The OIG Takes the DoD to Task for Ignoring Cybersecurity Recommendations for Over Ten Years
The Federal Government was caught flat-footed in January 2023 when the FAA grounded flights nationwide due to a glitch during routine maintenance. Just as the government was closing the door on that embarrassing chapter, less than a month later, the DoD found itself under scrutiny by the OIG for its failure to resolve previous cybersecurity-related concerns and implement the accompanying recommendations. Walt Szablowski, Founder and Executive Chairman of Eracent, is at the forefront of the Zero Trust Architecture initiative, which implements organization-specific cybersecurity defense plans designed to identify, protect, detect, respond, and recover before vulnerabilities in the Government’s IT infrastructure pose a clear and present threat to national security.
When Hollywood depicts the underworld of computer hackers, with pulse-pounding scenes of a battle between good and evil government actors trying to save or take down the world, the lighting is ominous and fingers fly effortlessly across multiple keyboards at once while opening and closing firewalls at lightning speed. And slick federal intelligence agencies always have the latest in flashy, high-tech gadgetry. But reality rarely measures up. The Pentagon, the headquarters of the Department of Defense (DoD), is a powerful symbol of the military might and strength of the United States. However, from 2014 to 2022, 822 government agencies were victims of cyberattacks, affecting nearly 175 million government records at a cost of approximately $26 billion. The DoD is under the watchful eye of the DoD OIG (Office of Inspector General), and the OIG’s most recent audit report is a black eye to the reputation of the nation’s largest government agency. Walt Szablowski, Founder and Executive Chairman of Eracent, which has provided complete visibility into its large enterprise clients’ networks for over two decades, warns, “The implications could be catastrophic if the DoD, our biggest line of defense against internal and external cyberthreats, takes one day, one hour, or one minute too long to take corrective actions to remove vulnerability-packed and obsolete hardware and software from its critical IT infrastructure. Zero Trust Architecture is the biggest and most effective tool in the cybersecurity toolbox.”
As recently as January 2023, the world held its collective breath after a ground stop was initiated by the FAA, preventing all aircraft departures and arrivals. Not since the events of 9/11 have such extreme measures been taken. The FAA’s final judgment was that the outage occurred because the Notice to Air Missions (NOTAM) system, which is responsible for providing crucial safety information to prevent air disasters, was compromised during routine maintenance when one file was mistakenly replaced with another. Three weeks later, the DoD OIG publicly released its audit, Summary of Reports and Testimonies Regarding DoD Cybersecurity from July 1, 2020, Through June 30, 2022 (DODIG-2023-047), summarizing the unclassified and classified reports and testimonies regarding DoD cybersecurity.
According to the OIG report, federal agencies are required to follow the guidelines of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The framework includes five pillars — Identify, Protect, Detect, Respond, and Recover — to implement high-level cybersecurity measures that work together as a comprehensive risk management strategy. The OIG and other DoD oversight entities have focused primarily on two pillars — Identify and Protect — with less emphasis on the remaining three — Detect, Respond, and Recover. The report concluded that of the 895 cybersecurity-related recommendations in the current and past summary reports, the DoD still had 478 open security issues dating back as far as 2012.
In May 2021, the White House issued Executive Order 14028: Improving the Nation’s Cybersecurity, requiring federal agencies to enhance cybersecurity and software supply chain integrity by adopting Zero Trust Architecture, with a directive to employ multifactor authentication and encryption. Zero Trust enhances the identification of malicious cyber activity on federal networks by facilitating a government-wide endpoint detection and response system. Cybersecurity event log requirements are designed to improve cross-communication between federal government agencies.
Zero Trust Architecture, at its most basic level, assumes the posture of resolute skepticism and mistrust of every component along the cybersecurity supply chain by always presupposing the existence of internal and external threats to the network. But Zero Trust is much more than that.
Implementations of Zero Trust force the organization to finally:
- Define the organization’s network that is being defended.
- Design an organization-specific process and system that protects the network.
- Maintain, modify, and monitor the system to ensure the process is working.
- Constantly review the process and modify it to address newly defined risks.
The Cybersecurity and Infrastructure Security Agency (CISA) is developing a Zero Trust Maturity Model with its own five pillars — Identity, Devices, Network, Data, and Applications and Workloads — to assist government agencies in the development and implementation of Zero Trust strategies and solutions.
Zero Trust Architecture remains a theoretical concept without a structured and auditable process like Eracent’s ClearArmor Zero Trust Resource Planning (ZTRP) initiative. Its unabridged framework systematically synthesizes all components, software applications, data, networks, and endpoints using real-time audit-risk analysis. Successful deployment of Zero Trust requires every constituent in the software supply chain to prove beyond doubt that it can be trusted and relied upon.
Conventional vulnerability analysis tools do not methodically scrutinize all components of an application’s supply chain, such as outdated and obsolete code that can pose a security risk. Szablowski acknowledges and applauds these government initiatives, cautioning, “Zero Trust is a clearly defined, managed, and continuously evolving process; it is not ‘one and done.’ The first step is to define the size and scope of the network and identify what needs to be protected. What are the greatest risks and priorities? Then create a prescribed set of guidelines in an automated, continuous, and repeatable management process on a single management and reporting platform.”
Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent’s subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India, and Eracent Brazil). Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today’s complex and evolving IT environments. Eracent’s enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent’s client base includes some of the world’s largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks.