Cybersecurity holes lurk everywhere. As the Defense Department hurries to get its chain of suppliers to tighten up, it has a major unlocked backdoor of its own — namely, the inventory management systems operated by the Defense Logistics Agency. It’s made some progress, but there’s still a ways to go. Federal Drive with Tom Temin got the latest from the director of information technology and cybersecurity issues at the Government Accountability Office, Vijay D’Souza.
Tom Temin: Vijay, good to have you back.
Vijay D’Souza: Thanks, it’s great to be here.
Tom Temin: And you have been watching these inventory management systems at DLA for some years now. And I was surprised to find out how many they have of systems that maintain inventory. Tell us the scope of the issue here to begin with.
Vijay D’Souza: Sure. So DLA is obviously in many ways the backbone of DoD. DLA makes sure the right materials, fuel, spare parts get to the right place at the right time for both warfighters and civilian to the employees. There have been some ongoing concerns both from GAO and within DoD, and other organizations about the cybersecurity of DLA systems. So what we did for this review that recently came out is we selected six key systems that do inventory management, ideally covering things such as fuel supplies, and routing of materials and payments as invoices and we looked at how well DLA had implemented DoD’s risk management framework for the system. So this wasn’t a detailed deep dive technical review, was more of a holistic approach to how DLA overall was implementing the DoD risk management framework.
Tom Temin: And how well were they implementing that framework?
Vijay D’Souza: Well, we definitely identified some issues. So the risk management framework has six steps. And for two of the steps, which are categorizing risks and developing an approach to implementing security controls, we thought that DLA had done a good job of. For the other four areas, we identified some issues. For example, one of the areas is selecting controls. And DLA did select controls, but what we were concerned about is they didn’t have a process in place to monitor some of these controls and some of the risk management controls at the system level. You may have heard kind of a buzzword now about zero trust architecture, the kind of the new thing in cybersecurity. Part of what that means is taking a look at security controls at the system level. So sort of assuming that there may be a bad actor on your network and not just monitoring things overall, but monitoring things system by system. So that was one area there were some issues. And then some of the other areas really related to kind of tracking and documentation. So DLA and DoD in general is relying heavily on a computer system to help it implement this risk management framework in the computer system basically walks people through the steps they need to do to follow all the steps of this risk management framework. What we found is there were some gaps in the data in the system. So DLA was kind of relying on the system to kind of make sure all the T’s were crossed, and I’s are dotted – and there was a lot of times blank and missing information. So one example I’ll give you is for monitoring, which is the last step of the risk management framework. We found that 70% of the remedial actions they had outstanding had exceeded the one year timeframe for addressing them. So that’s pretty important, right. So we had identified 1,600 remedial actions, and over 1,000 of them were past the one year deadline. And then of those 1/3 of those were significant enough that they would have required a waiver from DLA management – and we didn’t find any evidence of those waivers. So pretty significant as far as management oversight goes. That’s just some of the issues that we identified.
Tom Temin: We’re speaking with Vijay D’Souza, Director of Information Technology and Cybersecurity Issues at the GAO. And we should point out DLA handles everything that the military uses, basically, except ordinance and weapons themselves. And what’s the danger here should one of these systems be breached – one of the inventory management systems actually get breached?
Vijay D’Souza: Well, supply chain issue can have a catastrophic impact. I mean, I think the example that’s made it clear to all of us is the Colonial Pipeline incident, right. So one of the things DLA is responsible for is getting fuel out to the battlefield. So if there’s an error in the computer systems that identify how much fuel is needed and where it’s going, you could have equipment that’s unusable at a critical point in time. The same thing is true about spare parts for critical machinery. These computer systems all do sort of the underlying work of making sure things get to the right place. So if the systems are either breached or unavailable, for some reason, they can have real life impact.
Tom Temin: And are the systems in question here at DLA, are they generally posted in their data centers? Are they old legacy type systems or are some of them newer cloud instances? Or what do they look like?
Vijay D’Souza: So this systems we selected for review had generally been reviewed in the last two to three years. So these are, I can’t go into sort of the technical details, but I would say they’re not sort of buying large legacy systems. There’s a reason that they were kind of reauthorized. We were trying to look again at the DLA implementation of this newer risk management framework.
Tom Temin: Okay, and you had a series of recommendations then, fresh ones – or five kind of overarching ones to take care of the 1,600 that are partially acted on.
Vijay D’Souza: Correct. So we made five high level recommendations to DLA to basically give more thought to system specific monitoring, not just rely on overall enterprise monitoring for cybersecurity, and to basically make sure the data in this sort of tracking system that they use is accurate and thorough before approving the systems. And if you need to get a waiver, because you’re not able to remediate something, make sure that waivers actually done. What DLA told us is in the process of implementing this computer system to track all their cybersecurity issues, they had to make some workflow changes. And they acknowledged that there were some deficiencies which they’re trying to remediate. So they generally agreed with the recommendations we made and are taking steps to implement them.
Tom Temin: And so this was a look at the management oversight and the processes for obtaining cybersecurity – do you have any sense of whether the systems themselves are actually secure or not?
Vijay D’Souza: Well, we do look at the technical details. Part of the cybersecurity the risk management framework is DLA doing its own testing, and we looked at the test results that they had as part of the authorization process. And it varied system by system, some of the systems had as few as 10% controls that were non-compliant, some of them had as high as a third. So the situation was mixed. Now DLA would say that they have compensating controls at the enterprise level to head off some of these issues. But as I mentioned, some of these cybersecurity issues really need to be looked at on a system by system level.
Tom Temin: Yeah, especially if you’ve got that zero trust idea. Having something down the line or at the enterprise level may not help you with an individual intrusion at a specific system.
Vijay D’Souza: Exactly.
Tom Temin: Someone could just move around in there. And then by the time you find them, you’re too late. So it stands now that they have accepted those high level recommendations, which is, again, to kind of speed up the detailed recommendations and make sure those are done and documented.
Vijay D’Souza: Right, basically for the big picture we want DLA to be able to leverage the advantages it’s receiving from the automation tool that it’s using for cybersecurity. But it’s got to do that by having manual checks and using people to go behind all the automated tools to make sure the data is thorough and accurate and follows DLA processes.
Tom Temin: And we should point out this look was requested by the chairman and ranking member of the House Armed Services Committee. So there’s high level interest in this.
Vijay D’Souza: Yeah, definitely. And actually, this was also in part written into mandate language from the National Defense Authorization Act as well.
Tom Temin: Alright, so everywhere they look, they’ve got some mandates at DLA. Vijay D’Souza is Director of Information Technology and Cybersecurity Issues at the GAO. As always, thanks so much.
Vijay D’Souza: Thanks for having me.