Title: How Does DOD Protect Itself and Contractors from Cyberthreats?

Description: The Department of Defense and its industrial base depend on information technology systems and electronic data to do their work. But these systems are attractive targets for hackers and other U.S. adversaries. So how does the DOD respond to these threats? We find out more from GAO's Jennifer Franks and Joe Kirschbaum.

Related GAO Work: GAO-23-105084, DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared.

Released: November 2022

[Music]

[Jennifer Franks:] DOD still experiences hundreds of incidents annually and cybersecurity threats have become increasingly more sophisticated.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report--your source for news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. The Department of Defense and its industrial base depend on information technology systems and electronic data to do their work. But these systems are attractive targets for hackers and other U.S. adversaries. So how does the DOD respond to these threats? Today, we'll find out more from Jennifer Franks and Joe Kirschbaum, two directors here at GAO, and experts on cybersecurity threats and the federal response to them. Thanks for joining us.

[Jennifer Franks:] Thanks for having me, Holly.

[Joe Kirschbaum:] Thank you, Holly.

[Holly Hobbs:] So, Joe, how big of a problem is this? And can you give us some examples?

[Joe Kirschbaum:] It's a fairly big problem. There is a constant drumbeat of cyberattacks against the Department of Defense's information and other systems. So we found, for example, that there were 12,000 or more cyber incidents since 2015. Now, that number itself is a subset from the number of attempted attacks. A cyber incident is a potential loss or a loss of information due to a successful penetration.
So the specific details of a lot of these incidents are obviously classified, but a few examples will suffice. So in the spring and summer of 2019, for example, hackers breached one of the Department's major networks. And that potentially compromised personal information, including things like Social Security numbers. Another example from 2021 was when Chinese hackers breached five U.S. defense firms' information systems. So these are companies that work with the Department of Defense for a broad range of services and acquisitions. This is what we refer to as the defense industrial base. And those attacks compromised potential passwords. The information that was stored in the computers, including information that sensitive communications for those systems.

[Holly Hobbs:] And Jennifer, what steps has DOD taken to combat these threats to its IT systems?

[Jennifer Franks:] So over the years, DOD has taken a number of steps to better protect its data and its systems. They have established cybersecurity service providers to better protect and respond to and even mitigate their cyberthreats. And the Department has established a coordinating entity that was formed in order to analyze threat trends, and then enable DOD-wide responses to those cyber threats. DOD has even established policies and then guidance governing the management of cyber incidents, which even includes a central repository for then reporting the cyber incidents across the department. And then what's key here is the department has also established processes for then sharing the information across each of their components with their leadership.

[Holly Hobbs:] Joe, what is the DOD doing to help its contractors, the defense industrial base, combat these threats?

[Joe Kirschbaum:] The department has established a couple of agencies and other organizations to help assist the defense industrial base. So one example is the Department of Defense's Cyber Crime Center referred to as DC3.
This is essentially a public-private cybersecurity partnership with the defense industrial base. They perform threat analysis and diagnostics of their systems, and they also offer ways to mitigate threats and remediate them, for strategies to do that and do cybersecurity. They offer best practices, etc. It's a way for the Department of Defense to really assist companies that some of which have no real experience doing this. Another example is the Defense Counterintelligence and Security Agency. They also help provide contractors by providing a platform that does real-time analysis of things like emails that have suspicious attachments, if they're alerted to those, which can help head off a lot of these cyber incidents themselves. Additionally, since 2015, the Department of Defense has required defense industrial base contractors that do suffer a cyber incident to report those incidents to the department so that the department can get an assessment of the potential threat, any affected defense programs, and help take steps to minimize the damage.

[Holly Hobbs:] And also in our work, we found that the number of cyber incidents each year is going down. That's a good thing, right?

[Jennifer Franks:] Yes, it is a good thing. But DOD still experiences hundreds of incidents annually and cybersecurity threats have become increasingly more sophisticated. In our report, we found weaknesses in the steps DOD is taking to address cyber incidents. So, for example, the DOD central repository for reporting all of their incidents often contained incomplete information, and the department could not always demonstrate that they had notified appropriate leadership of relevant, critical incidents. And in addition to this, the Department had not assigned responsibility for ensuring that cyber incidents are properly reported DOD-wide when appropriate.

[Holly Hobbs:] Joe, something people outside of the military might not think about is that the DOD maintains individuals' personal and medical data--not just that for service members, but also their spouses and kids. What happens when this data is breached?

[Joe Kirschbaum:] DOD is required to assess the risk of harm to individuals. So, for example, they're supposed to assess the nature and sensitivity of the personal information, the likelihood of nefarious access to and use of that information. And then the type of the breach, what kind of cyber breach? What we found is that DOD has these processes and they essentially try to follow them, but they haven't done so consistently. So, for example, they haven't consistently documented that those risk assessments have taken place or when they were required to contact affected individuals, whether or not they actually did it. So in some cases we suspect they did so informally. We don't really know whether or not they did or did not in some cases. That's really a gap that it's an inconsistency in terms of a best practice that they need to follow up on.

[Music]

[Holly Hobbs:] So Jennifer and Joe just told us that the Department of Defense has taken steps to protect itself and its contractors (the defense industrial base) from cyberthreats--including better sharing of information when incidents occur. But that these actions and notifications have been inconsistent. So, Jennifer, given these vulnerabilities, what more do we think DOD should be doing?

[Jennifer Franks:] So, DOD needs to assign responsibility for enhancing proper incident reporting. They could improve the sharing of incident information and then better document when affected individuals are notified of breach of personal information.

[Holly Hobbs:] And last question, what's the bottom line of this report? Jennifer, maybe you can kick us off.

[Jennifer Franks:] So the bottom line is, DOD continues to be susceptible to cyber incidents, given the cyberthreats from around the globe have evolved and become more sophisticated. And the department can do more to improve its systems and then its processes for reporting and sharing critical information regarding these cyber incidents.

[Holly Hobbs:] And Joe.

[Joe Kirschbaum:] For the defense industrial base side of it, it's really the same kind of thing we would expect of any major program. You have to have a program. You have to follow the program and assess whether or not the program is doing what you wanted it to do. So in this case, they need to better follow up on the practices they've set in place to identify when personal information is lost or potentially lost, and whether or not they followed up with the right people to warn them that that has happened so that they can take the right actions.

[Holly Hobbs:] That was Jennifer Franks and Joe Kirschbaum talking about DOD's response to cyber threats against itself and the defense industrial base. Thanks for your time.

[Jennifer Franks:] Thank you for having us, Holly.

[Joe Kirschbaum:] Thank you very much, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify, or wherever you listen and make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.