
Gaps found in Pentagon guidance on Internet of Things devices, overall cybersecurity

Key Points
  • A Government Accountability Office report released Tuesday concludes the Pentagon's cybersecurity efforts "can be strengthened."
  • The GAO report found the Department of Defense prematurely "closed a task that, among other things, would require completing cyber risk assessments on 136 weapon systems."
  • A separate report by the independent U.S. agency looked at DoD's guidance on Internet-enabled devices such as smart TVs and digital wearables and found there were policy gaps that needed to be fixed to reduce security risks.

A government agency has found there are gaps in the Department of Defense's policies on new Internet-capable devices such as smart TVs and also suggests cybersecurity efforts "can be strengthened."

"Unless DoD improves the monitoring of its key cyber strategies, it is unknown when DoD will achieve cybersecurity compliance," the Government Accountability Office said in a report released Tuesday.

According to the report, "DoD faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department's reliance upon computer networks."

The GAO said that although "only a small fraction of these attempts are successful," any time such a breach occurs there is "the potential to provide adversaries with the ability to collect valuable intelligence about capabilities and operations, degrade networks, and manipulate information that commanders need to make timely and critical decisions."

The GAO, an independent nonpartisan agency, also issued a separate report that looked at the Pentagon's assessments of the security risks of so-called Internet of Things (or IoT) devices, from Internet-capable wearable devices and smartphones to smart TVs and machinery. The agency said that while the DoD has started to look at the security risks of such electronic devices, it needed to do more to close policy gaps to reduce potential security risks.

As for the Pentagon's implementation of cybersecurity guidance, from cloud computing to cyber strategy and its broader security campaign, the GAO said progress had varied over time. In some cases, it said, the process for monitoring implementation of those programs "resulted in the closure of tasks before they were fully implemented."

For example, the GAO pointed out that the Pentagon prematurely "closed a task that, among other things, would require completing cyber risk assessments on 136 weapon systems."

Also, the GAO report found the department had closed a task requiring it to assess cybersecurity for both current and future weapon systems. The DoD's previous strategy required the department "to assess and initiate cybersecurity improvements for existing weapon systems" as well as to "mandate cybersecurity requirements for future weapon systems."

That said, the GAO indicated that the DoD believes it is "on track" for the completion of the cyber-risk assessments by Dec. 31, 2019, but added that as of May of this year "the task was not complete."

The GAO said one "significant compromise" years ago was traced to a DoD-owned laptop in the Middle East and an infected flash drive. It resulted in the spread of a "malicious code" throughout the classified and unclassified networks of the department.

"Addressing the gaps in DoD's plans and timeframes for completing the remaining action will help DoD find and fix any root causes of cybersecurity breaches," the GAO said. "Failure to implement this objective makes DoD vulnerable to cyber threats that may negatively affect mission readiness and could hinder mission accomplishment."

Meantime, last week's GAO report on the DoD's guidance on Internet-capable devices and cybersecurity found that the existing policies and guidance that the department has issued "do not clearly address some security risk relating to IoT devices."

Specifically, the GAO said the current policies and guidance are lacking as they relate to "certain DoD-acquired IoT devices, such as smart televisions in unsecure areas, and IoT device applications."

Furthermore, the GAO said, "DoD policies and guidance on cybersecurity, operations security, information security, and physical security do not address IoT devices. Updates to DoD policies and guidance would likely enhance the safeguarding and securing of DoD information from IoT devices."