New IG Report Says US Military Lags in Cybersecurity
By Wes O’Donnell
Managing Editor, In Military and InCyberDefense
The Department of Defense Inspector General’s office recently released a report detailing serious lapses in cybersecurity across multiple military agencies. The IG examined 20 unclassified and four classified reports to determine if previous recommendations had been addressed.
Out of the 159 different recommendations to improve cybersecurity, the DoD followed only 19. The report found broad holes in very basic cybersecurity measures ranging from asset management and information protection to access control.
Lapses in Cybersecurity Fundamentals Alarming to DoD
The DoD is heavily dependent on cyberspace to support its continuing operations, making lapses in basic cybersecurity fundamentals alarming. The report noted that as of September 2018, there were 266 open cybersecurity-related recommendations that dated as far back as 2008.
Perhaps most concerning was that the largest number of identified weaknesses in the heavily redacted report fall under the “Governance” category. Without proper governance, the DoD cannot ensure that it uses policies, processes and procedures to effectively identify and manage cybersecurity risks. Focusing on the “Governance” issues will create a better framework to protect other critical infrastructure assets.
This report is another blow to the DoD. In October 2018, the Government Accountability Office found that U.S. weapon systems developed between 2012 and 2017 have “mission critical” cyber vulnerabilities. Currently, many high-tech weapon systems are still easily hackable with very basic tools.
Cybersecurity Problems Put Troops at Risk
It’s not just expensive weapon systems that are vulnerable. Weapon systems like ballistic missiles and front-line troops have one thing in common: their data is very easy to hack, the passwords are poorly protected and computer terminals are not programmed to automatically log out users.
The IG report also highlighted the fact that Army hospitals are at extreme risk where relaxed security methods make medical records easily accessible. Healthcare records, whether DoD or civilian, remain a high-value target for hackers around the world. In many cases, individual medical records are more valuable than any other single piece of demographic data.
How We Can Improve Government Cybersecurity
After World War II, the U.S. government tied up official documents in folders with red tape. Today, red tape is the term used for the complex procedures and rules that make it difficult to achieve progress in a bureaucracy. By focusing on governance and streamlining information management and reporting, we can take the first steps to ensuring that our nation’s data is secured.
The IG states that cybersecurity failures are a leadership problem in the military bureaucracy. Acting Secretary of Defense Patrick Shanahan must be brought up to speed quickly on the DoD’s cyber-related shortcomings in the wake of former Defense Secretary General James Mattis’ resignation in December.
America’s near peer-level adversaries are perfecting robust offensive cyber operations for maximum information disruption. If the U.S. is to continue its role as the world’s sole economic and military superpower, the DoD needs to take steps immediately to address the IG’s information security concerns.