Even the U.S. Department of Defense – with its $590 billion budget – struggles with cyber security.
A new summary report from the DoD Inspector General covers 24 reports on cyber security problems in the U.S. military. It highlights specific examples of security policies ignored and network systems unmanaged.
The 24 reports were issued between July 2017 and June 2018 and are a mix of classified and unclassified material. Where possible, we linked to the original report in each example.
The most interesting cyber security lapses from the summary report are described below. They demonstrate that security is a struggle in every organization – no matter the size.
Missile Data on Unscanned Workstations
Several contractors working with the Missile Defense Agency (MDA) did not perform vulnerability scans on workstations that contained classified, technical material about missile defense systems.
In short, the contractors believed that they did not have to scan the workstations because they did not connect to the corporate network or the Internet, according to the summary of a March 2018 report.
While isolating workstations may lower their risk of compromise, the risk is not eliminated. The machines remained exposed to employees and others via physical access, and – given the information they stored – should have been secured.
Take note: when it comes to cyber security, don’t be lazy. Critical data should never be stored on systems that are not maintained, scanned, and secured.
Weapons with Duct-Tape Security
Unfortunately, cyber security is often an afterthought. Rather than incorporating it into projects at the outset, it’s tacked on at the end.
The result is a duct-taped patchwork of systems and policies. Hospitals have been struggling with this problem for years, trying to secure systems that were never meant to be secure.
Apparently, the Air Force has the same problem, even with weapon systems.
Various Air Force officials “did not ensure that cybersecurity was integrated into weapon systems during design,” according to the summary of a report from Dec. 2017.
“Instead, weapon systems’ cybersecurity was addressed through a set of activities and products that were not fully integrated, creating overlaps and gaps in the program cybersecurity.”
Take note: cyber security should be a factor in almost any decision relating to technology from the outset. The days of open systems and default passwords are over (we hope).
NIST Framework: Only a Suggestion
The National Institute of Standards and Technology (NIST) sets a variety of U.S. national standards. Among them are the standards for securing data in federal computer systems.
Last year, NIST published the Framework for Improving Critical Infrastructure Cybersecurity version 1.1, a set of guidelines for organizations within the U.S. critical infrastructure to manage and reduce cyber security risk.
The framework was created in response to a 2013 Presidential Executive Order and its use is voluntary.
However, no one knows how many organizations considered “critical infrastructure” are following the framework, according to the summary of a Feb. 2018 report.
“The DoD officials under review stated that they did not have a mechanism to assess overall use of the framework because its use by the Defense Industrial Base is voluntary,” according to the report.
Take note: a security policy is only useful if it’s followed. If you cannot require and verify compliance with a policy, then it is merely a suggestion.
Staff Who Are Too Smart for Policy
Civilian healthcare organizations have struggled with HIPAA – the set of requirements for protecting patient health data – for years. Apparently, some corners of the military struggle with it, too.
Officials from the Army and Defense Health Agency (DHA) failed to “comply with DoD password complexity requirements” for several systems because “system administrators considered existing network authentication requirements sufficient to control access,” according to the summary of a July 2017 report.
Two hospitals and an “ambulatory care center” also failed to “develop standard operating procedures to manage system access because they did not consider documented procedures necessary.”
Take note: security policies exist for a reason. When a policy is routinely ignored, do not be afraid to act, whether by collaborating with stakeholders to craft a more workable solution, or with carrots and sticks.
Network Hardware that Doesn’t Exist
The Air Force apparently has an issue with IT asset inventory, according to the summary of an Oct. 2017 report.
Auditors reviewed 15 Air Force installations and found that 8,852 of 8,951 (99%) wireless access points were not properly accounted for in the Air Force’s asset management system.
A statistical sample of the APs (1,094 total) revealed that 26.9% could not be located.
As you can imagine, it’s difficult to secure and budget for network hardware that may or may not exist.
“By not accounting for wireless assets in the Asset Inventory Management system, Air Force financial statements were understated by at least $52.5 million,” according to the summary report.
Air Force personnel also struggled to accurately identify the systems comprising the Air Force Information Network.
Only 285 IT systems were reported for the network, although later audits on a limited set of locations identified closer to 2,400.
Take note: the first of the CIS 20 Critical Security Controls is “inventory and control of hardware assets”. Inventory management is critical to network security, so don’t overlook it.
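The two gaps the audit measured (devices on the air that the books don’t know about, and devices in the books that can’t be found) are exactly what a periodic reconciliation between the asset inventory and what is actually observed on the network surfaces. The following is an added example, not code from the report or the Air Force; the inventory export and the observation records are constructed, and the column layout is an assumption.

```python
# Added example: reconcile an asset-inventory export against devices actually
# observed on the network (e.g. wireless-controller or scan logs).
# All records below are constructed sample data.

# Constructed asset-management export: (asset_tag, mac, recorded_site)
INVENTORY = [
    ("AP-0001", "00:11:22:33:44:01", "Base A"),
    ("AP-0002", "00-11-22-33-44-02", "Base A"),   # different MAC formatting on purpose
    ("AP-0003", "00:11:22:33:44:03", "Base B"),
    ("AP-0004", "00:11:22:33:44:04", "Base B"),   # in the books, never seen on the air
]

# Constructed observations: (mac, observed_site)
OBSERVED = [
    ("00:11:22:33:44:01", "Base A"),
    ("00:11:22:33:44:02", "Base A"),
    ("00:11:22:33:44:03", "Base C"),   # recorded at Base B, actually at Base C
    ("00:11:22:33:44:05", "Base B"),   # on the air, not in inventory
    ("00:11:22:33:44:06", "Base C"),   # on the air, not in inventory
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so formatting differences don't hide matches."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory, observed) -> dict:
    """Compare the books against the network and return the three kinds of discrepancy."""
    inv = {normalize_mac(mac): (tag, site) for tag, mac, site in inventory}
    seen = {normalize_mac(mac): site for mac, site in observed}

    unaccounted = sorted(seen.keys() - inv.keys())                        # deployed, not in inventory
    not_located = sorted(inv[m][0] for m in inv.keys() - seen.keys())     # in inventory, not found
    site_mismatch = sorted(                                               # found, but in the wrong place
        (inv[m][0], inv[m][1], seen[m]) for m in inv.keys() & seen.keys() if inv[m][1] != seen[m]
    )
    return {
        "unaccounted": unaccounted,
        "not_located": not_located,
        "site_mismatch": site_mismatch,
        "pct_unaccounted": round(100 * len(unaccounted) / len(seen), 1) if seen else 0.0,
        "pct_not_located": round(100 * len(not_located) / len(inv), 1) if inv else 0.0,
    }


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, OBSERVED).items():
        print(f"{key}: {value}")
```

Run on a real export and a real controller log, the “unaccounted” list is the devices nobody is patching or budgeting for, and the “not_located” list is the candidate write-offs.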
IT Staff Who Don’t Exist
Training IT staff is critical to ensuring they remain up-to-date on security policies and best practices. But to train personnel, you must first know they exist.
Defense Contract Management Agency (DCMA) may not be sure of how many people comprise its “cyber workforce”, according to the summary of a July 2017 report.
The program used to track cyber personnel in the agency contained only 212 people, although other data sources revealed 496. That’s only 42.7% coverage.
“This lack of visibility created issues with ensuring cyber workers received proper resources and training to obtain required certifications,” according to the summary report.
Take note: a training program must account for the trainee’s role and responsibilities to be relevant. It also must account for the number of trainees to estimate an accurate budget. If you are aware of fewer than half of the workforce you must train, the training will likely fall short and your security will suffer.