Technology and security pros generally view audits as bad news, especially when material findings are released to the public. Nevertheless, audit reports can also offer unique opportunities to improve. Here are some silver linings to consider.
Very disappointing, some might even say demoralizing, security findings were made public this week in a U.S. Government Accountability Office (GAO) report on the cybersecurity of the Defense Department’s newest weapon systems.
Why was this audit report created, and what was the scope? According to the report highlights:
“DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do.
GAO was asked to review the state of DOD weapon systems cybersecurity. This report addresses (1) factors that contribute to the current state of DOD weapon systems' cybersecurity, (2) vulnerabilities in weapons that are under development, and (3) steps DOD is taking to develop more cyber resilient weapon systems.
To do this work, GAO analyzed weapon systems cybersecurity test reports, policies, and guidance. GAO interviewed officials from key defense organizations with weapon systems cybersecurity responsibilities as well as program officials from a non-generalizable sample of nine major defense acquisition program offices. …”
While the GAO did not make any recommendations at this time, the results of this study are quite alarming. Put more bluntly, all of the arguments about cybersecurity “return on investment” or “more justifications needed for stronger action” go out the window when this eye-opening report is read in detail.
Media coverage of the GAO report was widespread and (not surprisingly) harsh.
National Public Radio (NPR) offered major coverage starting with the headline, “Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says.”
Here’s an excerpt: “Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense's newest weapons systems, according to the Government Accountability Office. …
Drawing data from cybersecurity tests conducted on Department of Defense weapons systems from 2012 to 2017, the report says that by using ‘relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected’ because of basic security vulnerabilities. …”
Silicon Angle went even further with the headline: “Audit finds Defense Department weapons are easy to hack.”
“The Government Accountability Office (GAO) found in its audit of the Defense Department’s weapon systems that test teams were easily able to bypass measures meant to keep hackers out, and that in some instances just scanning for the vulnerabilities was enough to shut down the systems altogether.
The report also found that some agencies in the department were aware of some of the cyber vulnerabilities, but did not take steps to resolve them.
It was also determined that DOD did not know the extent of the cyber vulnerabilities, as some of the tests on the systems were limited or cut off early. …”
Need for Security Audit Lessons for All
No doubt, this new GAO report is not viewed as “good news” by most people in the military, at the defense contractors that built these weapon systems, in the halls of Congress or in the White House. But I am not ready to “throw stones” in this blog or call for firings or individual accountability. I’ll leave that for others at another time.
So why highlight this audit report now?
We can all learn from this GAO report. Read it. Afterwards, wait a day or two and read it again.
Yes — everyone in the technology and security industries and even in the general business community needs to take notice.
Some readers are no doubt thinking: Wait! This report is about billions of dollars being spent on the most sophisticated weapon systems in the world, with the latest high-tech computers, artificial intelligence, robotics, smart systems and much, much more. How does this relate to my situation, to state or local government, or to my small or medium-size company?
Simply stated, if these vulnerabilities, hacking opportunities, weaknesses, human errors, management denials, process problems, systematic oversights and worse can happen in billion-dollar systems, how much more often are the same problems occurring on your local office network(s)? How much more is this happening in everyday life or in lower-cost systems?
Answer: A LOT. We all need to pay attention. AND NOW!
These same challenges exist worldwide on networks small and large. No organization is exempt. While the attacks against the DoD are no doubt different, every network is being targeted by hackers and facing cyberattacks daily, even hourly or more often.
Nevertheless, there is also still hope. There is a silver lining to these cybersecurity audit findings and reportable weaknesses. Let’s explore.
Quick History on Audit Lessons
First, this is not the first time, nor will it be the last, that this topic has come up. Back in 2011, when I was the Michigan government’s enterprise-wide chief technology officer (CTO), I wrote this article on how government agencies need to rethink their approach to audits. Based upon my experiences over my initial seven years as Michigan’s chief information security officer, I wrote about the vital role of these cybersecurity audits — even if you don’t like the outcomes.
Here’s an excerpt from that piece, “The breadth and depth of these challenges covered multiple agencies, programs and business areas. The scope seemed overwhelming and expensive. Staff complained that they couldn’t keep up with audits and day-to-day tasks. We needed a new strategic approach to legal and policy compliance. …”
Several others have written about learning from security audit findings. I like this small business blog from Randy Johnson. “In relationship to technology, Bill Gates has said, ‘We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next 10 years. Don’t let yourself be lulled into inaction.’ It is definitely wise to apply this thinking to security. Security will improve in the next 10 years, but the state of our computer security now is worse than it was 20 to 30 years ago. In the short term, expect many more bad events to happen to others, your clients, and possibly even you. …”
I also like the words of Jack Danahy of Barkly in the guide, Cybersecurity Made Simple, that today’s top cybersecurity issues are as follows:
I also like these top 5 findings from many security audits conducted by Securit360:
It holds true that almost everyone likes the “idea” of being secure. However, far less actually want to take the steps to become “secure,” usually due to one or more myths:
Cost – they believe they require an expensive “widget” to achieve their security goals
Effort – the time/manpower simply does not exist (and cannot be prioritized)
Impact – the changes proposed will affect the user population too greatly
Denial – that will never happen to us OR we are already secure
Five Don’ts and Five Do’s Related to Security Audit Findings
So how do we take this lemon and make lemonade, based on my 30+ years of cybersecurity experience in the public and private sectors? I have gone through (and helped others traverse) many dozens of federal, state and local audits. I have seen all of these tactics used at various times — for better or worse.
Here are five things you should NOT do:
Here are five things you SHOULD do:
Over seven years ago, I ended the article on the benefits of security audits this way:
“Remember that although it may not feel like it, auditors can be helpful to your organization. Early audit findings surrounding cyber-security helped steer enterprise priorities. This audit action data allowed us to obtain funding for key security and infrastructure initiatives during difficult budget times. We even gave our auditor general the results of internal security assessments. By developing positive relationships and building trust with auditors, you can solve problems simultaneously — like obtaining compliance and strengthening security.
Leaders must follow through with audit remediation plans. Corporate memory is often lost with staff turnover, but remember compliance because the auditors won’t forget.”
After reading this latest GAO report on DoD weapon systems, I’d say we all need to refocus (and perhaps reprioritize) our cyber efforts. Just like in (U.S.) football, it may be back to the basics of (cyber) blocking, tackling, running, catching and throwing.
Sure, you may already know the basics. Nevertheless, it’s not happening nearly as much as most think. This GAO security audit is another wake-up call. But there is a potential silver lining.
Will you hit the snooze button?