Jeff and Tina, the recently-retired avatars of the Department of Defense’s annual Cyber Awareness Challenge, would probably be very upset if they saw a new report on DoD’s efforts to tighten up its cyber hygiene game.
What's cyber hygiene, you ask? It's not giving your laptop a bubble bath; it's more like keeping your passwords strong, identifying potential phishing attacks, and keeping software up-to-date.
While it sounds basic, cyber hygiene is no joke: 90% of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices, the DoD's principal cyber advisor said according to the report from the Government Accountability Office.
Despite the importance of cyber hygiene, GAO found that there are huge gaps in the Pentagon's implementation of three of its cyber hygiene programs.
The military hasn’t fully implemented those programs, GAO found, and DoD isn’t keeping good track of its efforts overall. That’s a problem, GAO said, because cybersecurity is a group effort.
“We view this as a culture-over-technology issue,” said Joseph Kirschbaum, director of GAO’s Defense Capabilities and Management Team, on a GAO podcast about the report.
Kirschbaum, who oversaw the report, explained that taking precautions against cyberattacks are a lot like taking precautions against viruses: you wash your hands, you cough in your elbow, that sort of thing. But for it to work properly, everyone has to get in the habit of doing it.
It's all about “the culture of remembering to do those things,” he said, “making sure your family is doing those things, that’s the hygiene portion.”
So what does all this mean for you, a service member, DoD civilian or contractor? It means all that time you spent with Jeff and Tina over the years may have been partially in vain.
The Cyber Awareness Challenge is meant to keep the DoD workforce up-to-speed on cybersecurity best practices, but in many cases the military is not keeping track of who has completed the training, who has not, and who has been barred from network access because they haven’t completed it.
That’s not good, GAO explained, because it means the military doesn't know who could be using their networks who might think 'phishing' is something you do at the lake on the weekends.
That could put everybody at risk, like the time in 2015 when a phishing attack on the Joint Chiefs of Staff email servers resulted in the system being shut down for 11 days while cyber experts rebuilt the network, affecting the work of roughly 4,000 military and civilian personnel, GAO said.
“DoD policy states that all individuals with network access must complete training to retain access,” GAO wrote. If not, then users “may take actions that lead to or enable exploitations of DoD information systems.”
The Cyber Awareness Challenge is meant to provide that training, but here are some flaws GAO found that prevent it from being more effective:
- The Army and Defense Finance and Accounting Service did not have data on how many users had taken the cyber awareness challenge in fiscal 2018
- Six out of the 16 DoD components GAO surveyed (including the Air Force, Navy, Marine Corps and European Command) did not have complete information on the number of users who did not complete cyber awareness training
- Eight out of the 16 components did not track the number of users whose network access had been revoked for not completing the required training.
The Navy protested GAO’s findings, saying that there is “no value for large organizations like the Navy, with over 600,000 users, to track and report these data at the headquarters level.” GAO responded by pointing out that multiple DoD policy and guidance documents require recording training compliance, including the Department of Navy Cybersecurity Policy. So take a seat, Navy.
One would think that, of all DoD components, the Defense Advanced Research Projects Agency would follow cybersecurity policy to the 'T.' But as it turns out, DARPA doesn't even require its users to take the cyber awareness challenge, GAO said.
While DARPA does have its own training program, GAO said the program didn’t address all the requirements identified in a DoD staff manual or by the cybersecurity training topics identified by DoD’s Cyber Workforce Advisory Group .
So that’s great to hear, because it’s not like DARPA is working on any essential national security projects or anything.
In the loop
The Cyber Awareness Challenge wasn’t the only area where GAO found DoD’s cyber hygiene practices lacking. DoD has been working on two other efforts since 2015: the DoD Cybersecurity Culture and Compliance Initiative (DC3I) and the Cybersecurity Discipline Implementation Plan (CDIP). However, GAO found that many of the tasks have not been completed on time because nobody in DoD is keeping track of them.
