Pentagon falls short on its cyber hygiene goals, GAO says

Millions of Pentagon workers teleworking may be more vulnerable to cyberattack

An aerial photo of the Pentagon and Arlington, Va., from 2018. (U.S. Marine Corps photo)
Posted April 21, 2020 at 6:30am

The Pentagon is falling short on implementing its own promised cybersecurity safeguards, according to a new government watchdog report, even as officials undertake a massive transformation to telework policies for millions of Defense Department employees because of the coronavirus pandemic.

The report, issued by the Government Accountability Office last week, found the Defense Department has not completed tasks associated with a trio of “cyber hygiene” training initiatives dating back to 2015, including some that were supposed to be completed in 2016 and 2018.

“Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack,” the report said.

The incomplete tasks included developing cybersecurity training briefs for Pentagon employees in leadership positions. Officials from U.S. Cyber Command provided the Defense Department with a pair of manuals to be used in leadership training, but those briefings had not been shared as of last October, the GAO report said.

Had the briefs been incorporated into Pentagon leadership training, the report said, Pentagon officials “would have been better positioned to address cybersecurity risks” and “may have learned, among other things, how to understand, assess, and interpret cyber-reportable events and incidents and how they affect military operations.”

The GAO report comes amid the rapid expansion of the Defense Department’s teleworking capabilities, which are being scaled to accommodate 4 million military and civilian teleworkers because of COVID-19. The Pentagon has faced a surge in spear phishing attacks, officials told reporters last week, and cybersecurity experts say defenses are stretched thin with enemies on the prowl.

“Work-from-home is one giant invitation to foreign intelligence agencies,” said James Lewis, who directs the technology policy program at the Center for Strategic and International Studies. “You’re a softer target when you work from home and the Russians and Chinese know that.”

“The problem is that it’s just such a massive organization and it’s hard in the best of times to get a handle on cybersecurity,” Lewis added. “They have millions of devices, people sometimes use their own devices, and now you’ve got people working from home. I’m sympathetic.”

‘Extraordinary’ expansion, increased risk

The scale of the Defense Department’s telework expansion has been nothing short of staggering. Nearly every branch of the military has seen a sharp increase in the number of teleworking employees. The Army has at least 800,000 employees using Defense Department networking systems, said Lt. Gen. Bradford Shwedo, chief information officer of the Joint Chiefs of Staff. The Navy is expected to reach 500,000 remote employees in the coming weeks.

The expansion of telework has coincided with a rapid increase in the number of online accounts used by remote employees. Shwedo said the number of Navy employees with Outlook Web Access increased from 10,000 prior to the spread of coronavirus to 80,000 in a matter of weeks, with the total expected to reach 300,000 users by the end of April.

And following a March 27 rollout, the department has already activated more than 900,000 accounts for its Commercial Virtual Remote Environment tool, which provides employees with communications tools, like video conference and chat, similar to those in Microsoft Teams.

“The speed and magnitude of what the department has implemented in such a short amount of time is truly extraordinary,” Dana Deasy, the Pentagon’s chief information officer, told reporters last week.

Deasy said the Pentagon is prioritizing the importance of cybersecurity as a key aspect of the telework expansion and that the Defense Department workforce is “well-trained on best practices for cybersecurity.” The department recently put out a list of cybersecurity “dos and don’ts” to “augment” each employee’s ability to maintain best practices while working remotely.

But according to the GAO report, the Pentagon lacks a sufficient understanding of how well-trained its employees really are. The department does not know the extent to which several recommendations in its 2015 Cyber Discipline Implementation Plan have been completed because the plan did not assign responsibility for them to a specific office, the report said.

One of the recommendations left unassigned to a specific office was ensuring that commanders and supervisors disable hyperlinks in Outlook email clients on unclassified networks and mobile devices. Hyperlinks are a common vector for phishing attacks: the visible text of a link can claim one destination while the underlying address points to another.
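The lure that the hyperlink recommendation is aimed at is a link whose visible text and real destination disagree. The script below is an added illustration, not part of the GAO report, the Pentagon's guidance or this article. It pulls the links out of a constructed HTML message and flags the patterns a mail gateway would block if links are not disabled outright: display text naming a different domain than the href, an href pointing at a bare IP address, and a non-web scheme. The sample message, the hostnames and the three heuristics are all assumptions made for the demo.

```python
"""Added example: flag email hyperlinks that look like phishing lures.

Not from the GAO report or the article. The message, hostnames and
heuristics below are constructed for illustration only.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (href, text) tuples, in document order
        self._current = None   # [href, text] of the <a> currently open

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _registrable(host):
    """Crude registrable domain: last two labels (enough for the demo)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_from_text(text):
    """If the visible link text looks like a URL or hostname, return its host."""
    text = text.strip()
    if "://" in text:
        return urlparse(text).hostname or ""
    if "." in text and " " not in text:
        return text.split("/")[0]
    return ""


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body):
    """Return (href, text, reason) for each link worth blocking or flagging.

    Heuristics (assumed for this demo, not taken from the report):
      * href scheme is not http/https (javascript:, file:, ...)
      * href host is a raw IP address
      * visible text names a host whose domain differs from the href's domain
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https"):
            findings.append((href, text, "non-web scheme"))
            continue
        if _is_ip(host):
            findings.append((href, text, "raw IP address"))
            continue
        shown = _host_from_text(text)
        if shown and _registrable(shown) != _registrable(host):
            findings.append((href, text, "display text hides real destination"))
    return findings


# Constructed sample message; every hostname is a placeholder.
SAMPLE_EMAIL = """
<html><body>
<p>Your telework account requires action:</p>
<a href="http://portal-example.test.example-phish.test/login">https://portal.example.test/login</a><br>
<a href="http://203.0.113.10/update">Click here</a> to install the update.<br>
<a href="javascript:void(0)">Open attachment</a><br>
<a href="https://intranet.example.test/policy">intranet.example.test/policy</a>
</body></html>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:40s} text={text!r} href={href!r}")
```

The last link in the sample, whose text and href agree, is not flagged; the first three are. The domain comparison is deliberately crude (last two labels), so a production filter would use a public-suffix list instead.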

The Pentagon also does not know how many of its employees have completed the 2018 Cyber Awareness Challenge, which the department requires all network users to undergo annually. Not knowing how widely the department's cybersecurity practices are actually implemented could increase vulnerabilities as the number of remote employees grows.

“It’s a much broader attack surface than was available before,” said Joe Kirschbaum, GAO's director of defense capabilities and management, who wrote the report. “Many more opportunities for attacks to happen.”

Kirschbaum said the Pentagon’s greatest cybersecurity risk is cultural, not technical.

The Defense Department “knows a lot about what types of attacks there are, who is doing the attacking, where they happen and what to do about them,” he said. “Trying to get everybody on board with the right measures to address those cybersecurity attacks — that’s the hard part.”

Gone phishin’

Speaking to reporters last week, Shwedo declined to provide details about the surge in spear phishing attacks that have targeted the Pentagon since the pandemic began. But he said the increase was “not surprising because most spear phishing campaigns tend to exploit current events to produce convincing products.”

Shwedo said that providing information on which Pentagon offices were targeted “would give the bad guys insight on who we're tracking and give them insight into our overwatch.”

The key to keeping the department’s networks secure as the telework expansion transforms it into a target-rich environment is to move quickly to identify and close vulnerabilities, said Jamil N. Jaffer, a senior vice president at the cybersecurity firm IronNet.

“We know that in this environment, adversaries including nation-state actors like Russia, China, Iran and North Korea, as well as major criminal actors, are focused on the fact that companies and government agencies like DOD are going to telework,” Jaffer said.

Asked about the GAO’s concerns, Jaffer expressed confidence in the Pentagon’s ability to secure its most classified systems. “But there are always going to be gaps when it comes to cyber hygiene,” he said. “We have to make sure DOD will take action and move quickly to fix some of these things.”