The federal government’s failure to follow recommended cybersecurity oversight practices has created a national security threat and may harm agencies, including the Department of Defense, according to a biannual report from the Government Accountability Office on high-risk behaviors.
The watchdog agency noted in a March 6 report that of the GAO’s 35 “priority” recommendations to improve cybersecurity oversight, 26 have “not been fully implemented.”
Among the issues that need to be addressed are a shortage of skilled workers, the need for clearly defined roles and responsibilities for key agencies and officials, and the need for an audit of the National Cybersecurity and Communications Integration Center, a hub for cyber expertise, to measure its effectiveness.
While the Defense Department is not mentioned specifically in the report, Joseph W. Kirschbaum, GAO’s director of defense capabilities and management, said the Pentagon treats cyber as its own entity but leaders must incorporate digital security into overall responsibilities.
“It is not just a technical cyber matter; it’s a matter of those things that cut across doctrinal bounds, that cut across culture,” Kirschbaum said.
One of the major obstacles for DoD innovation is the need to establish timelines for weapons development, said Michael Sullivan, director of acquisition and sourcing issues at GAO.
“They take on very risky requirements for these weapon systems — probably start them too soon before they have mature technologies and try to build them while they’re still designing them,” Sullivan said.
When it comes to supply-chain concerns, such vulnerabilities may create problems in using new technologies in military contracts. “Software development is very, very risky the way they do it,” he said. “They try to do it very quickly.”
Instead, GAO suggested the Defense Department share information across disciplines with cyber and physical security, such as the people who handle weapons, soldiers on the ground and those involved in deployment operations, and “making sure they’re talking to each other,” Kirschbaum said.
“What they’re trying to do is bridge the gap between making sure that those businesses, especially those that are trying to contract with DoD, can have access to those expertise,” Kirschbaum said.
The GAO has warned about the DoD’s lack of skilled cybersecurity workers several times. In a report, the agency wrote that DoD “had not fully addressed cybersecurity workforce management requirements” set forth in the Federal Cybersecurity Workforce Assessment Act.
In August 2018, GAO reported DoD “had only partially addressed roles and responsibilities associated with its information technology (IT) workforce, such as (1) annually assessing the extent to which DoD personnel meet IT management knowledge and skill requirements, and (2) developing strategies for hiring and training to rectify any knowledge and skill deficiencies.”
But another GAO report released March 6 explains a June 2018 agreement between U.S. Cyber Command and U.S. Strategic Command for new cyber military training, which is scheduled to be fully operational by Sept. 30, 2024.
“We assessed Cyber Mission Force training because the House Armed Services Committee, in particular, has been concerned about the DoD’s organization, development, and readiness of defense cyber forces,” Kirschbaum said.
This training includes four phases and the first step is similar to “initial training performed by the military services that is delivered to any new recruit so that he or she may be assigned a military specialty.” The added positions will be intelligence analysts, linguists, and cyber operators and specialists.
“What it is absolutely not is a situation where, ‘Oh it’s a cyber issue, the cyber guys will take care of it,’” Kirschbaum said. “That’s not the way it works anymore.”