For example, DC3I was supposed to have been completed in 2016, but seven of the 11 tasks required have not been fully implemented. Many of the CDIP tasks were supposed to be 90 percent complete by the end of fiscal 2018, but four of the 17 total have not been completed on time, while another seven have not been completed because no DoD entity was assigned to keep track of it.
GAO also blamed DoD’s Chief Information Officer for much of the implementation gap, since CIO is in charge of implementing many of the tasks that should have been done by now and informing senior leadership of DoD’s progress.
Senior leaders currently receive a Cyber Hygiene Scorecard and a Cyber Landscape Report. While the DoD Chief Information Officer says those two reports are sufficient for informing leaders on cybersecurity topics, GAO pointed out that the reports do not provide information on 53 of the 69 risk-management indicators required by the Office of Management and Budget.
“If the DoD CIO does not assess the extent that the missing information could improve senior leaders’ ability to make risk-based decisions—and does not follow up to revise the recurring reports or develop a new report—senior DoD leaders will not be positioned well to make effective and risk-based decisions and manage cybersecurity risks,” GAO said.
Among DoD CIO's other excuses were: it was not aware it was responsible for implementing many of those tasks; the computer systems were too old to keep up with cybersecurity policy; or that culture-related hygiene objectives are difficult to measure. To which GAO responded:
- DoD policy says CIO is actually responsible for these tasks
- Legacy systems in DoD are a well-known problem, which is why agencies should “carefully plan for their successful modernization.”
- “While the DC3I's culture-related objectives may be difficult to measure, the extent to which assigned DoD components have taken actions to implement the DC3I tasks is measurable.”
So, like GAO told the Navy, take a seat, DoD CIO.
It's not all bad, but it could be better
To be fair, the military is doing a lot of good work when it comes to implementing cyber hygiene practices. For example, DoD moved 11,000 of its web servers into so-called 'demilitarized zones,' which essentially filter web traffic through systems within firewalls that screen the traffic before allowing access to DoD networks. That reduces the risk of malicious traffic reaching the web servers, GAO wrote.
“I want to be fair to the department, they are taking a great deal of action related to cybersecurity across the board and cyber hygiene in general,” Kirschbaum said in the podcast.
At the same time, the military’s cyber efforts are hamstrung by a lack of accountability for tracking its cyber hygiene efforts and ensuring that users are up to date on best practices.
For example DoD told GAO that some of the tasks DoD said it would implement in 2015 as part of DCI3 and CDIP have been eclipsed by changes in technology and vulnerabilities, but DoD did not provide any evidence of such changes, GAO said.
“We agree with DoD that the department should reassess cybersecurity priorities in light of changes in technologies, threats and vulnerabilities,” GAO wrote. However, DoD "had not determined whether [CDIP] tasks remain valid or aligned with the current cybersecurity threat environment, that the vulnerabilities associated with these seven tasks were mitigated or addressed,” or that a senior-level official had signed off on canceling the steps.
Furthermore, GAO pointed out that the CDIP steps DoD said were outdated were still consistent with basic cybersecurity standards established by DoD guidance, and DoD itself was even planning to apply the standards to certain defense contractors in future contract awards to protect DoD information.
Take a seat, as it were.
GAO gave DoD seven recommendations, which Kirschbaum lumped into two broad categories. First, he said DoD should look at cyber-related issues from a department level so that there’s “an appreciation” for cyber risks, “even if it’s minor issues that can be dealt with at lower echelons,” he said on the podcast.
Second, DoD must change its culture so that the every member of the workforce, from the senior leaders on down, understands the importance of practicing cyber hygiene.
“As we’re finding, a great percentage of the time, major cybersecurity vulnerabilities come from within … the unwitting people not following the right hygiene practices,” Kirschbaum said.
Of GAO’s seven recommendations, DoD concurred with only one, partially concurred with four others, and did not concur with two more. That leaves the implementation of some of the hygiene practices uncertain. Still, Kirschbaum stressed the importance of getting everyone onboard.
“Cyber’s always going to be technical, it’s going to be hard to understand for a lot of people,” he said. “But culture, process, training, individual and collective vigilance is where the key to success lies.”