New report shows how governments are still failing to prioritize cybersecurity

As the threat of cyberwarfare has escalated, one might be forgiven for thinking that it would be a high priority for governments, but a new report from the US Government Accountability Office (GAO) suggests that’s far from the case. The report highlights grave and systemic shortcomings in the attempts by the Pentagon to make cybersecurity a strategic priority.

The GAO looked specifically at three initiatives designed by the Department of Defense (DoD) to test whether the Pentagon was successful in placing cybersecurity at the heart of its operations. Sadly, it appeared to be lacking in so many areas.

For instance, the DoD was found to have not completed the specific training and awareness activities it had aimed to accomplish, with the success of other initiatives largely unknown because they weren’t being tracked. The authors concede that their report doesn’t assess the technical elements of the DoD’s cybersecurity capabilities, they nonetheless believe the poor performance of such a crucial agency in America’s national defense is worrying.

Securing against threats

The report highlights that it’s impossible to eliminate the risk of all threats, but risks can be managed, and while they accept that many of the strategies and plans implemented by the DoD are good, there remains considerable concern that the plans are not being pursued with sufficient diligence. This is especially evident in domains that aren’t even being assessed. As the old maxim goes, you can’t manage what you aren’t measuring, so it’s possible that significant blind spots exist in the agency’s cybersecurity plans.

The report explores three initiatives in detail. The first of these is the 2015 Cybersecurity Culture and Compliance Initiative, which set out 11 education goals for the coming year. Of these 11 goals, the report found that just four of them were completed.

The second initiative was the 2015 Cyber Discipline plan, which outlined 17 goals around the detection and elimination of preventable vulnerabilities from the networks operated by the DoD by the close of 2018. Of these 17 goals, the report suggests that just six had been met, with another four still pending. The remainder were largely unknown as the DoD had failed to track their progress.

This lack of assessment of progress was a common cause for criticism in the report, which highlights the lack of updates on initiatives, or even apparent accountability for them. The authors reveal that there is a startling lack of understanding as to just who has done what, and what the results were. Indeed, they claim that there is even a lack of awareness as to who has access to their network, and whether those that do have undertaken the appropriate security training.

Lack of diligence

Despite this, the GAO suggests that this lack of diligence is in itself not surprising, and they outline seven areas that the DoD can focus on should they wish to improve, with all of these recommendations relating to the completion of existing initiatives and better oversight on the projects they undertake.

In fairness, the DoD themselves agree with some of the recommendations, although they have said that some of the legacy programs are now outdated and therefore shouldn’t be pursued as part of current defense initiatives. They argue that the bulk of their resources should be devoted to areas that they identify as high risk in the current time, rather than monitoring compliance with lower risk areas that were identified five years ago.

Nonetheless, the GAO stands by their report, explaining that despite the goals being set a number of years ago, they were goals that relate to key foundational skills and concepts, and are therefore less time-specific than goals involving specific pieces of technology or software. If anything, they argue, these underlying processes are even more important now as the threat landscape changes so rapidly.

They suggest that it’s not enough to be able to identify and attack problems, which they say the DoD are good at. Where they need to improve is the follow-through, with the culture and processes within the department key areas for improvement. Indeed, the GAO believe these to be basic cybersecurity best practice.

“GAO is making seven recommendations to DOD, including that cyber hygiene initiatives be fully implemented, entities are designated to monitor component completion of tasks and cyber hygiene practices, and senior DOD leaders receive information on cyber hygiene initiatives and practices,” the report concludes.