The Defense Information Systems Agency (DISA) and the Department of Defense cyber workforce have made significant advances in recent years but still require more improvement, a Defense Department report and the CIO of DISA said earlier this week.
A recent report from the Office of Operational Test and Evaluation (OT&E), commonly known for summarized assessments of weapons systems performance, contained an eight-page section dedicated to Defense Department cybersecurity. In the section, it noted both successes and places for improvement in department cybersecurity practices.
Despite various successes in Defense Department cybersecurity practices, “the continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most DoD networks, and could be in a position to degrade important DoD missions when and if they chose so,” the report warned.
Mark Orndorff, risk management executive and CIO at DISA, noted that while the agency has been asked to advance many difficult cybersecurity advances, it has succeeded and exceeded expectations.
“I think the DoD cyber workforce is asked to take on the impossible and manage to deliver. HBSS, PKI, IAP Defenses are examples of challenges where we’ve collectively delivered important capabilities. I’d highlight the STIGs as possibly the best example of progress faster than expected,” Orndorff said during an online chat hosted by Federal News Radio.
HBSS is Host Based Security System, PKI is public key infrastructure, and IAP is Internet Access Point. STIGs is Security Technical Implementation Guides, configuration standards for DoD IA and IA-enabled devices and systems.
However, the Defense Department must move beyond passwords entirely, he said. “They don’t work and we have better solutions. We just need to focus efforts (actually across DoD, rest of government and industry) and move on to solutions that users accept and actually work.”
The OT&E report noted that Department red teams used stolen passwords as a major method to enter mission-critical systems in 2014.
A single default or weak password can lead to “rapid access and exploitation of the network,” the report said. This is especially true when the password belongs to personnel with elevated privileges.
“FY14 assessments revealed numerous violations of DoD password security policies, which indicates the policies are either too difficult to implement, too hard to enforce, or both,” the report said.
Orndorff said that “In DoD, we pushed for PKI as the best identification, but failed to offer “good” solutions for situations where PKI won’t work (e.g. systems with non-DoD users or technology that won’t work with PKI). My view is that we need to open the door to innovations that may not be as good as PKI, but are better than passwords.”
He said that in 2015 the Department of Defense should eliminate passwords as an authentication technique, focusing on PKI or other recent innovations when PKI is not an option. “Running a system today that relies on passwords is as reckless as driving a car without brakes or headlights.”
Orndorff also highlighted a point made in the OT&E report, that the Department needs better methods and range environments to better characterize and simulate cyber effects.
“We have a foundation in the DoD Cyber Range that we need to build on and make range play part of the standard required for cyber defenders including system administrators, network managers and the cyber protection teams,” Orndorff said.