Cracking down on poor cyber hygiene

Defense Department Chief Information Officer Terry Halvorsen is taking a no-holds-barred approach to DOD network users with sloppy cyber habits.

The Pentagon’s top IT official “is drawing a line in the sand and saying enough is enough. If you don’t comply, you are not on the network, you are off,” David Cotton, deputy CIO for information enterprise, said at a May 20 cybersecurity symposium at George Mason University.

The DOD CIO’s office is developing a more data-rich template for assessing “cyber hygiene” – the prevalence of basic security practices such as decent passwords – across the department, Cotton said. The goal is to give department leadership a consolidated view of basic network vulnerabilities.

According to Cotton, various components of the department are currently graded on criteria that include the security compliance of operating systems and responses to data breaches. Halvorsen gets weekly briefings on those assessments, Cotton added.

The new approach is designed to meet a cyber hygiene challenge that is “just eating our shorts,” said the retired brigadier general.

The stricter regime could see something as important as a command and control system booted off DOD networks if it is a security liability, Cotton said, adding that the days of officers asking for a year to clean up the security footprint of a program of record are gone.

“We’ll give you a week,” he said. “It’s going to be that draconian” because a good amount of DOD network vulnerabilities are self-inflicted wounds – the result of failing to apply a security patch, for example, Cotton added.

The Pentagon’s Office of Operational Test and Evaluation’s (OT&E) fiscal 2014 cybersecurity review confirms Cotton’s diagnosis of DOD’s basic network vulnerabilities. The office’s “assessments revealed numerous violations of DOD password security policies, which indicates the policies are either too difficult to implement, too hard to enforce, or both,” the review states.

With that report card in mind, Halvorsen’s office has stressed the basics of computer security to Pentagon employees.

In March, the DOD CIO issued a memo warning about potential phishing attacks on defense personnel through third-party social media accounts.

“Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey,” the memo states. “We need to arm ourselves and our families with the defensive skills and knowledge to protect them from being victimized by a phishing email, computer or phone scam.”

Help wanted

Cotton appealed to the vendors in the audience to “figure out how to help us in this area” of cyber hygiene, to “help us identify those things so we can actually continue to operate.”

David Stickley, a services executive at the Defense Information Systems Agency, made a similar appeal later in the symposium. Software vendors that provide security patches and the defense programs in need of them are often on different timelines, creating a dangerous waiting game, Stickley said.

“You’ll probably start to hear a lot more from our DOD senior leadership about pushing patches on a timely basis,” he told the audience.

For all of the Pentagon’s focus on defending its networks against sophisticated cyber menaces, the rudimentary threats can land their punches, too. “The asymmetric nature of cyber operations allows even a single default or weak password to lead to rapid access and exploitation of the network,” the OT&E report states.

Stickley echoed that premise of basic security enabling the more sophisticated kind. “If we don’t fix the known things, we’re never going to get ahead” of the zero-day vulnerabilities, the cyber exploits unbeknownst to the IT security community, he said.