The Department of Defense puts a lot of effort into cybersecurity but still has some significant holes in its structure, some of them dating back a decade, according to a report issued earlier this month by the department’s Inspector General (IG).
Although the DoD has shored up its network security by implementing some of the past recommendations to close vulnerabilities, its efforts to manage cybersecurity risk are still lacking, according to the report, which cited some 266 recommendations, a few going back as far as 2008, that have gone unattended.
The IG’s latest annual report, mandated under the Federal Information Security Management Act, summarizes 20 unclassified and 4 classified reports issued by the DoD oversight community and the Government Accountability Office (GAO) from July 2017 through June 2018. With regard to risk management, the biggest weakness the IG found was with information technology governance, which allows an organization to inform management of cybersecurity risks and monitor regulatory, legal, risk, environmental, and operational requirements. Without it, “DOD cannot assure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems,” the report said.
The full report released by the IG’s office includes several redacted sections, including one in which it apparently lists subcategories in DoD processes that need to be addressed. “Without adequate controls in those subcategories,” the report said, “the DoD cannot ensure that all of its systems, devices, personnel, and vulnerabilities are identified and managed; that all DoD information is protected from unauthorized access; or that all DoD Components are prepared to react to a disruption in system availability.”
The report compares the DoD’s cybersecurity status against the National Institute of Standards and Technology’s Cybersecurity Framework, which lays out standards, guidelines, and best practices for managing cybersecurity risk. There are 266 “open recommendations” that have not been acted on going back 10 years.
The IG found weaknesses in four of the framework’s five functions for managing risk. The largest number of weaknesses was related to governance, which falls under the Identify function, which concerns managing risks to systems, people, assets, data, and capabilities, the report said. The other functions where the report identifies weaknesses are Protect, Detect, and Respond. The Recover function came through with a clean sheet.
The report wasn’t all bad. The IG noted areas of strength in the DoD’s systems, as well as cases where recommended actions have been taken. But it says that its assessments of the “DOD oversight community and GAO reports indicate that the DOD still faces challenges in managing its cybersecurity risk.” In addition to governance, the report said the DoD needs to continue focusing on asset management, information protection processes and procedures, identity management and access control, security continuous monitoring, detection processes, and communications.
And taking care of some of those older recommendations might be beneficial. The report doesn’t get into specifics about cyber vulnerabilities, but, in general, they tend not to just go away. In fact, unpatched vulnerabilities are among the favorite targets of hackers. A Ponemon Institute study last year found that almost 60 percent of the data breaches organizations suffered over the previous two years could be traced back to a known, but unpatched, vulnerability.
The IG report says that the DoD must focus on improving its IT governance in order to address the weaknesses, and to effectively manage risks in order to protect its heavy reliance on cyberspace to support global military operations.