From the U.S. Government Accountability Office, www.gao.gov

Transcript for: DOD's Cyber Hygiene

Description: Cyber hygiene includes practices used to protect against some of the most common cybersecurity threats. Joe Kirschbaum is on the Watchdog Report to talk about how the Department of Defense handles cyber hygiene.

Related GAO Work: GAO-20-241, Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene

Released: April 2020

[ Background Music ]

[Joe Kirschbaum:] Culture, process, training, individual and collective vigilance is where the key to success lies.

[ Music ]

[Matt Oldham:] Welcome to GAO's Watchdog Report, your source for news and information from the US Government Accountability Office. I'm Matt Oldham.

[ Music ]

[Matt Oldham:] Cybersecurity experts estimate basic cyber hygiene and sharing best practices could thwart 90% of cyber attacks. On the other hand, the Department of Defense has not fully implemented three of its key initiatives aimed at improving cyber hygiene. Joe Kirschbaum is a Defense Capabilities and Management director, and he's here to talk with me about a GAO report evaluating DOD's cyber hygiene efforts. Thanks for joining me, Joe.

[Joe Kirschbaum:] My pleasure.

[Matt Oldham:] So, first off, what is cyber hygiene? Is it different from cybersecurity?

[Joe Kirschbaum:] It's heavily related. So, the first thing we found when we were asked to do this work, and by the way, the term has been used by Department of Defense officials with the Congress before, improving "cyber hygiene." So, that's where it came from when we were directed to do the work. We found, as you probably will not be surprised, there is no definition of what cyber hygiene is. Now, we've looked outside the Department of Defense and found, for example, that Carnegie Mellon University has that concept kind of under review. And they define it as a set of practices for managing the most common and pervasive cybersecurity risks. So, in shorthand, we view this as a culture over technology issue. So, the other way to look at this is by analogy. We are asked to take precautions to prevent against the spread of viruses.

[Matt Oldham:] Sure.

[Joe Kirschbaum:] The flu, for example, the common cold and other viruses. You wash hands, you do things like that, those are very distinct practices. The culture of remembering to do those things, making sure your family is doing those things, that's the hygiene portion, maintaining that hygiene.

[Matt Oldham:] How important is it for DOD's cybersecurity mission, this cyber hygiene?

[Joe Kirschbaum:] In short, it is vital. And the reason is because, the most mundane to the most critical defense systems, missions, and practices are reliant, as never before, on information technology, on devices that transmit across the internet, cyber devices. They're embedded everywhere in the Department of Defense, it kind of runs everything. And we've reported before on the vulnerabilities of many of those things. So, what happens is, you get breaches that can be an inconvenience, they can be annoying. They could also compromise important personal information, national security information, or they could end up causing harm to actual military readiness and operations. So, being able to protect those systems at a basic level is absolutely vital across the board. From those very basic, common cybersecurity techniques and tasks, to the most important department-wide efforts.

[Matt Oldham:] So, is the Department of Defense where they need to be on this?

[Joe Kirschbaum:] No, they're not. However, it would also be fair to say, this is one of those things that's more a journey than a destination. And I want to give the, to be fair to the Department, they are taking a great deal of action related to cybersecurity across the board and cyber hygiene in general. They do analyses of critical attacks against the Department, and they understand where those are coming from. What we tracked in particular were efforts the Department has made to look at cyber hygiene across the board. Those, and you mentioned three particular efforts. We looked at these three major efforts over time, and what we saw was some gaps in implementation. Not sure who's implementing them at what rate? Or there were areas of implementation-planning that had not been under the purview of the Chief Information Office that usually attracts these things. So, there's kind of a lack of understanding about where the Department is in some of these things. And then also, some other gaps we found in consistent monitoring of those actions the Department has definitely taken to counteract some of the prime attack vectors and threats to security.

[ Music ]

[Matt Oldham:] So, it sounds like DOD has a pretty good idea of how hackers could attack their systems. And they've come up with practices to protect those systems, but there are still some unknowns about the extent to which implementation of some of those cyber hygiene practices is happening department-wide.

[ Music ]

[Matt Oldham:] So, Joe, how does the DOD improve things?

[Joe Kirschbaum:] There's really two ways. I mean, we have specific recommendations that, in the report, that deal with all of these issues whether it's better tracking of their implementation-planning that are informing leadership. I kind of boil those down to two general areas. One is, looking at cyber-related issues from a department level, so that there's an appreciation where those risks need to be taken, even if it's -- if it's minor issues that can be dealt with at lower echelons. And then, the other one is that cultural aspect -- convincing the Department, its leaders, to every employee, of the value and of the culture of doing cyber hygiene. How important it is, because as you mentioned, what we find is a great percentage of the time major cybersecurity vulnerabilities come from within -- the unwitting, the people not following the right hygiene practices.

[Matt Oldham:] And so, what's the bottom line of this report?

[Joe Kirschbaum:] The bottom line of the report is that, cybersecurity and cyber hygiene, they have major technical and technological issues, right? It's always, cyber's always going to be technical, I mean, hard to understand for a lot of people, but culture, process, training, individual and collective vigilance is where the key to success lies.

[Matt Oldham:] Joe Kirschbaum was talking about a GAO report looking at DOD's cyber hygiene efforts. Thank you for your time, Joe.

[Joe Kirschbaum:] Thank you.

[Matt Oldham:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. For more from the Congressional Watchdog, the US Government Accountability Office, visit us at gao.gov.

[ Music ]