In a Monday report titled "DOD Needs to Take Decisive Actions to Improve Cyber Hygiene,” the GAO noted three cybersecurity programs the Pentagon had neglected for years, leaving the department at “an enhanced risk of successful attack.”
According to the GAO, the Pentagon’s DoD Cybersecurity Culture and Compliance Initiative (DC3I), Cybersecurity Discipline Implementation Plan (CDIP) and Cyber Awareness Challenge training are all years behind schedule - at least, the GAO has had to assume they are behind schedule, because in many cases either no one is in charge of reporting on the process or the DoD doesn’t know whose job it is to do so.
For example, DC3I was supposed to complete 11 tasks in fiscal year 2016, including cyber education, training and integration into other exercises, but in 2020, seven of those tasks still have not been completed.
The CDIP has 17 tasks aimed at ridding Pentagon networks of preventable vulnerabilities. While the GAO could firmly state that four of those tasks have not been implemented, the status of seven others was unknown “because no DOD entity has been designated to report on the progress,” the watchdog noted.
When it came to Cyber Awareness Challenge training, the GAO noted that “selected components in the department do not know the extent to which users of its systems have completed this required training.” The agency noted that of 16 selected components, six had no information on which users had completed the training, and eight lacked information on which users had network access and which had their access revoked for not completing the training.
The GAO’s recommended course of action was simple and direct: “GAO continues to believe that all recommendations are warranted.”
Monday’s report is far from the first time the Defense Department has been taken to task for its cybersecurity practices.
A March 2019 report by the US Navy blasted the country's state of cybersecurity as a “national miscalculation,” leaving the Pentagon’s computer networks “compromised to such extent that their reliability is questionable.”
A similar message has come up time and again, from the Pentagon Office of the Inspector General to the head of US Cyber Command and even private academics. In one particularly damning GAO report from October 2018, a Pentagon hacker testing the F-35 stealth fighter for weaknesses was able to crack the advanced plane’s computer password in just nine seconds; four months later, the GAO noted this gaping security hole still had not been fixed.