The Department of Defense needs to clarify how it will help civilian agencies deal with cyberattacks because its current guidance is unclear and insufficient, according to the Government Accountability Office.
The congressional watchdog agency faulted the Pentagon in a report issued Monday for not specifying which senior officials and military forces are responsible for helping local police, state agencies, and other civil authorities recover from and respond to cyberattacks.
“In some cases,” the GAO report said, “DOD guidance provides specific details on other types of [civilian support]-related responses, such as assigning roles and responsibilities for fire or emergency services support and medical support, but does not provide the same level of detail or assign roles and responsibilities for cyber support.”
The problem is twofold: There is both a lack of guidance on some issues and a lack of clarity in existing guidance on other issues.
For instance, the GAO noted clashing responsibilities between U.S. Northern Command, which protects the homeland and assists domestic law enforcement agencies, and U.S. Cyber Command, which has global jurisdiction over cyber operations and protects Defense Department networks from digital intrusions.
Another concern is that planning documents do not always name a single commander who will supervise both federal military and state National Guard forces, leading to “a lack of unity of effort” in a “recent cyber exercise” involving Northern Command troops.
Congress ordered the GAO to conduct the analysis of military cyber response plans in the latest Pentagon funding bill.
Unclear and inconsistent guidance, the agency warned, undermined the military’s goal of “creating and preserving unity of effort, coordination, and clarity in roles and responsibilities.”
The U.S. military has struggled in recent years to prepare a cyber force that can both conduct digital assaults and defend government computer networks from increasingly sophisticated intrusions. Cultural and technological problems have compounded each other, and problems persist even once funding is secured and cyber operators are hired, trained, and deployed.
The Pentagon’s sprawling bureaucracy—the U.S. military is the largest employer in the world—provides ample opportunity for both areas of overlapping jurisdiction and areas untouched by any division or task force.
The GAO found that several combatant commands—fighting forces composed of different service branches but linked based on their location or mission—disagreed over their role in supporting a civilian cyberattack response operation.
Combatant commands had different understandings of which combatant command would be designated the supported command in supporting civil authorities in a cyber incident. For example, U.S. Cyber Command officials told us that if a [Defense Support of Civil Authorities] incident involved a cyber response, the Secretary of Defense would likely assign U.S. Cyber Command, a different command than U.S. Northern Command, as the command responsible for providing support to civil authorities in the cyber domain. However, U.S. Northern Command officials stated as of September 2015 that their command had not delegated this responsibility to another command. Additionally, U.S. Pacific Command officials told us that they would be the supported command for a DSCA mission that included a cyber incident within their area of responsibility, with U.S. Cyber Command as the supporting command.
Until the Pentagon addressed these shortcomings, “DOD may not be positioned to effectively employ its forces and capabilities to support civil authorities in a cyber incident.”
The Pentagon did not respond to a request for comment on the GAO report, but according to the report, the department agreed with the GAO’s recommendation that the under secretary of defense for policy and the chairman of the Joint Chiefs of Staff should develop new guidance resolving these inconsistencies.