Training

DOD still needs to work on its cyber hygiene, watchdog finds

"Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack," a new GAO report states.

By Jackson Barnett

April 14, 2020

The Pentagon Press Briefing Room before Acting Secretary of the Navy Thomas B. Modly, Commandant of the Marine Corps Gen. David H. Berger and Sergeant Major of the Marine Corps Troy E. Black provide a COVID-19 update for the Marine Corps, at the Pentagon, Washington, D.C., March 26, 2020. (DoD photo by Lisa Ferdinando)

The Department of Defense still needs to sharpen the basic cybersecurity skills of its workforce to defend against the most common and pervasive cybersecurity risks, according to a new Government Accountability Office report.

The report details the department missing several deadlines to implement a variety of cybersecurity initiatives and a critical lack of accountability among DOD leadership for cyber hygiene.

The watchdog recommends that the DOD CIO take action to implement previous recommendations and find better ways of ensuring participation in cyber training. The report said without “decisive action,” the DOD is left with a substantial risk of a successful cyberattack.

“Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack,” the report states.

Much of the report is an update on the department’s progress — or lack thereof — on past initiatives and recommendations from other reports. For instance, the DOD has three main cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD’s Cyber Awareness Challenge training. All three remain incomplete or have an unknown status due to a lack of oversight, the report found.

There appears to also be a lack of communication between cybersecurity leaders and the rest of the DOD. The department maintains lists of known cyberattack types and best practices to counter them, but “the department does not know the extent to which these practices have been implemented” due to a lack of oversight, according to the report.

“Cybersecurity experts estimate that 90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices,” the report states.

Most of the detailed recommendations are for the CIO’s office and include fully implementing previous recommendations. Other recommendations sit on the shoulders of DOD component agencies that need to develop plans on completing previous initiatives.