A new report from the U.S. Government Accountability Office (GAO) pointed to several weaknesses in the Department of Defense’s (DoD) processes for reporting and managing cyber incidents. Overall, the GAO report said that the DoD had experienced over 12,000 cyber incidents since 2015.
While reported cyber incidents have dropped from 3,880 in 2015 to 948 in 2021, the GAO report shed light on several key gaps in how the DoD manages the reporting of these incidents. The incident reports submitted through the DoD's programs often contained incomplete data, for instance, and the DoD did not always demonstrate that the appropriate authorities had been notified of various incidents. The DoD had also established two processes for managing cyber incidents, including one for all incidents and the other for critical incidents - but the GAO report said that the DoD had not yet fully implemented either program.
“The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons,” according to the GAO report, which was released this week. “Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture.”
The DoD has various policies and guidance related to reporting cyber incidents. Cybersecurity service providers (CSSPs), which are a set of 24 DoD organizations that provide cybersecurity services to various DoD agencies, must report incidents via the DoD’s joint incident management system. Cyber incidents that impact the defense industrial base must be reported via the DoD’s Cyber Crime Center. Finally, the DoD has a set of criteria (in conjunction with the Office of Management and Budget and National Institute of Standards and Technology) for reporting data breaches that impact personal identifiable information.
Incident reporting is especially critical for the DoD’s defense industrial base sector, which is classified as critical infrastructure and houses sensitive data like the research, development and production behind the DoD’s military weapons systems. Earlier this year, multiple U.S. government agencies warned that a defense industrial base organization had been compromised by multiple advanced persistent threat groups, showing that sophisticated actors are targeting this sector.
The GAO in its report said that defense industrial base companies - which submitted over 1,500 mandatory incident reports between 2015 and 2921 - did not always submit reports with complete information or in a timely manner. For instance, 20 percent of incident reports in this sector had an unclear or no response about whether DoD programs, platforms or systems were involved in the incidents, while more than half of the reports indicated that an incident outcome (a successful compromise of the system versus failed attempt) was unknown.
“The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons.”
The DoD has also not decided if defense industrial base incidents that have been detected by CSSPs should be reported to all relevant stakeholders.
“DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners,” according to the GAO report. “Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.”
Overall, various details about who gets notified about what, and how, have yet to be fleshed out by the DoD, according to the report. For instance, while processes are in place for notifying individuals if their personal identifiable information has been breached, the DoD has not consistently documented the notifications of impacted individuals, with some affected parties even being notified verbally.
Cyber incident reporting has been top of mind for several various organizations, particularly after the Cyber Incident Reporting for Critical Infrastructure Act was signed into law in March 2022, bringing with it a renewed focus not just on reporting requirements for critical infrastructure sectors with built-in liability protections, but also an overall effort by the governments to better improve and standardize federal incident reporting. Increased incident reporting could help authorities both understand the security weaknesses of agencies and support those affected by cyberattacks, but also better understand the cybercrime landscape overall.
The GAO recommended that the DoD assign a designated role responsible for overseeing cyber incident reporting and that the agency develop guidance with detailed procedures for identifying, reporting and notifying leadership of critical cyber incidents. For defense industrial base companies, the DoD was urged to consider measures for more timely incident reporting. The DoD concurred with all of the GAO’s recommendations.
“The lack of accountable organization to ensure complete incident reporting and proper notification of leadership and the lack of an incident management system that is aligned with policy requirements are concerning because leaders throughout DOD need to have a complete and accurate picture of the department’s cybersecurity posture,” according to the GAO report.