To improve cybersecurity, DOD aims to eliminate passwords

Cybersecurity is a high-level priority for every organization within the federal government. However, it is doubtful that any agency is as focused on this issue as the Department of Defense. Considering the nature of the information that the DOD possesses, collects and utilizes, a data breach here has the potential to prove far more devastating than breaches affecting virtually any other part of the government.

Unfortunately, though, this does not mean that the DOD's cybersecurity posturing is invulnerable. As a recent internal test revealed, the DOD's systems are potentially vulnerable to hacking attacks. In light of this and other evidence, the DOD aims to take a number of steps to improve its defenses. Most notably, the agency hopes to fully eliminate passwords, as a top Defense Information Systems Agency official recently told Federal News Radio. 

A revealing test
The Office of Operational Test and Evaluation's latest report included an assessment of the DOD's overall cybersecurity preparedness. DOD "red teams" were commissioned to attempt to gain access to the agency's networks in order to determine how easy or difficult such a task would be for hackers to perform.

The results were discouraging. The report found that a large number of the DOD's IT systems are vulnerable not just to advanced, sophisticated hacking efforts, but also to low- or intermediate-level cyberattacks. In many cases, the red teams managed to gain access to a wide range of DOD systems, penetrating deeply into the agency network before defensive measures could be executed. And frequently, these defensive efforts proved to be too little, too late.

"The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most DOD networks, and could be in a position to degrade important DOD missions when and if they chose to," the report concluded.

Password removal
In light of these results, the DOD has acknowledged the need for revitalized cybersecurity efforts and new strategies. Among the most notable of these is the complete elimination of passwords, according to Mark Orndorff, DISA's top cybersecurity official.

This is due to the fact that password weaknesses were commonly exploited by the DOD red teams in the tests described above. The hackers would steal an employee's password and then use that to gain a foothold in the system. As Federal News Radio reported, many of the DOD's mission-critical systems are protected by authentication systems that are no stronger than the average Gmail account. This represents a major vulnerability.

"We need to make this the year we eliminate passwords," said Orndorff, the news source reported. "Running a system today that relies on passwords is as reckless as driving a car without brakes or headlights."

Instead, the DOD intends to turn to public key infrastructure solutions whenever possible. Orndorff told Federal News Radio that these tools have proven to be very secure options for identity and access management. However, while these tools are already in place in a number of areas throughout the DOD, there are many gaps that have until now been filled through password-based systems. 

"In DOD, we pushed for PKI as the best identification, but failed to offer 'good' solutions for those situations where PKI won't work," Orndorff explained, according to the source. "My view is that we need to open the door to innovations that may not be as good as PKI, but are better than passwords."

Password vulnerability is not limited to the DOD. Agencies throughout the government rely on these measures to protect their networks. In order to fully protect themselves, more departments will need to follow the DOD's lead and seek out more secure options.