Sean Lyngaas of FCW reports the DoD CIO is finally coming to the realization there is a need to start cracking down on poor cyber hygiene of all DoD employees:
Defense Department Chief Information Officer Terry Halvorsen is taking a no-holds-barred approach to DOD network users with sloppy cyber habits.
The Pentagon’s top IT official “is drawing a line in the sand and saying enough is enough. If you don’t comply, you are not on the network, you are off,” David Cotton, deputy CIO for information enterprise, said at a May 20 cybersecurity symposium at George Mason University.
The DOD CIO’s office is developing a more data-rich template for assessing “cyber hygiene” – the prevalence of basic security practices such as decent passwords – across the department, Cotton said. The goal is to give department leadership a consolidated view of basic network vulnerabilities.
According to Cotton, various components of the department are currently graded on criteria that include the security compliance of operating systems and responses to data breaches. Halvorsen gets weekly briefings on those assessments, Cotton added.
The new approach is designed to meet a cyber hygiene challenge that is “just eating our shorts,” said the retired brigadier general.
In my experience, the worst offenders – those with the so-called worst cyber hygiene – are the senior military leaders. They have this sense of entitlement, believing they are above the law and should be able to do whatever they want on the network simply because of their status and position. While potentially true to some extent, it does not excuse the additional, unnecessary risk to an increasingly dangerous cyberspace, especially with China reportedly compromising military networks.
In one instance, I worked for a USMC General who wanted his personal iPod connected to a military computer attached to an unclassified military network. He directed the IT team to download videos of BYU football games – his alma mater – and sync them to his personal iPod connected to his government computer with iTunes installed. Someone signed off on this as an acceptable risk, not because it was acceptable but because the authorizing official did not have the cajones to explain to the General about the risk.
Hopefully DoD CIO Terry Halvorsen’s initiative here can change this mindset.