DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared
Fast Facts
Cyber attacks threaten national security—but hackers continue to target DOD as well as private companies and others involved in the nation's military operations.
DOD has taken steps to combat these attacks and has reduced the number of cyber incidents in recent years. But we found that DOD:
- Hasn't fully implemented its processes for managing cyber incidents
- Doesn't have complete data on cyber incidents that staff report
- Doesn't document whether it notifies individuals whose personal data is compromised in a cyber incident
Our recommendations address these issues.
Ensuring the cybersecurity of the nation is on our High Risk list.
Highlights
What GAO Found
The Department of Defense (DOD) and our nation's defense industrial base (DIB)—which includes entities outside the federal government that provide goods or services critical to meeting U.S. military requirements—are dependent on information systems to carry out their operations. These systems continue to be the target of cyber attacks, as DOD has experienced over 12,000 cyber incidents since 2015 (see figure).To combat these incidents, DOD has established two processes for managing cyber incidents—one for all incidents and one for critical incidents. However, DOD has not fully implemented either of these processes.
Cyber Incidents Reported by Department of Defense's Cyber Security Service Providers from Calendar Years 2015 through 2021
Despite the reduction in the number of incidents due to DOD efforts, weaknesses in reporting these incidents remain. For example, DOD's system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents. The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department's cybersecurity posture.
In addition, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials. DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners. Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.
DOD has established a process for determining whether to notify individuals of a breach of their personally identifiable information (PII). This process includes conducting a risk assessment that considers three factors—the nature and sensitivity of the PII, likelihood of access to and use of the PII, and the type of the breach. However, DOD has not consistently documented the notifications of affected individuals, because officials said notifications are often made verbally or by email and no record is retained. Without documenting the notification, DOD cannot verify that people were informed about the breach.
Why GAO Did This Study
DOD and DIB information technology systems continue to be susceptible to cyber incidents as cybersecurity threats have evolved and become more sophisticated. Federal laws and DOD guidance emphasize the importance of properly reporting and sharing cyber incident information, as both are vital to identifying system weaknesses and improving the security of the systems.
House Report 116-442 included a provision for GAO to review DOD's cyber incident management. This report examines the extent to which DOD established and implemented a process to (1) report and notify leadership of cyber incidents, (2) report and share information about cyber incidents affecting the DIB, and (3) notify affected individuals of a PII breach.
To conduct this work, GAO reviewed relevant guidance, analyzed samples of cyber incident artifacts and cyber incident reports submitted by the DIB and privacy data breaches reported by DOD, and surveyed 24 DOD cyber security service providers. In addition, GAO interviewed officials from DOD and cyber security service providers and convened two discussion groups with DIB companies.
Recommendations
GAO is making six recommendations, including that DOD assign responsibility for ensuring proper incident reporting, improve the sharing of DIB-related cyber incident information, and document when affected individuals are notified of a PII breach. DOD concurred with the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN assign responsibility for overseeing cyber incident reporting and leadership notification, and ensuring policy compliance. (Recommendation 1) |
DOD concurred with the recommendation. On August 9, 2023, DOD CIO issued DOD Instruction 8530.CE "Cyber Incident Response" which clarifies policy, responsibilities, and procedures for the DoD cyber incident response. However, the new instruction does not meet all the deficiencies we identified in our report. We will continue to monitor DOD's efforts.
|
| Department of Defense | The Secretary of Defense should ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN align policy and system requirements to enable DOD to have enterprise-wide visibility of cyber incident reporting to support tactical, strategic, and military strategies for response. (Recommendation 2) |
DOD concurred with the recommendation. On August 9, 2023, the DOD CIO issued DOD Instruction 8530.CE "Cyber Incident Response" which clarifies policy, responsibilities, and procedures for the DoD cyber incident response. DOD is developing a larger Unified Platform with planned applications to be developed to increase collaboration. Deliberate efforts are being made to perform automated reporting into JIMS, to meet CJCSM 6510.0lB policy/guidance, while also providing timely enterprise-wide visibility of cyber incidents/events. DOD's estimated completion date is 12/31/24. We will continue to monitor DOD's efforts.
|
| Department of Defense | The Secretary of Defense should ensure that the DOD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN include in new guidance on incident reporting include detailed procedures for identifying, reporting, and notifying leadership of critical cyber incidents. (Recommendation 3) |
DOD concurred with the recommendation. On August 9, 2023, DOD CIO issued DOD Instruction 8530.CE "Cyber Incident Response" which clarifies policy, responsibilities, and procedures for the DOD cyber incident response. USCYBERCOM plans to update its instruction/Manual to supplement CJCSM 6510.01B by providing operational guidance for cyberspace incident reporting of activities on the DOD IN and assist with reforming enterprise-wide strategies, and processes for reporting cyber incidents and events (e.g., summaries, major cyber incidents, trends, enterprise-wide issues). Estimated completion date for the manual is 12/31/24. As of May 2024, this recommendation continues to remain open. We will provide an update when we determine what actions DOD has taken to address this recommendation.
|
| Department of Defense | The Secretary of Defense should ensure that the Commander of CYBERCOM—in coordination with DOD CIO and Directors of DC3 and DCSA—examines whether information on DIB-related cyber incidents handled by CSSPs is relevant to the missions of other DOD components, including DC3 and DCSA, and identifies when and with whom such information should be shared. (Recommendation 4) |
DOD concurred with the recommendation. As of May 2024, this recommendation continues to remain open. We will provide an update when we determine what actions DOD has taken to address this recommendation.
|
| Department of Defense | The Secretary of Defense should ensure that the DOD CIO determines what actions need to be taken to encourage more complete and timely mandatory cyber incident reporting from DIB companies. (Recommendation 5) |
DOD concurred with the recommendation. As of May 2024, this recommendation continues to remain open. We will provide an update when we determine what actions DOD has taken to address this recommendation.
|
| Department of Defense | The Secretary of Defense should ensure—through the Director of the Privacy, Civil Liberties, and Freedom of Information Directorate—that DOD components document instances where individuals affected by a privacy data breach were notified. (Recommendation 6) |
DOD concurred with the recommendation. As of May 2024, this recommendation continues to remain open. We will provide an update when we determine what actions DOD has taken to address this recommendation.
|