- Majority of threats made since El Paso and Dayton shootings have been made online Thursday 8:00 PM
- Miley Cyrus tweets about cheating allegations and penis cake drama Thursday 6:32 PM
- ‘The Dark Crystal: Age of Resistance’ dazzles with a timely tale Thursday 6:00 PM
- The DOJ emailed a white nationalist blog post to immigration judges Thursday 5:31 PM
- The Amazon rainforest is on fire–and people are using memes to cope Thursday 4:11 PM
- Microsoft contractors listened in on Xbox users Thursday 2:15 PM
- Anti-vaxxer assaults pro-vaccine lawmaker on Facebook Live (updated) Thursday 2:15 PM
- Oreos licked by singer Lewis Capaldi are being auctioned off on eBay Thursday 1:54 PM
- Zach Braff predicted Sean Spicer would be on ‘Dancing With the Stars’ 2 years ago Thursday 1:38 PM
- NYPD sergeant who watched Eric Garner die punished with lost vacation days Thursday 1:27 PM
- Brie Larson haters have a meltdown over a joke about Thor’s hammer Thursday 1:26 PM
- This comedian attempted to make fun of women on Twitter—and it did not go over well Thursday 1:04 PM
- Logan Paul wants to help the Amazon rainforest Thursday 12:36 PM
- Nutaku announces redesign and filters for LGBTQ porn games (updated) Thursday 12:25 PM
- This video of dozens of inflatable mattresses taking off in the wind is perfect Thursday 12:20 PM
The Department of Defense needs to clarify how it will help civilian agencies deal with cyberattacks because its current guidance is unclear and insufficient, according to the Government Accountability Office.
The congressional watchdog agency faulted the Pentagon in a report issued Monday for not specifying which senior officials and military forces are responsible for helping local police, state agencies, and other civil authorities recover from and respond to cyberattacks.
“In some cases,” the GAO report said, “DOD guidance provides specific details on other types of [civilian support]-related responses, such as assigning roles and responsibilities for fire or emergency services support and medical support, but does not provide the same level of detail or assign roles and responsibilities for cyber support.”
The problem is twofold: There is both a lack of guidance on some issues and a lack of clarity in existing guidance on other issues.
For instance, the GAO noted clashing responsibilities between U.S. Northern Command, which protects the homeland and assists domestic law enforcement agencies, and U.S. Cyber Command, which has global jurisdiction over cyber operations and protects Defense Department networks from digital intrusions.
Another concern is that planning documents do not always name a single commander who will supervise both federal military and state National Guard forces, leading to “a lack of unity of effort” in a “recent cyber exercise” involving Northern Command troops.
Congress ordered the GAO to conduct the analysis of military cyber response plans in the latest Pentagon funding bill.
Unclear and inconsistent guidance, the agency warned, undermined the military’s goal of “creating and preserving unity of effort, coordination, and clarity in roles and responsibilities.”
The U.S. military has struggled in recent years to prepare a cyber force that can both conduct digital assaults and defend government computer networks from increasingly sophisticated intrusions. Cultural and technological problems have compounded each other, and problems persist even once funding is secured and cyber operators are hired, trained, and deployed.
The Pentagon’s sprawling bureaucracy—the U.S. military is the largest employer in the world—provides ample opportunity for both areas of overlapping jurisdiction and areas untouched by any division or task force.
The GAO found that several combatant commands—fighting forces composed of different service branches but linked based on their location or mission—disagreed over their role in supporting a civilian cyberattack response operation.
Combatant commands had different understandings of which combatant command would be designated the supported command in supporting civil authorities in a cyber incident. For example, U.S. Cyber Command officials told us that if a [Defense Support of Civil Authorities] incident involved a cyber response, the Secretary of Defense would likely assign U.S. Cyber Command, a different command than U.S. Northern Command, as the command responsible for providing support to civil authorities in the cyber domain. However, U.S. Northern Command officials stated as of September 2015 that their command had not delegated this responsibility to another command. Additionally, U.S. Pacific Command officials told us that they would be the supported command for a DSCA mission that included a cyber incident within their area of responsibility, with U.S. Cyber Command as the supporting command.
Until the Pentagon addressed these shortcomings, “DOD may not be positioned to effectively employ its forces and capabilities to support civil authorities in a cyber incident.”
The Pentagon did not respond to a request for comment on the GAO report, but according to the report, the department agreed with the GAO’s recommendation that the under secretary of defense for policy and the chairman of the Joint Chiefs of Staff should develop new guidance resolving these inconsistencies.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.