Five years ago, the Department of Defense set dozens of security hygiene goals. A new report finds that it has abandoned or lost track of most of them.
The United States federal government isn’t known for robust cybersecurity. Even the Department of Defense has its share of known vulnerabilities. Now a new report from the Government Accountability Office is highlighting systemic shortcomings in the Pentagon’s efforts to prioritize cybersecurity at every level and making seven recommendations for shoring up DoD’s digital defenses.
The report isn’t a checklist of what DoD should be doing to improve cybersecurity awareness in the abstract. Instead, GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of “cybersecurity hygiene” like this doesn’t directly analyze a network’s hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.
“It’s everyone’s responsibility to understand their part in cybersecurity, but how do you convince everyone to follow the rules they’re supposed to follow and do it consistently enough?” says Joseph Kirschbaum, a director in GAO’s defense capabilities and management team who oversaw the report. “You’re never going to be able to eliminate all the threats, but you can manage them sufficiently, and a lot of DoD’s strategies and plans are good. Our concern is whether they’re doggedly pursuing it enough so they’re able to do the risk management.”