This month a Government Accountability Office (GAO) report found that the Department of Defense’s (DoD’s) cyber hygiene is critical as threats to its information and networks increase. The GAO report, “DOD Needs to Take Decisive Actions to Improve Cyber Hygiene” noted that the DoD had three cyber hygiene initiatives underway but all of these efforts are incomplete or the status is unknown because no one is in charge of reporting on progress.
Carnegie Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. It includes the practices and steps that users of computers and other devices take to maintain system health and to improve online security. These practices are often part of a routine that helps protect the user’s identity and other data that could otherwise be stolen or corrupted.
GAO conducted this study to highlight the shortcomings in DoD cyber hygiene.
“DoD has become increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve,” the GAO report found. “Cybersecurity experts estimate that 90% of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices, according to DOD’s Principal Cyber Advisor.”
Big Initiatives, Little Progress
The GAO discussed DoD cyber hygiene and identified three department-wide initiatives that had been undertaken.
The 2015 DOD Cybersecurity Culture and Compliance Initiative (DC3I) set forth 11 overall tasks that were expected to be completed in fiscal year 2016, including cyber education and training, integration of cyber into operational exercises, and recommendations on changes to cyber capabilities and authorities. However, seven of the tasks presented in this initiative have not been fully implemented.
The 2015 DoD Cyber Discipline Implementation Plan (CDIP) had 17 tasks focused on removing preventable vulnerabilities from DoD’s computer networks that could have enabled adversaries to compromise information and systems. Of those 17, the DoD chief information officer (CIO) was responsible for overseeing implementation of 10 tasks. The DoD deputy secretary had set a goal of achieving 90% implementation of the 10 CIO tasks by the end of fiscal year 2018, yet four of the tasks still have not been implemented. Further, the status of the other seven tasks is unknown because no DoD entity has been designated to report on their progress.
The DoD’s Cyber Awareness Challenge training was intended to help the DoD workforce maintain awareness of known and emerging cyber threats, and to reinforce best practices for keeping information and systems secure. As with the other initiatives, progress is largely unknown. In this case, selected components in the department do not know the extent to which users of their systems have completed this required training. GAO’s review of 16 selected components identified six that had no information on how many system users had not completed the required training, and eight more that had no information on how many users had their network access revoked for not completing it.
To address the shortcomings of DoD cyber hygiene, the GAO offered seven recommendations for executive action, each addressed to the Secretary of Defense. These included 1) ensuring that the DoD CIO takes appropriate steps to implement the DC3I tasks; 2) ensuring that the DoD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by the DoD CIO; 3) ensuring that the Deputy Secretary of Defense identifies a DoD component to oversee the implementation of the seven CDIP tasks not overseen by the DoD CIO and to report on progress implementing them; and 4) ensuring that DoD components accurately monitor and report information on the extent to which users have completed the Cyber Awareness Challenge training, as well as the number of users whose network access was revoked because they had not completed it.
Additionally, GAO called upon the Secretary of Defense to: 5) ensure that the DoD CIO requires all DoD components, including DARPA, to have their users take the Cyber Awareness Challenge (CAC) training developed by DISA; 6) direct a component to monitor the extent to which practices are implemented to protect the department’s network from key cyber attack techniques; and 7) ensure that the DoD CIO assesses whether senior leaders have sufficiently complete information to make risk-based decisions, and revises the recurring reports (or develops a new report) accordingly. Such information could include DoD’s progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DoD networks from key cyber attack techniques.
The GAO noted of the seven recommendations, DoD concurred with one, partially concurred with four, and did not concur with two.
The DoD partially concurred with recommendation one and added that two tasks from the DC3I report should continue to be implemented, as the DoD stated, “they are the only two tasks still being actively pursued because the remaining tasks were either implemented or have been overcome by events.”
The DoD partially concurred with recommendation two, but reserved its detailed response for the classified version of the report. The DoD also partially concurred with recommendations four and seven. It fully concurred only with recommendation five, that the Secretary of Defense should ensure that the CIO requires all DoD components, including DARPA, to have their users take CAC training.
For recommendation three the DoD did not concur, responding that the cyber landscape is constantly evolving with changes in technology, threats and vulnerabilities, which requires the DoD to continually reassess its cybersecurity priorities. For recommendation six, the DoD’s response was redacted.
GAO has said that it continues to believe that all recommendations are warranted.