Security gaps persist in DOD nets

Despite countless warnings dating to 1996, the Defense Department's information networks continue to be plagued by serious security flaws and weaknesses that have opened up almost every area of the department to cyberattacks and fraud, according to a new General Accounting Office report.

Released last week, GAO's report, "DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk," comes just months after DOD formed the Joint Task Force for Computer Network Defense to serve as the focal point for DOD to organize the defense of its computer networks and systems. When cyberattacks are detected, the JTF-CND is responsible for directing departmentwide defenses to stop or contain damage.

The GAO report follows up on more than two dozen reports issued since 1996 that outlined serious security flaws throughout DOD. "DOD has made limited progress in correcting general control weakness we reported in 1996," GAO concluded. "As a result, these weaknesses persist across every area of general controls."

Security gaps identified in the report include weaknesses in access controls and software development, as well as unauthorized roles and responsibilities for users.

According to the report, support personnel working with an unidentified DOD system were able to alter system audit logs, which record all system activity and are a critical tool in identifying fraud and unauthorized access.

In another case, access authorizations for more than 20,000 users were not documented, according to the report.

In addition, GAO found that application programmers, including outside contractors, "had direct access to production resources, increasing the risk that unauthorized changes to production programs and data could be made and not detected."

On one system, 74 users had privileges enabling them to change program source code without supervisory oversight, the report stated.

Mike Dorsey, a special agent with the Naval Criminal Investigative Service who is working directly with the JTF-CND to investigate computer crimes against DOD networks, said unauthorized attempts to access DOD systems are on the rise but that DOD does not have the resources to respond to every incident.

A spokeswoman for DOD said the department is addressing all the issues contained in the report.
