurity Through the COVID-19 Crisis – Part 1

Part 2 of Dr. Layton’s blog will be published on Thursday, April 23. Please check back on that date for more information on the GAO report regarding DOD cyber security.

An estimated 90 percent of cyberattacks to Department of Defense and armed forces could be avoided by its users practiced good “cyber hygiene”, the equivalent to washing your hands for computer systems, according to DOD’s Principal Cyber Advisor.[1] Its new report by the General Accountability Office (GAO)  Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene explains that the Department of Defense (DoD) has failed to implement its own cyber initiatives on culture, discipline, and awareness from 2015 despite have the time and budget to do so.  The report stresses how the initiatives are part of needed cultural, not technical, improvement.  The GAO provides a timeline of the initiatives and their status.

Good hygiene practices can be as basic and simple as not opening emails from unrecognized senders or clicking or clicking on suspicious links within (called a phishing attack). Another is not to purchase equipment which is known to have vulnerabilities, and moreover to instruct military contractors in these practices. This issue was brought to the fore in a DoD IG July 2019 report showing that some $33 million dollars was spent on equipment which is expressly known to be vulnerable and restricted from purchase, notably the purchase of common place items such as Lenovo laptops and Lexmark printers.  It appears to be caused by lack of training of contractors and recipients of purchasing cards. According to the DoD website, the issue remains unresolved almost a year later. Indeed this issue takes on heightened importance as DoD employees and contracts are working remotely in unprecedented amounts given the COVID-19 crisis.  More generally, the IG found its comprehensive financial and operations audits of DoD, that lack of cyber preparedness is the single most important issue at the Department.

[1] Fiscal Year 2019 Review and Assessment of DOD Budget for Cyber Operations and U.S. Cyber Command: Hearing Before House Armed Services Comm., Emerging Threats and Capabilities Subcommittee, 115th Cong. (Apr. 11, 2018) (statement of Kenneth P. Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security and Principal Cyber Advisor