Watchdog finds decrease in cyber incidents on DOD networks, but major increase in PII breaches

Despite a decline in overall cyber incidents on Department of Defense networks since 2015, the number of reported data breaches of personally identifiable information have more than doubled, according to the Government Accountability Office.

In a new report, the GAO found that the DOD has experienced more than 12,000 cyber incidents since 2015. However, those incidents have become less frequent in recent years with 1,331 in 2019, 812 in 2020 and 948 in 2021. By comparison, there were 3,880 such incidents in 2015.

Pentagon officials attribute the decline to an increase in the deployment of defense mechanisms during that time period. However, despite this reduction, the DOD’s reporting of them remains an issue.

“DOD’s system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents,” the GAO found. “The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture.”

One process DOD established but is not fully implementing is a cyber incident management process for all incidents that requires cybersecurity service providers (CSSPs) to report all incidents into a repository called JIMS and notify appropriate leadership, according to the watchdog. Another is an operational reporting process in which CSSPs report critical cyber incidents in the form of a significant activity report that is used to notify commanders at all levels.

The GAO noted that the Pentagon has not clearly assigned an organization responsible for ensuring components and CSSPs follow policy guidance.

“Until DOD assigns responsibility for ensuring complete and updated incident reporting and proper leadership notification, the department will not have assurance that its leadership has an accurate picture of its posture,” the watchdog said. “As a result, the department may miss opportunities to assess threats and weaknesses, gather intelligence, support commanders, and share information. Further, until DOD improves the reporting of cyber incidents, DOD will be limited in its ability to achieve the department’s goals and policy for enabling cyberspace accountability of DOD components and information systems.”

Additionally, differences in reporting requirements in DOD guidance to record cyber incidents has resulted in a lack of complete reporting.

Moreover, the GAO discovered that PII breaches have more than doubled with 928 in 2015, 1,551 in 2019, 1,608 in 2020 and 1,891 in 2021 — for a total of 8,886 since 2015.

The watchdog discovered that the DOD’s notification of affected users in these cases is somewhat unclear. The department could not provide evidence it had always notified affected individuals, noting that components will often notify individuals verbally, by phone or by email with no record of the notification retained.

Notably, the GAO also determined that there is no fully established process for reporting and sharing cyber incident information that affects the defense industrial base.

“DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials. DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners,” the report said. “Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.”

GAO Recommendations

The GAO issued six recommendations, which Pentagon officials concurred with.

The recommendations include:

–The Defense secretary should ensure the chief information officer, commander of U.S. Cyber Command and the commander of Joint Force Headquarters-DOD Information Networks assign responsibility for overseeing cyber incident reporting and policy compliance.

–The Defense secretary, CIO, commander of Cybercom and commander of JFHQ-DODIN should align policy and system requirements to enable an enterprise-wide visibility of cyber incident reporting to support tactical, strategic and military strategies for response.

–The Defense secretary should ensure the CIO, commander of Cybercom and commander of JFHQ-DOIN include in new guidance on incident reporting detailed procedures for identifying and reporting to leadership.

–The Defense secretary should ensure the commander of Cybercom, in coordination with others, examine if information on DIB-related cyber incidents handled by CSSPs is relevant to the missions of other DOD components — and who it should be should be shared with.

–The Defense secretary should ensure the CIO determines what actions need to be taken to encourage more complete and timely mandatory cyber incident reporting from DIB companies.

–The Defense secretary should ensure DOD components document instances where individuals affected by a privacy data breach were notified.