Pentagon Has No Policy To Track Attempted Cyber Hacks By Russia, China, Iran

Defense Department hit with more than 12,000 attempted hacks since 2015

November 28, 2022

The Pentagon has failed to put in place policies to track attempted cyberattacks by Russia, China, Iran, and other malicious hackers, leaving the U.S. government with incomplete information on the more than 12,000 attempted intrusions by adversaries recorded since 2015, according to findings by a federal watchdog.

Hackers have attempted to penetrate computer systems belonging to the Defense Department at a rate of more than 1,500 cyberattacks per year, according to data from 2015 to 2021 published by the Government Accountability Office (GAO), the federal investigatory agency that recently determined the Pentagon is often not properly logging these attacks or reporting them to leadership. China, Iran, and Russia conducted many of the most high-profile attacks.

"DOD’s system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents," according to the GAO. "Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture." The GAO traces these gaps primarily to the Defense Department never having assigned any single organization responsibility for tracking these incidents, even though the department’s own guidance and Congress have mandated that officials do so.

Though the number of reported cyber incidents has dropped during the past several years—from 3,880 in 2015 to 948 in 2021—that figure counts only what was reported, and with reporting this incomplete it is not a reliable measure of how many attacks actually occurred. Without the ability to fully detail and report these incidents, Pentagon leaders and those who have their personal information breached may not know an attack took place, according to the report. The failure to put safeguards in place serves as a boon to malicious cyber hackers, including foreign nations that are trying daily to penetrate these networks.

The DOD still "lacks an accountable organization and consistent guidance to ensure complete and updated reporting of all cyber incidents," according to the GAO. Reports that were submitted "were often incomplete and not always updated."

Ninety-one percent of the reports reviewed by government investigators "did not include information on the discovery date of the incident, hindering DOD’s ability to determine whether incidents were reported … in a timely manner," according to the report. Nearly 70 percent of the reports did not include information about the specific type of cyberattack, "limiting DOD’s ability to identify trends in the prevalence of various threats affecting its networks."

Those in charge of monitoring and reporting hack attacks "also did not consistently notify DOD leadership of incidents that had a detrimental impact on DOD’s ability to perform its mission or availability of its networks," according to the report, which found little evidence that leadership knew about an estimated 47 percent of cyber incidents logged from 2015 to 2020.
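The reporting gaps the GAO describes in the preceding paragraphs (missing discovery dates, missing incident type, and mission-impact incidents with no record of leadership notification) are the kind of thing an organization can catch mechanically before a report is filed. The following is an added example, not code from the GAO report or from DOD: it audits a batch of incident records for exactly those three gaps, plus a timeliness check that discovery-date data makes possible. The record layout, the field names, the 72-hour reporting window, and the sample records are all constructed assumptions for illustration.

```python
"""Completeness audit for cyber-incident records (added example).

Assumptions, not taken from the GAO report or DOD guidance: the record
schema below, the 72-hour reporting window, and the sample records.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical requirement: an incident must be reported within 72 hours
# of discovery. Timeliness can only be judged when a discovery date exists.
TIMELINESS_WINDOW = timedelta(hours=72)


@dataclass
class IncidentRecord:
    incident_id: str
    category: Optional[str]           # e.g. "malicious logic", "denial of service"
    discovery_date: Optional[datetime]
    report_date: datetime
    mission_impact: bool              # degraded mission or network availability
    leadership_notified: bool


@dataclass
class AuditResult:
    total: int
    missing_discovery_date: list = field(default_factory=list)
    missing_category: list = field(default_factory=list)
    late_reports: list = field(default_factory=list)
    unnotified_mission_impact: list = field(default_factory=list)

    def rate(self, ids: list) -> float:
        """Fraction of all records affected by one finding."""
        return len(ids) / self.total if self.total else 0.0


def audit(records: list) -> AuditResult:
    """Flag each record that fails one of the completeness checks."""
    result = AuditResult(total=len(records))
    for r in records:
        if r.discovery_date is None:
            # No discovery date: timeliness cannot be evaluated at all.
            result.missing_discovery_date.append(r.incident_id)
        elif r.report_date - r.discovery_date > TIMELINESS_WINDOW:
            result.late_reports.append(r.incident_id)
        if not r.category:
            # Blank or missing type prevents trend analysis by threat.
            result.missing_category.append(r.incident_id)
        if r.mission_impact and not r.leadership_notified:
            # Mission-impacting incident with no leadership notification.
            result.unnotified_mission_impact.append(r.incident_id)
    return result


# Constructed sample records; not real DOD data.
SAMPLE = [
    IncidentRecord("INC-001", "malicious logic",
                   datetime(2021, 3, 1), datetime(2021, 3, 2), False, False),
    IncidentRecord("INC-002", None,
                   None, datetime(2021, 4, 10), True, False),
    IncidentRecord("INC-003", "denial of service",
                   datetime(2021, 5, 1), datetime(2021, 5, 6), True, True),
    IncidentRecord("INC-004", "",
                   datetime(2021, 6, 1), datetime(2021, 6, 1, 12), False, False),
    IncidentRecord("INC-005", "unauthorized privileged access",
                   None, datetime(2021, 7, 15), False, True),
]


if __name__ == "__main__":
    res = audit(SAMPLE)
    print(f"records audited: {res.total}")
    print(f"missing discovery date: {res.missing_discovery_date} "
          f"({res.rate(res.missing_discovery_date):.0%})")
    print(f"missing category: {res.missing_category}")
    print(f"late reports: {res.late_reports}")
    print(f"mission-impact, leadership not notified: "
          f"{res.unnotified_mission_impact}")
```

Running the script lists the offending record IDs per finding along with the fraction of records affected, which is the same shape of statistic the GAO reports (91 percent lacking a discovery date, nearly 70 percent lacking a type). A check like this belongs at the point a report is submitted, so a record cannot be filed with the fields blank in the first place.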

"Until DOD assigns responsibility for ensuring complete and updated incident reporting and proper leadership notification, the department will not have assurance that its leadership has an accurate picture of its posture," the report warns. "As a result, the department may miss opportunities to assess threats and weaknesses, gather intelligence, support commanders, and share information."

The "vast majority" of cyberattacks logged during the reporting period fell into the "malicious logic" category, the DOD term for incidents involving malware: malicious software that is installed on a computer without the user’s knowledge, typically after being unwittingly downloaded, and then used by an adversary to gain access to the system and the information on it. These accounted for more than 11,500 of the incidents logged from 2015 to 2021.

Other incidents included "unauthorized privileged access to an information system" and denial-of-service attacks, a blunt technique that overwhelms a system or network with traffic or requests so that legitimate users can no longer reach it.

While the DOD established two mechanisms to track and report cyberattacks, the GAO found that it "has not fully implemented either process."