Report finds Pentagon plagued by sweeping cybersecurity vulnerabilities

Some information security procedures hadn’t been updated in over a decade

Written by Shawn Musgrave
Edited by JPat Brown

In 2013, the Pentagon’s inspector general determined that military information systems were vulnerable to compromise. The newly released report found that the Defense Information Systems Agency failed to address many vulnerabilities due to outdated risk-monitoring procedures.

Cybersecurity poses a considerable challenge for the Department of Defense. Last year, the DoD Inspector General listed cybersecurity among the seven most pressing issues facing the military.

“[T]he Department must be ever vigilant to continuously invent and reinvent how it operates in the cyber domain,” the inspector general’s office wrote in its 2014 report.

But a year earlier, the Pentagon inspector general found some information security procedures that were outdated by as much as 11 years. A review of how DISA, the agency charged with overseeing the military’s information and communications systems, manages vulnerabilities uncovered other longstanding issues as well.

“If vulnerabilities are not addressed in a timely manner,” the report summarizes, then military information networks “are at a risk of loss, misuse, or unauthorized access to sensitive DoD information.”

“Based on the vulnerabilities we identified,” the report continues, “an attacker could compromise DISA networks. In addition, effectiveness of US Cyber Command oversight may be reduced.”

The rather technical report was originally designated as “For Official Use Only,” and so unfit for public release. MuckRock requested the report in July 2013, and received a copy last week. Oddly, after nearly two years of review, the inspector general’s records office determined that the report could be released without any redaction or excision.

Security auditors and watchdogs have warned for years about information security deficiencies across the federal government. A report released by the Government Accounting Office in April — just weeks before the Office of Personnel Management hack that exposed millions of government workers’ personal data — found widespread deficiencies in information security controls across federal agencies.

The Pentagon inspector general’s review of DISA’s tracking system found that more than 10 percent of security vulnerabilities reported in August 2012 had not been addressed two months later. The report blames inconsistent and inadequate procedures for reporting such vulnerabilities and their respective patches.

Overall guidance for the issue tracking system had not been updated since 2001, reviewers found. Defense Department rules require all procedural documents such as these to be reviewed and certified as current every five years.

The audit did not uncover any network breaches, but warned that deficiencies left military information exposed.

“[B]ased on the vulnerabilities we identified, there is an increased risk of compromising sensitive DoD information,” the report concludes.

Read the full report on the request page.


Image by R. D. Ward via Wikimedia Commons