The Defense Department has lists of ways to prevent cyberattacks, but doesn't know how well they're being followed or who's in charge of putting them into practice, according to a report from the Government Accountability Office.
The DoD has three initiatives underway on "cyber hygiene," or limiting cybersecurity risks, but "these efforts are incomplete or their status is unknown because no one is in charge of reporting on progress," the GAO said.
The DoD also maintains lists of the types of cyberattacks most commonly used and methods to counter them, but "the department does not know the extent to which these practices have been implemented," according to the report.
In addition, the DoD did not know the extent to which users of its networks have completed the mandatory Cyber Awareness training or whether those who have not completed the training have had their network access revoked.
The report notes that the DoD has become increasingly reliant on information technology systems and networks to manage logistics, budgeting and military operations, adding that the increasing reliance comes with increased risks.
"The risks to IT systems supporting DOD are increasing as cybersecurity threats continue to evolve and become more sophisticated," the GAO said.
"China presents a growing attack threat to our core military systems and Russia is staging cyberattack assets to allow it to disrupt or damage U.S. military infrastructure," according to intelligence reports cited in the report. "Compounding these threats, IT systems are often riddled with cybersecurity vulnerabilities -- both known and unknown."
The GAO report was issued Monday afternoon, hours after a Pentagon news conference at which DoD officials gave an upbeat account of efforts to prevent "spear phishing," or cyber cons aimed at getting usernames and passwords, as the department manages a huge increase in telework during the novel coronavirus pandemic.
Dana Deasy, DoD's chief information officer, said one factor in keeping the workforce cyber secure in telework "is the fact that we don't publish where we get the attack vectors from because that would just give insight to the adversary to know how to vector and pivot and change their tactics and techniques."
Deasy also signed off on the department's response to the GAO report, which made seven recommendations to improve cybersecurity. The DoD concurred with one recommendation, partially concurred with four, and did not concur with two.
It did not concur with the recommendation to have the deputy secretary of defense name a component in the DoD to oversee various tasks within the existing Cybersecurity Discipline Implementation Plan and report on progress in implementing them.
The DoD said the recommendation failed to take into account that "the cyber landscape is constantly evolving to changes in technology, threats and vulnerabilities."
The CDIP was approved in 2015 and it makes little sense to "monitor compliance with lower-risk areas that DoD identified nearly five years ago," it added.
The second GAO recommendation that the DoD did not concur with -- and its reasons for not concurring -- were blacked out for security reasons.
-- Richard Sisk can be reached at Richard.Sisk@Military.com.