DOD could improve how it monitors cyber strategies implementation progress, GAO says

The U.S. Department of Defense’s (DOD) progress in implementing cybersecurity strategies could be strengthened, according to a recent report published by the U.S. Government Accountability Office (GAO).

In recent years, the DOD has acknowledged that malicious cyber intrusions of its networks have aversely affected its information technology (IT) systems and that its adversaries have been becoming more capable over time.

To address this fact, the Obama Administration re-designated the director of the National Security Agency (NSA) as commander of the U.S. Cyber Command (CYBERCOM) in 2010, thereby making the position carry dual responsibilities.

GAO was tasked by the U.S. House of Representatives in two different reports to assess the DOD’s management of its cybersecurity enterprise, specifically examining department officials’ perspectives on the positives and negatives of the dual role for the NSA and CYBERCOM leader and the extent to which the department had implemented strategic cybersecurity guidance.

The report found a number of advantages for the dual-hat role including improved coordination and collaboration for the NSA and CYBERCOM, a faster decision-making process, and an efficient use of resources.

However, there were a number of potential disadvantages that were found as well. One issue raised by GAO centered on CYBERCOM priorities and the possibility that they may receive preference over other commands’ priorities with respect to NSA and Central Security Service (CSS) support.

Additional concerns were raised over the increased potential for NSA/CSS operations being exposed and that the broad span over the role’s responsibilities could potentially limit effective leadership.

GAO also found that DOD’s progress in implementing cybersecurity guidance—specifically regarding the DOD Cloud Computing Strategy, the DOD Cyber Strategy, and the DOD Cybersecurity Campaign—has varied.

While the DOD made progress in implementing its cyber strategy, the report found that the department’s process for monitoring its implementation has resulted in the closure of tasks before they were fully implemented. GAO cited an example of a closed DOD task that, among other things, would require completing cyber risk assessments on 136 weapons systems.

Further, GAO found that DOD lacked a time frame and process for monitoring the implementation of its cybersecurity campaign objective to transition to commander-driven operational risk assessments for cybersecurity readiness.

To address some of the issues raised in the report, GAO recommended that DOD modify its criteria for closing tasks from its cyber strategy and establish a time frame for implementing an objective of its cybersecurity campaign to transition to commander-driven operational risk assessments for cybersecurity readiness.