The Department of Defense issued a memorandum at the end of fiscal year 2015 entitled “Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I).” The DC3I Memo is important because it shows that DoD is (finally) getting serious about cybersecurity. Significantly, the memo gives context to DoD’s cybersecurity efforts by providing some information about the raw numbers of attacks on DoD Information Networks, the numbers of successful compromises, and the root causes. The memo also suggests that additional burdens may be placed on the federal contracting community.
How many cyber attacks does DoD endure? How many are successful?
The DC3I Memo, signed jointly by the Chairman of the Joint Chiefs of Staff and the Secretary of Defense, provides some chilling information that should keep every American awake at night. The memo states: “Less than 0.1 percent of the 30 million known malicious intrusions on DoD networks between September 2014 and June 2015 compromised a cyber system.” Any way you slice it, the DoD cyber numbers do not paint a pretty picture.
First, there were “30 million known malicious intrusions on DoD networks.” That’s 30 million cyber attacks over ten months. That translates to 3 million attacks per month or 100,000 attacks per day. Every day.
The “good news” in all this is that 99.9% of those attacks were thwarted or failed. On the other hand, because of the sheer number of attacks, there were tens of thousands of successful intrusions. Though the memo is not clear, less than 0.1 percent of 30 million is less than 30,000. Thus, in the ten-month period ending on June 30, 2015, there were up to 30,000 cyber attacks on DoD networks that successfully compromised a cyber system.
These numbers are truly staggering and highlight the very real problem that DoD faces in keeping its networks secure.
What are the causes of all of the cyber attacks on DoD?
The DC3I Memo also reveals the root cause of these attacks. The answer is no surprise. It’s human error. According to DoD: “roughly 80 percent of incidents in the cyber domain can be traced to three factors: poor user practices, poor network and data management practices, and poor implementation of network architecture.” The memo recognizes that “technical upgrades and cyber organizational changes” can only do so much. For DoD, the real challenge comes from “human error by both IT professionals and the great number of everyday DoD users.” Based on DoD’s figures, 80,000 of the daily cyber attacks against DoD are caused by human error.
DoD’s Cyber Culture Change
The DC3I Memo introduces a Cyber Culture Change that consists of Principles to guide operations and accounts for the different populations that use DoD networks—including contractor personnel. The memo does not set any standards and does not contain a list of best practices to follow. But DoD identifies some practices or user behaviors that will not be tolerated, including: “downloading software, accessing inappropriate Web sites, and using portable memory devices”; “clicking on suspicious email” and failing to use “a PKI certificate for two-factor authentication.”
DoD also includes a warning shot across the bow of the contractor community, as follows: “These professionals literally have the keys to the cyber kingdom and must be held personally accountable for failures to adhere to the highest standards of cybersecurity best practices.” DoD has taken several recent steps to shore up cybersecurity, including changes to the Defense Federal Acquisition Regulations (DFARS). Based on the sheer number of cyber attacks suffered by DoD and the volume of successful attacks, and given the urgent need for action, we can only hope that DoD is looking to the contractor community not as a scapegoat but as a vital partner in DoD’s evolving cyber strategy.