The Defense Department has a lot of work to do to remedy some years-old cyber issues.
More than 250 cybersecurity vulnerabilities, some more than a decade old, remain unaddressed in the Defense Department’s networks, according to an internal watchdog.
Still, auditors found the agency has made significant strides in locking down its tech infrastructure.
The Defense Department Inspector General found the Pentagon had yet to correct 266 cyber vulnerabilities highlighted in numerous watchdog reports between July 2017 and June 2018. Some of the issues were identified long ago—two dated back to 2008—but the majority were only discovered in the last year, which auditors acknowledge had given the agency little time to fix them.
Most of the vulnerabilities revolved around the agency’s approach to identifying potential gaps in its cyber posture and proactively defending against those threats. Auditors specifically found many shortcomings related to cyber governance, or the policies and practices that help officials monitor risk.
“Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems,” the IG wrote in the annual report on the Pentagon’s cyber posture.
In the redacted report, auditors detailed a myriad of issues that had gone unaddressed over the previous year.
The department, for instance, has not yet taken steps to comply with the cybersecurity framework developed by the National Institute of Standards and Technology. The Defense Contract Management Agency failed to ensure cyber specialists were properly trained and received necessary certifications, and the Defense Health Agency and Army also failed to consistently secure systems that house electronic health data.
The Air Force also couldn’t account for the various digital devices connected to its networks, and branch leaders failed to guarantee cybersecurity was built into the design of various weapons systems.
Auditors also reiterated the need to put in place more controls to limit user access and monitor activity across Pentagon networks. The IG on Tuesday published a separate report detailing how inadequate controls left billions of dollars in annual payments potentially vulnerable to bad actors.
“Without adequate controls ... the [department] cannot ensure that all of its systems, devices, personnel, and vulnerabilities are identified and manages,” auditors wrote.