- Ninja mocked for not knowing how to make a sandwich Wednesday 9:30 PM
- Marvel comics writer discusses misogyny in the industry Wednesday 9:09 PM
- TikTok conspiracy theorists think Juice WRLD is still alive Wednesday 7:03 PM
- Conservatives are protesting YouTube’s new harassment rules Wednesday 5:36 PM
- YouTuber’s ‘creepy’ comment about Taylor Swift’s eggs gets ratioed Wednesday 5:31 PM
- Bloomberg razzed for accidentally making an Alexa Fleshlight Wednesday 5:29 PM
- Who is putting cowboy hats on pigeons? Wednesday 4:33 PM
- Scammer reportedly bribed Facebook employee to keep posts up Wednesday 3:36 PM
- The 1975’s singer criticized for ‘Islamophobic’ rant Wednesday 3:22 PM
- Ready to dish out $52K for Apple’s new Mac Pro? Wednesday 3:03 PM
- N.K. Jemisin and Jamal Campbell discuss their new Green Lantern comic, ‘Far Sector’ Wednesday 3:00 PM
- YouTube says it will be harsher on creators with ‘patterns of harassing behavior’ Wednesday 1:15 PM
- Why one senator stopped a vote on net neutrality Wednesday 12:49 PM
- Man reportedly denied refugee status after officials fail to forward email Wednesday 12:09 PM
- ‘Jojo Rabbit’ star to lead Disney+ ‘Home Alone’ reboot Wednesday 12:08 PM
The Department of Defense needs to clarify how it will help civilian agencies deal with cyberattacks because its current guidance is unclear and insufficient, according to the Government Accountability Office.
The congressional watchdog agency faulted the Pentagon in a report issued Monday for not specifying which senior officials and military forces are responsible for helping local police, state agencies, and other civil authorities recover from and respond to cyberattacks.
“In some cases,” the GAO report said, “DOD guidance provides specific details on other types of [civilian support]-related responses, such as assigning roles and responsibilities for fire or emergency services support and medical support, but does not provide the same level of detail or assign roles and responsibilities for cyber support.”
The problem is twofold: There is both a lack of guidance on some issues and a lack of clarity in existing guidance on other issues.
For instance, the GAO noted clashing responsibilities between U.S. Northern Command, which protects the homeland and assists domestic law enforcement agencies, and U.S. Cyber Command, which has global jurisdiction over cyber operations and protects Defense Department networks from digital intrusions.
Another concern is that planning documents do not always name a single commander who will supervise both federal military and state National Guard forces, leading to “a lack of unity of effort” in a “recent cyber exercise” involving Northern Command troops.
Congress ordered the GAO to conduct the analysis of military cyber response plans in the latest Pentagon funding bill.
Unclear and inconsistent guidance, the agency warned, undermined the military’s goal of “creating and preserving unity of effort, coordination, and clarity in roles and responsibilities.”
The U.S. military has struggled in recent years to prepare a cyber force that can both conduct digital assaults and defend government computer networks from increasingly sophisticated intrusions. Cultural and technological problems have compounded each other, and problems persist even once funding is secured and cyber operators are hired, trained, and deployed.
The Pentagon’s sprawling bureaucracy—the U.S. military is the largest employer in the world—provides ample opportunity for both areas of overlapping jurisdiction and areas untouched by any division or task force.
The GAO found that several combatant commands—fighting forces composed of different service branches but linked based on their location or mission—disagreed over their role in supporting a civilian cyberattack response operation.
Combatant commands had different understandings of which combatant command would be designated the supported command in supporting civil authorities in a cyber incident. For example, U.S. Cyber Command officials told us that if a [Defense Support of Civil Authorities] incident involved a cyber response, the Secretary of Defense would likely assign U.S. Cyber Command, a different command than U.S. Northern Command, as the command responsible for providing support to civil authorities in the cyber domain. However, U.S. Northern Command officials stated as of September 2015 that their command had not delegated this responsibility to another command. Additionally, U.S. Pacific Command officials told us that they would be the supported command for a DSCA mission that included a cyber incident within their area of responsibility, with U.S. Cyber Command as the supporting command.
Until the Pentagon addressed these shortcomings, “DOD may not be positioned to effectively employ its forces and capabilities to support civil authorities in a cyber incident.”
The Pentagon did not respond to a request for comment on the GAO report, but according to the report, the department agreed with the GAO’s recommendation that the under secretary of defense for policy and the chairman of the Joint Chiefs of Staff should develop new guidance resolving these inconsistencies.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.