GAO: Pentagon's Cyber Hygiene Programs Come Up ShortAudit Finds DoD Would Benefit From Better Security Training
The U.S. Defense Department needs to improve its cybersecurity training programs for civilian and military employees to reduce the risks that common security incidents pose, a new audit from the Government Accountability Office finds.
The GAO audit finds that the Defense Department's cybersecurity team has wanted to implement training on better cyber hygiene practices for several years, but the Pentagon and its leadership have missed numerous deadlines to fully implement this effort. The government watchdog's report also found a lack of accountability within the DOD's leadership on implementing better security training and awareness for its employees.
The DOD has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene, the audit shows. This means that the Pentagon is falling short of being able to manage even the most common and pervasive cybersecurity threats and risks, the report concludes.
"Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack,” the report states.
The three Defense Department cyber hygiene initiatives that GAO examined include the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training program.
In its audit, the GAO made seven recommendations:
- Require the CIO office to take responsibility for implementing cybersecurity education and training;
- Create a timeline to complete all the tasks within the various cyber hygiene training plans and focus on removing preventable network vulnerabilities;
- Assign an office within the Pentagon to oversee the implementation of tasks within the cyber discipline plan that are not already supervised by the CIO;
- Make sure that all employees take the cyber awareness challenge training;
- Ensure that DOD leadership tracks workers who have been denied network access as a result of not completing the training;
- Create a division that monitors the progress of cyber hygiene practices;
- Have the CIO provide complete information on cybersecurity practices to DOD leadership to ensure leaders make risk-based decisions.
In its response, the DOD only fully concurred with one recommendation made by the GAO - to ensure that all employees complete the cyber awareness challenge training.
In its other comments, the DOD says, for example, that it could not assign an office to oversee the implementation of certain tasks not overseen by the CIO's office because the threat landscape affecting the Pentagon is constantly changing. It also notes that it has already developed a classified list of the top cyber threats facing the department.
DOD also says in its response that because users are denied network access for a variety of reasons, collecting data on those denied access for not completing the annual training would be "extremely burdensome."
A DOD spokesperson did not immediately reply to a request for comment on other steps the department plans to take as a result of the audit’s findings.
The biggest challenges that the DOD faces when it comes to improving its cyber hygiene are measuring progress and ensuring accountability through the Pentagon's leadership, says Simone Petrella, CEO of cybersecurity training firm CyberVista and a former Defense Department employee.
"What's lacking is a structured way to measure and track the implementation of all these initiatives," Petrella tells Information Security Media Group.
The GAO audit notes that the DOD leadership is not fully aware of which security practices protect its networks from attacks and which of these initiatives have been fully implemented.
With better training and security awareness, the Pentagon's leadership would be in better position to assess its cybersecurity risk, the report notes.
Cybersecurity experts estimate that basic cyber hygiene practices can help defeat 90 percent of attacks, according to DOD's principal cyber adviser, who oversees cybersecurity practices within the Pentagon, the report notes. But the report found that many basic initiatives had not been tracked.
For example, the DOD has not reported on the extent to which hyperlinks in emails have been disabled, a measure that can help prevent phishing attacks, the report finds.
The GAO report also says DOD’s CIO did not take steps to ensure that training courses were implemented, and that the department's leadership was not aware of their responsibility to oversee those tasks.
"Much of the findings of the GAO report cite the responsibility of the DOD's CIO office in providing oversight, and it appears a good chunk of the failings come down to unclear reporting and accountability," Petrella says.