In November, the United States Government Accountability Office (GAO) published its latest review of how the Department of Defense (DOD) handles cyber incidents.
The 70-page report published in November warns that hackers are continuing to target the DOD itself alongside the U.S. defense industrial base.
The report revealed that DOD has not consistently documented the notifications of affected individuals; officials said notifications are often made verbally or by email and no record is retained.
Failures in reporting cyber incidents at the U.S. Department of Defense risk leaving commanders in the dark about the effects hackers could have on their missions, according to the report.
The risks to DOD and defense industrial base (DIB) information systems are increasing as cybersecurity threats evolve and become more sophisticated. For example, in November and December 2021, Chinese hackers breached five U.S. defense and technology firms. The hackers obtained passwords to access the organizations’ systems and intercept sensitive communications. Similarly, between May and July 2019, hackers breached the Defense Information Systems Agency’s (DISA) network.
While external information sharing around the Russian invasion of Ukraine has won the DOD and broader U.S. security and intelligence community plaudits, the lack of internal information sharing within the DOD and the defense industry is leading to “lost opportunities to identify system threats and improve system weaknesses.”
“Until DOD assigns responsibility for ensuring complete and updated incident reporting and proper leadership notification, the department will not have assurance that its leadership has an accurate picture of its posture,” the report warns. “As a result, the department may miss opportunities to assess threats and weaknesses, gather intelligence, support commanders, and share information.”
These issues are caused in part by the design of JIMS. While the DOD’s official Cyber Incident Handling Program Manual requires 46 different data fields for reporting a cyber incident, JIMS only requires users to include information on 13 of the 46 fields, with the other data fields either presented as optional (such as operational impact and system weaknesses) or unavailable (such as root cause(s) and systems affected) in the system.
DOD officials “acknowledged that JIMS has limitations,” according to the GAO report, and “are considering implementing a new solution to address those limitations.”
The GAO report concluded that the DOD needs to take stronger measures to protect its networks and data from cyber attacks. Specifically, the report recommended that the DOD improve its cybersecurity policies and procedures, increase its use of encryption and other security measures, and enhance its cyber threat intelligence capabilities.
The GAO also recommended that the DOD improve its coordination with other government agencies and private sector partners to better defend against cyber threats. Finally, the report urged the DOD to address staffing shortages and training gaps in its cybersecurity workforce, which could leave it vulnerable to attacks.
Overall, the GAO report highlights the ongoing challenge that the DOD and other government agencies face in defending against cyber threats, and the need for continued investment in cybersecurity infrastructure and personnel.