GAO report finds inconsistent implementation of DOD incident reporting requirements

By Sara Friedman  / November 15, 2022

A new report from the Government Accountability Office finds significant deficiencies in how the Pentagon collects and uses cyber incident reporting data from the defense industrial base required under Defense Department policy.

Information systems used by the DIB “continue to be the target of cyberattacks,” the report released on Monday says. It includes a chart breaking down, by year, the more than 12,000 cyber incidents reported since 2015.

The report says, “To combat these incidents, DOD has established two processes for managing cyber incidents -- one for all incidents and one for critical incidents. However, DOD has not fully implemented either of these processes.”

DOD has been able to reduce the number of incidents, GAO said, but “weaknesses in reporting these incidents remain,” including incomplete information on incidents and situations where DOD was unable to demonstrate how it notified “appropriate leadership of relevant incidents.”

The report says, “The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department's cybersecurity posture.”

Based on discussions with DOD officials, GAO found there is some confusion on “whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders.”

The report says, “DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners. Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.”

There are also concerns around the protection of personally identifiable information and when to notify individuals of a breach.

“DOD has not consistently documented the notifications of affected individuals, because officials said notifications are often made verbally or by email and no record is retained,” the report states. “Without documenting the notification, DOD cannot verify that people were informed about the breach.”

The Pentagon changed its acquisition rules in 2015 to make incident reporting mandatory for the DIB. The report was required under the Fiscal Year 2021 National Defense Authorization Act.

The Cybersecurity and Infrastructure Security Agency is in the process under a March law of establishing mandatory requirements for industry across all 16 critical infrastructure sectors, including the DIB. The approach is a shift from CISA’s traditionally voluntary info-sharing relationship with industry.

GAO urges the DOD CIO and U.S. Cyber Command to work together to “assign responsibility for overseeing cyber incident reporting and leadership notification, and ensuring policy compliance” and align policies and system requirements to have “enterprise-wide visibility” for incident reports.

Another recommendation is the creation of new guidance from the DOD CIO and Cyber Command with “detailed procedures for identifying, reporting and notifying leadership of critical cyber incidents.”

The report says, “The secretary of defense should ensure that the DOD CIO determines what actions need to be taken to encourage more complete and timely mandatory cyber incident reporting from DIB companies.” It also includes a recommendation on reviewing PII breach policies.