Frequent hand washing has become the new zeitgeist. But cybersecurity hygiene might still be the longer term concern. The Defense Department has not one but three cyber hygiene initiatives. But they’re incomplete and no one is reporting what’s going on. That’s according to research by the director of defense capabilities and management issues at the Government Accountability Office, Joe Kirschbaum. He joined Federal Drive with Tom Temin to explain.
Tom Temin: So you looked at the cyber hygiene efforts at the Defense Department. And just to clarify, these are not cybersecurity efforts by the network operations and the CIO staff, but this is what they want their people to do to keep bad things from coming in. Correct?
Joe Kirschbaum: Correct. And your analogy about hygiene, hand washing, is very apt. One of the things that we found right off the bat was even though DoD leadership used that term hygiene, there was an incomplete understanding of what it meant, but the analogy is actually spot on because there are hundreds and hundreds of technical practices, individual practices, cybersecurity efforts that need to be done. But the effort to convince people to do those things, to make sure they’ve been done, and find out how well they’ve been done. That’s the hygiene portion. It’s just like we’re all practicing right now to prevent further spread of pandemics. So that’s what we were concentrating on, those efforts, those cultural efforts that the department needs to do and how well they are doing those and tracking them.
Tom Temin: And just briefly describe the three lines of effort they do have going.
Joe Kirschbaum: So three lines of effort that we followed stemmed from one of the last major cyber strategies that the Department of Defense put out in 2015. They followed up with a number of things, one of which was called the DoD Cybersecurity Culture and Compliance Initiative. This one’s important because it gets at one of the key facets of cybersecurity that we’ve found over the years and that is that yes, it is true, cybersecurity is undeniably a technical problem and technical issue, but it is not just for technical experts to solve, it is everyone’s responsibility. So that’s where the culture comes in. So DoD set up this culture and compliance initiative that set forth 11 overall tasks that everyone’s supposed to do. We also looked at something similar that was called the cyber discipline plan. Once again, it’s focused on how to view the defense culture with cybersecurity, get the right people doing the right things at the right time. And then the last one, of course, was kind of a yearly routine, the cyber awareness training that everyone in the department is supposed to perform.
Tom Temin: And when you look at these programs, you found that the 17 tasks in one and the 11 tasks in the other were not completed or nobody was tracking them. Correct?
Joe Kirschbaum: Correct. And I think it’s important to note that in many of the cases, when we’re looking at things that were not fully tracked, when we dug deeper, we found instances where they were being done. So I’m not suggesting that we found like an absolute hole in cybersecurity. That’s not necessarily the case. What we did find was incomplete understanding of the extent to which some of these things are done. And some of these are basic cybersecurity practices, making sure you’ve got the principles throughout the department, imputing all the training at the right levels, making sure you’re following through with who’s supposed to be doing that training. And you know, when they’ve done it, and when they have it. Those are the things that are important to make sure that cyber hygiene is much better than it has been. And they’re also key to making sure that the leadership of the department knows where the risks might be.
Tom Temin: And I guess this is particularly important in view of the fact that there’s so much turnover every year at DoD. I mean, they get in tens of thousands of new recruits. And presumably once they’re past basic training, they will have access to some DoD system to interact on, even if only for their personal lives, but still official business. So they really need to keep up that training because so many people are coming and going every year.
Joe Kirschbaum: Absolutely. And it’s even more important at this particular moment when the department is rapidly expanding their capabilities to do telework, which they have not done before. I mean, they have the resources to do that in the short term. But hopefully they’re doing it not just with the view to improving efficiency of their remote computing capability, but they’re also doing it with cybersecurity in mind.
Tom Temin: What were your principal recommendations here then?
Joe Kirschbaum: So one of the things we recommended was that the follow through on these initiatives be carried forward. In other words, we want the department to take the initiatives that they develop, which are frankly very good; they achieve what you want them to achieve, that is making sure the culture is improved. And we want them to follow through on those things, to track the things that need to be tracked and to make sure that the department’s leadership is aware of those things and the status of those things so they can make those risk management decisions. So those were our principal recommendations.
Tom Temin: And the response from DoD?
Joe Kirschbaum: We got a mixed response from DoD. They obviously agree with the importance of cybersecurity. That’s without question. One of the things they disagreed with was the extent to which they needed to follow up on some of these things, because they may be overcome by events, or there may be new strategies to follow. It is true that there may be things that are overcome by events, but by and large, most of what we found in these initiatives was still relevant or should be still relevant or needs to be assessed if they’re still relevant. And as I said before, a lot of these are basic cybersecurity practices. They’re enduring, they’re not going to go away. So there’s still relevance in what DoD found. And one of the other things we’re concerned about is, you talked about the turnover for personnel, that affects the leadership as well. What’ll happen is you’ll get a series of initiatives that are aimed at a certain number of really good goals, and then they’ll chug along for a few years of implementation and then that leader will get replaced. And suddenly that initiative receives much less attention in favor of a new initiative that either overlaps, doesn’t fully replace, or is otherwise downgraded in relevance. So what you end up leaving is you end up leaving momentum that you’ve already built. So we’re trying to make sure that they’re focusing on maintaining that momentum through to the vision they want to achieve.
Tom Temin: And sometimes it looks like the tasks that they have given themselves under these initiatives seem almost like something you could check off on a box but not actually affect cybersecurity. I’m looking at one, for example: combatant commanders, service chiefs, agency and DoD component heads will take appropriate actions to incorporate the DC3I principles into all levels of training. And that sounds like a really kind of bureaucratic exercise and it’s hard to tell, and it’s one you noticed that it’s not fully implemented. When it’s done, whether there’s a change in the cybersecurity posture of all of DoD seems hard to measure also.
Joe Kirschbaum: It is. I would agree with that 100%. And that’s one of the reasons we would find that not only tracking implementation, because some of these are almost like compliance drills, you’re supposed to do x, have you done x, check that off. Some of these are enduring, or they’re there. What’s the phrase, “they’re a journey, not a destination.” So one of the things that makes it so important that they track these things is not just to understand where the department is in implementation, but also that assessment side, making sure that what they’ve ended up doing to meet whatever recommendation they’ve made, whatever task, is ensuring that that action actually affects the original intent. So the idea is, you’re constantly assessing whether or not where you are is where you want to be.
Tom Temin: Yes, because you could put something in training or something in a service chiefs responsibilities, but if you still get 10,000 people a day clicking on a phishing email, then you haven’t really done much?
Joe Kirschbaum: Absolutely. That’s absolutely right.
Tom Temin: Joe Kirschbaum is director of Defense Capabilities and Management Issues at the Government Accountability Office. Thanks so much.