Pentagon failed to address cybersecurity vulnerabilities exposed by friendly hackers

The Pentagon has failed to consistently respond to cybersecurity weaknesses identified by its "Red Teams" of friendly hackers, the agency's internal watchdog reports.

The Defense Department inspector general's warning comes as concerns in Washington grow about possible state-sponsored hacking designed to further interrupt the American economy during the coronavirus health scare.

Officials confirmed an escalation of hacking attempts at the Department of Health and Human Services and were on high alert for more attempted penetrations.

The DoD Office of Inspector General first published an audit report in 2012 that said the department’s Cyber Red Teams, tasked with rooting out DoD system and network weaknesses, failed to effectively report their findings. The 2012 report also found that DoD components failed to take proper action to remedy problems identified by Red Teams.

The IG “found that the DoD Components did not effectively correct or mitigate Red Team-identified vulnerabilities and did not track or report the vulnerabilities on a plan of action and milestones as required by the Chairman of the Joint Chiefs of Staff Instruction 6510.01F.”

The IG’s followup audit this month found that DoD components were not consistently taking appropriate actions to fix vulnerabilities.

"For this followup audit, we determined that the DoD Components did not consistently mitigate or include unmitigated vulnerabilities identified in the prior audit and during this audit by DoD Cyber Red Teams during combatant command exercises, operational testing assessments, and agency-specific assessments in plans of action and milestones," the IG stated.

The IG notes that there was no supervisory structure holding DoD components accountable to address vulnerabilities.

The Department "did not have an organization responsible for ensuring that DoD Components took action to manage vulnerabilities identified by DoD Cyber Red Teams and did not establish processes that held DoD Components responsible for mitigating those vulnerabilities," the report said.