GAO calls upon DOD to increase attention to ensure cyber incidents are appropriately reported and shared

The U.S. Government Accountability Office (GAO) disclosed on Monday that the Department of Defense (DOD) has not fully implemented its processes for managing cyber incidents. It also does not have complete data on cyber incidents that staff report and fails to document whether it notifies individuals whose personal data is compromised in a cyber incident. 

Following the study, the GAO made six recommendations, including that DOD assign responsibility for ensuring proper incident reporting, improve the sharing of defense industrial base (DIB)-related cyber incident information, and document when affected individuals are notified of a personally identifiable information (PII) breach. DOD concurred with the recommendations.

DOD and the DIB, which comprises entities outside the federal government that provide goods or services critical to meeting U.S. military requirements, depend on information systems to carry out their operations. “These systems continue to be the target of cyber attacks, as DOD has experienced over 12,000 cyber incidents since 2015. To combat these incidents, DOD has established two processes for managing cyber incidents – one for all incidents and one for critical incidents. However, DOD has not fully implemented either of these processes,” the GAO report said.

GAO said that despite the reduction in the number of incidents due to DOD efforts, weaknesses in reporting these incidents remain. For example, DOD’s system for reporting all incidents often contained incomplete information, and DOD could not always demonstrate that it had notified appropriate leadership of relevant critical incidents. “The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture.”

“In addition, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials,” GAO reported. “DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners. Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.”

DOD has established a process for determining whether to notify individuals of a breach of their PII, the U.S. watchdog said in the report. “This process includes conducting a risk assessment that considers three factors—the nature and sensitivity of the PII, likelihood of access to and use of the PII, and the type of the breach. However, DOD has not consistently documented the notifications of affected individuals, because officials said notifications are often made verbally or by email and no record is retained. Without documenting the notification, DOD cannot verify that people were informed about the breach,” it added.

The GAO report added that “not notifying individuals or notifying individuals inconsistently could leave some affected individuals more exposed to identity theft, which could lead to financial loss and emotional distress.”

According to the GAO report, DOD has recognized the importance of cyber incident management. For example, the department has issued guidance assigning overall responsibilities for protecting the DOD network against unauthorized activity or cyber threats. However, DOD faces challenges in implementing an effective process to report and share information on cyber incidents.

“The lack of an accountable organization to ensure complete incident reporting and proper notification of leadership and the lack of an incident management system that is aligned with policy requirements are concerning because leaders throughout DOD need to have a complete and accurate picture of the department’s cybersecurity posture,” GAO said.

Additionally, DOD has recognized the importance of improving the cybersecurity posture of the DIB, which has long been a target of, and has become increasingly vulnerable to, cyber threats, GAO said. “For example, DOD issued guidance regarding the notification of DOD and congressional leadership of cyber incidents involving the DIB. However, weaknesses remain in the department’s processes for sharing and reporting DIB-related cyber incident information.”

Furthermore, by ensuring that all DIB-related cyber incidents are properly shared with relevant stakeholders, DOD components would be better positioned to alert their communities of interest of cyber incidents that may affect them, GAO said. “Moreover, by evaluating and implementing potential improvements to the completeness and timeliness of cyber incident information reported by the DIB, DOD would have a more complete and accurate understanding of the threat landscape affecting the private sector, which could alert DOD more quickly to potential threats and allow it to employ mitigation measures earlier,” the report added.

The GAO report also stated that when there is a data breach of PII, DOD is required to determine whether to notify affected individuals. “DOD officials told us that they follow this requirement but do not always document the notification. Without documenting the notification, there is no way to verify that DOD actually informed individuals that their privacy data was potentially compromised, which could leave some affected individuals more exposed than others to identity theft,” it added. 

GAO calls upon the Secretary of Defense to ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN assign responsibility for overseeing cyber incident reporting and leadership notification and ensuring policy compliance. It also suggests that the Secretary of Defense should ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN align policy and system requirements to enable DOD to have enterprise-wide visibility of cyber incident reporting to support tactical, strategic, and military strategies for response. 

The Secretary of Defense should also ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN include in new guidance on incident reporting detailed procedures for identifying, reporting, and notifying leadership of critical cyber incidents. Additionally, the Secretary of Defense should ensure that the Commander of CYBERCOM, in coordination with the DOD CIO and the directors of the DOD Cyber Crime Center (DC3) and the Defense Counterintelligence and Security Agency (DCSA), examines whether information on DIB-related cyber incidents handled by cybersecurity service providers (CSSPs) is relevant to the missions of other DOD components, including DC3 and DCSA, and identifies when and with whom such information should be shared.

The GAO report also stated that the Secretary of Defense should ensure that the DOD CIO determines what actions need to be taken to encourage more complete and timely mandatory cyber incident reporting from DIB companies. Additionally, the Secretary of Defense should ensure, through the Director of the Privacy, Civil Liberties, and Freedom of Information Directorate, that DOD components document instances where individuals affected by a privacy data breach were notified.

In August, the GAO told the DOD to develop plans with scheduled completion dates to implement four tasks in the department’s Cybersecurity Discipline Implementation Plan that the DOD CIO oversees. Before that, in May, the agency determined that the DOD has reported implementing more than 70 percent of four selected cybersecurity requirements for controlled unclassified information (CUI) systems, based on GAO’s analysis of DOD reports, including a June 2021 report to Congress, and data from DOD’s risk management tools.