DOD Must Better Monitor Its Implementation of Cybersecurity Strategies

The Pentagon, headquarters for the U.S. Department of Defense. Photo: DOD.

The Government Accountability Office (GAO) has recommended the U.S. Department of Defense (DOD) finalize its decision on whether to end the dual-hat leadership agreement between the National Security Agency (NSA) and Cyber Command, according to a report released this month.

In 2010, then President Barak Obama designated the director of the NSA to simultaneously lead Cyber Command. While the GAO noted that the leadership arrangement does improve coordination between the two agencies, it highlighted that the arrangement has resulted in increased potential for NSA/Cyber Command operations and tools to be exposed. GAO stated that too broad a span of control could also potentially limit effective leadership.

The recommendation is just one, outlined in the GAO report, which aims to improve the resiliency of DOD’s cybersecurity measures. According to GAO, DOD must improve how it monitors the implementation of cybersecurity strategies, as the agency has closed tasks before they were fully implemented.

Additionally, GAO recommends DOD implement a timeframe for the objectives laid out in the DOD Cybersecurity Campaign to ensure a level of accountability as the agency transitions to commander-driven operational risk assessments for cybersecurity readiness.

DOD suffered a significant network compromise in 2008 due to a malicious computer code. According to GAO, the code spread throughout DOD’s unclassified and classified networks and enabled data to be transferred to servers under foreign control. Since then, DOD has worked to improve its resiliency against evolving cyber threats, including establishing Cyber Command in 2009.