Federal News Radio on the DoD CIO's plans to start holding users more accountable for cyber mistakes:

DoD CIO Terry Halvorsen noted that military culture is accustomed to disciplining members who violate even the simplest of rules, but said the Pentagon has not yet found its way to apply that type of rigor to users who, for example, plug their personal devices into a government computer’s USB port.

He said the Pentagon intends to implement measures that will hold both users and their commanders accountable when they violate basic rules of cyber hygiene.

“What happens if you negligently discharge a firearm? Do you get a little piece of paper that says, ‘Please don’t do that again?’ We treat that pretty seriously,” he said. “And I would argue that the weapon represented by the network is far more dangerous, far more powerful and can cause us far more damage than a single stray shot from an M-16. We have got to raise our accountability level.”

The stated example is pretty weak. All DoD IT assets should have HBSS installed with device control, so plugging in a prohibited USB device should have almost no effect.

A better example would be how the DoD CIO plans to handle users who fail to meet their yearly cyber security awareness training schedule. How about people who cause inadvertent disclosures? These are more realistic examples, and they are the types of accountability DoD needs to discuss transparently.

What concerns me more than anything is that the people who are most at risk – high-ranking senior leaders – are the very people who need to be held to higher standards. If they have a cyber misstep, then the outcome could be far more disastrous than when the average user makes the same mistake. However, DoD senior leaders feel like they are above the law and are rarely disciplined for their continued bad cyber hygiene. Compare that to the average enlisted user, who may be written up for doing the same thing.

Double standards are not going to help DoD get through these difficult cyber security accountability issues.