A new report from the Government Accountability Office (GAO) says the Department of Defense (DOD) has not fully implemented its processes for managing cyber incidents. The government watchdog also found weaknesses in data reporting and management.
DOD and the U.S. defense industrial base (DIB) are heavily dependent on information systems to carry out their operations. These systems continue to be targeted by cyber attackers, and DOD has experienced over 12,000 cyber incidents since 2015. For example, in November and December 2021, Chinese hackers breached five U.S. defense and technology firms. The hackers obtained passwords to access the organizations’ systems and intercept sensitive communications. Between May and July 2019, hackers breached the Defense Information Systems Agency’s network, potentially compromising personal information. Further, in February 2017, an Iranian hacker group targeted actors associated with the DIB in a campaign to steal credentials and other data.
Malicious logic incidents – the installation of software designed and/or deployed by adversaries with malicious intentions for gaining access to resources or information without the consent or knowledge of the user – make up the vast majority of the cyber incidents reported. Other incidents include root-level intrusion, user-level intrusion and denial of service.
To combat the cyber threat, DOD has established two processes for managing incidents – one for all incidents and one for critical incidents. GAO acknowledged the efforts already undertaken by DOD and the DIB, which have seen the number of incidents reported decline from a high of 3,880 in 2015 to 948 in 2021. Despite this reduction, however, GAO found that weaknesses in reporting incidents remain. For example, DOD’s system for reporting all incidents often contained incomplete information, and DOD could not always demonstrate that it had notified appropriate leadership of relevant critical incidents.
GAO’s November 14 report notes that 91 percent of cyber incident reports did not include information on the discovery date of the incident, which hinders DOD’s ability to determine whether incidents were reported in a timely manner. The report adds that 68 percent of cyber incident reports did not include information on the incident’s delivery vector, limiting DOD’s ability to identify trends in the prevalence of various threats affecting its networks.
GAO attributed the weaknesses in the implementation of the two processes to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. DOD officials acknowledged that its incident management system has limitations and told GAO that they are considering implementing a new solution to address those limitations.
The review also found that DOD had not fully implemented the critical cyber incident management process due to a lack of detailed procedures for determining which incidents are critical.
With regard to cyber attacks on the DIB, GAO found that the information submitted by DIB companies to DOD’s Cyber Crime Center (DC3) was not always comprehensive or timely. For example, an estimated 20 percent of these incident reports provided no response or an unclear response as to whether DOD programs, platforms, or systems were involved in the incident. An estimated 21 percent of the mandatory incident reports received by DC3 indicated that it was unknown whether there was an impact to covered defense information. An estimated 55 percent of the incident reports indicated that an incident outcome (successful compromise or failed attempt) was unknown.
In addition to omitting required information, GAO found that DIB companies often submitted mandatory incident reports outside of the three-day window required for reporting. The watchdog estimated that 51 percent of the cyber incidents submitted by DIB organizations from calendar years 2015 through 2021 were submitted more than four days after discovery and 20 percent were submitted more than 20 days after discovery. DC3 officials said that much of the information is unknown within the three-day window required for reporting and that it was unrealistic to expect a company to always have the required information within this time frame.
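The gaps GAO measured above (missing discovery dates and delivery vectors, unknown outcomes, and submissions outside the three-day window) can be checked mechanically on a report set before it is submitted. The following is an added example, not GAO or DC3 code; the field names and the sample records are constructed for illustration, and the three-day window is treated as three calendar days from discovery to submission.

```python
from datetime import date

# Constructed sample incident reports (not real DC3 data), using the fields GAO
# found incomplete: discovery date, delivery vector and incident outcome.
SAMPLE_REPORTS = [
    {"id": "R1", "discovered": "2021-03-01", "reported": "2021-03-02",
     "vector": "phishing", "outcome": "compromise"},
    {"id": "R2", "discovered": None, "reported": "2021-03-10",
     "vector": "", "outcome": "unknown"},
    {"id": "R3", "discovered": "2021-04-01", "reported": "2021-04-06",
     "vector": "web", "outcome": "failed attempt"},
    {"id": "R4", "discovered": "2021-05-01", "reported": "2021-05-25",
     "vector": None, "outcome": None},
]

REPORTING_WINDOW_DAYS = 3  # mandatory DIB reporting window cited in the article


def reporting_lag_days(report):
    """Days from discovery to submission, or None when the discovery date is absent
    (the case GAO says prevents DOD from judging timeliness at all)."""
    if not report.get("discovered") or not report.get("reported"):
        return None
    discovered = date.fromisoformat(report["discovered"])
    reported = date.fromisoformat(report["reported"])
    return (reported - discovered).days


def is_late(report, window=REPORTING_WINDOW_DAYS):
    """True only when a lag can be computed and it exceeds the window."""
    lag = reporting_lag_days(report)
    return lag is not None and lag > window


def completeness_metrics(reports):
    """Percent of reports missing each field GAO called out, the percent submitted
    late, and the ids whose timeliness cannot be determined."""
    n = len(reports)
    if n == 0:
        return {}

    def missing(key):  # empty, None, or the literal value "unknown" all count as missing
        return sum(1 for r in reports if not r.get(key) or str(r[key]).lower() == "unknown")

    return {
        "pct_missing_discovery_date": round(100 * missing("discovered") / n),
        "pct_missing_vector": round(100 * missing("vector") / n),
        "pct_unknown_outcome": round(100 * missing("outcome") / n),
        "pct_late": round(100 * sum(1 for r in reports if is_late(r)) / n),
        "undeterminable_timeliness": [r["id"] for r in reports if reporting_lag_days(r) is None],
    }
```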
DC3 officials stated that during the SolarWinds cyber event, multiple DIB entities observed the presence of the malware but did not report it since they did not see the malware execute or see data being extracted.
DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials. GAO pointed out that DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners.
Last week, DC3’s DOD-DIB Collaborative Information Sharing Environment (DCISE) officially onboarded the 1000th voluntary partner into DOD’s DIB Cybersecurity Program. The program works with cleared contractors to help prevent threats to contractor networks. DCISE initially attracted a significant number of larger cleared defense contract companies, but recent growth has focused on small to medium-sized companies. Defense companies involved in the program receive unique cyber threat intelligence reporting, free malware analysis, engagement opportunities with government and industry experts, and cybersecurity-as-a-service capabilities from DCISE in coordination with the larger DC3 Enterprise.
GAO’s review also examined personal data breaches and found that DOD has established a process for determining whether to notify individuals of a breach of their personally identifiable information (PII). This process includes conducting a risk assessment that considers three factors: the nature and sensitivity of the PII, the likelihood of access to and use of the PII, and the type of breach. However, GAO found that DOD has not consistently documented the notifications of affected individuals, because, officials said, notifications are often made verbally or by email and no record is retained.
GAO is making six recommendations, including that DOD assign responsibility for ensuring proper incident reporting, improve the sharing of DIB-related cyber incident information, and document when affected individuals are notified of a PII breach. DOD concurred with the recommendations.