Pentagon Faces 'Significant' Cyber Security Challenges

Inspector general: Cyber weaknesses persist despite billions invested to boost information security

December 19, 2016

The Pentagon faces "significant" cyber security challenges as the U.S. military becomes reliant on electronic networks and infrastructure to conduct its operations, according to the Defense Department's inspector general.

The Pentagon inspector general reviewed nearly two dozen unclassified government reports issued in fiscal year 2016 that addressed a "wide range of cyber security weaknesses" in Defense Department systems, concluding that the department needs to overcome major hurdles in cyber security.

The report comes amid increased concern about cyber attacks from China and Russia.

"Correcting cyber security weaknesses and maintaining adequate cyber security is critical, as the DoD has become increasingly reliant on cyber space to enable its military, intelligence, and business operations to perform the full spectrum of military operations," the inspector general wrote in the report issued last week. "Although DoD has taken steps to increase cyber security over its systems, networks, and infrastructure, significant challenges remain."

The redacted report, which offers no new recommendations but synthesizes a number of findings about weaknesses between Aug. 2015 and July 2016, offers a stark look at how the Pentagon has "struggled" to manage information security.

Pentagon leaders still need to address 138 recommendations that the inspector general, individual military branches, and the Government Accountability Office had made as of August 2015 to improve a wide range of cyber security weaknesses in its systems and networks. In fiscal year 2016, government watchdogs made 61 additional recommendations to the Pentagon to correct weaknesses in cyber security.

In one case, investigators discovered that software used by the Navy's troubled Littoral Combat Ship was at risk of containing "vulnerabilities that, if exploited, could prevent the Littoral Combat Ship from performing its mission." Another audit faulted Air Force officials for not implementing controls on a web-based system used for acquisitions, which allowed hundreds of users who did not have requirements for accessing the system to create active accounts on it.

One of the reviews also found that some Pentagon agencies are not fully complying with a Homeland Security directive issued by President George W. Bush in 2004 that established a government-wide standard for secure forms of identification.

"Although Homeland Security Presidential Directive 12 was issued in 2004, one audit report indicated that DoD Components are still not fully complying with the directive," the inspector general wrote. "The report identified the lack of compliance leaves national security and Privacy Act information vulnerable to compromise and places soldiers, family members, civilians, and critical infrastructures at greater risk of an adverse incident occurring."

The audits completed in fiscal year 2016 found cyber security weaknesses in a number of different areas, most frequently risk management, identity and access management, security and privacy training, contractor systems, and configuration management.

The Pentagon is investing $6.7 billion in its cyber strategy for the current fiscal year and plans to spend $34.6 billion over the next five years to develop and train officials in cyber and develop technology to strengthen cyber defenses and capabilities.

Concerns about cyber threats have increased as foreign hackers have penetrated U.S. government networks, including those used by Pentagon officials. The Director of National Intelligence has for years named cyber threats among the top strategic global threats confronting the United States.

For example, Russian hackers launched a cyber attack on the unclassified email system used by the Joint Chiefs of Staff in August 2015, stealing the computer credentials of hundreds of military officials, including the chairman at the time, retired Gen. Martin Dempsey.

More than 22 million Americans also had their personal data stolen when Chinese hackers breached the computer system used by the Office of Personnel Management between 2014 and 2015.

The U.S. intelligence community has also accused the Russian government of directing cyber attacks on systems used by American political organizations in order to influence the 2016 presidential election. Sensitive assessments completed by the CIA and FBI are said to have concluded that Russia intervened in the election in part to help Donald Trump, now the president-elect.