THE WATCH STAFF
The U.S. Department of Defense is making strides in protecting sensitive computer networks against cyberattacks from foreign adversaries, a federal watchdog agency says. In a May 2022 report, the Government Accounting Office wrote that as of January, the DOD had achieved 70% compliance in implementing four key protections tied to controlled unclassified information (CUI), including data related to possible critical technologies and weapons and defense infrastructure.
“Safeguarding federal computer systems has been a longstanding concern,” the GAO wrote in a May 19, 2022, memo to congressional committees. “Underscoring the importance of this issue, we have included cybersecurity on our high-risk list since 1997.”
Department networks are under constant threat from adversaries Iran, North Korea, the People’s Republic of China and Russia. Adding to concerns, cybersecurity experts have warned that following its invasion of Ukraine, Russia may be planning cyberattacks against U.S. networks.
Although that hasn’t occurred, IT security experts remain vigilant given the Kremlin’s track record of malicious cyber activity to influence events beyond its borders. Notably, the country’s push into Ukraine was preceded by a sustained wave of cyber hacks that crippled government websites and scrambled communications, according to Ukraine’s State Service of Special Communication and Information Protection. Russia denies responsibility.
“To date, thankfully, we have not seen attacks manifest here,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said in an April 28 Military Times article. “But we are very concerned that as the war drags on, there may, in fact, be retaliatory attacks given the very severe sanctions we have imposed on the Kremlin.”
The GAO’s audit offered no formal recommendations or fixes for the DOD to pursue. The Pentagon reported implementing more than 70% of four selected cybersecurity requirements for CUI systems based on the GAO’s analysis of DOD reports, including a June 2021 report to Congress, and data from the DOD’s risk management tools.
These selected requirements include:
- Categorizing the impact of loss of confidentiality, integrity and availability of individual systems as low, moderate or high.
- Implementing security requirements related to the Cybersecurity Maturity Model Certification.
- Implementing specific controls based in part on the level of system impact.
- Authorizing the systems to operate.
The extent of implementation varied in each of the four requirement areas. For example, implementation ranged from 70% to 79% for the Cybersecurity Maturity Model Certification program that the DOD established in 2020, whereas the department was more than 90% compliant in authorizing systems to operate on a DOD network. (Pictured: U.S. Cyber Command Cyber National Mission Force members participate in a training and readiness exercise at Fort George G. Meade in Maryland.)
The GAO review focused on the department’s 2,900 CUI systems and examined relevant CUI cybersecurity requirements and data from DOD information technology tools. The GAO also interviewed DOD officials and analyzed documentation, including relevant cybersecurity policies and guidance on monitoring the implementation of cybersecurity requirements.
IMAGE CREDIT: AIYANA PASCHAL/U.S. CYBER COMMAND