How should the Pentagon confront civil cyber emergencies?

The Department of Defense has clearly stated strategies for intervening and cooperating with civil authorities for natural disasters and other security emergencies, but lacks similar clarity in defining how to deal with national cyber emergencies, according to an April 4 Government Accountability Office report. 

The report audited DOD's Defense Security Cooperation Agency guidance, and raised concerns that the Pentagon does not clearly define departmental roles and responsibilities for cooperating with civil authorities in the event DOD is called on for support.

The DSCA's mission is to oversee the execution of DOD directives and cooperation with civil authorities on security issues. However, the audit -- conducted from June 2015 to April 2016 -- found that DSCA guidance lacked specific instruction regarding the coordination of DOD components, and how to command both federal military and state National Guard forces during a cyber crisis. 

There is also a lack of clarity as to which DOD command would be assigned primary responsibility when providing support to civil authorities during a cyber incident. The GAO report noted that a 2011 Unified Command Plan identifies Northern Command and Pacific Command as the DOD components in charge, whereas a 2010 memorandum of agreement between DOD and the Department of Homeland Security identifies U.S. Cyber Command as the component that would oversee departmental support.

In the report, Defense officials told auditors that DOD had not yet determined its approach for fulfilling a request for cyber assistance, in part because the situation had never come up. The officials said DHS had never requested DOD assistance for cyber incidents, and it was unclear to them under what circumstances their assistance might be required. 

DOD officials acknowledged the limitations of current guidance practices, but as of January 2016 the department had not initiated efforts to update or issue new guidance. Nor did the department have a timetable as to when guidance would be implemented.

The GAO report cited a provision in the National Defense Authorization Act that requires DOD to develop a strategy for Cyber Command to assist civil authorities in response to potential cyber attacks from foreign nation-states by May 2016. Without updated guidance, the report said, this deadline will not be met. DOD officials offered no specific response in the report as to whether the department would meet this deadline. 

These organizational ambiguities are not a new concern within military circles.

In October 2010, Admiral James Winnefeld, former head of the U.S. Northern Command, said cybersecurity was not a primary focal point for Northern Command. And in July 2014, Admiral William Gortney, the current head of that command, told the Senate Armed Services Committee during his confirmation hearing that he was unaware of a formal guidance involving Northern Command in response to cyberattacks. 

Adm. Michael Rogers, who heads the U.S. Cyber Command and the National Security Agency, was asked about the GAO report by senators in an April 5 appearance before the Senate Armed Services committee. Rogers said that while he had not yet read the report, he was "always concerned about a clear chain of command and a clear articulation of responsibilities."

Rogers also noted that, " DOD is not resourced or tasked to defend every single computer in the U.S.," and that "DHS has overall responsibility in the federal government for the provision of government support to the private sector when it comes to cyber." 

In the report, GAO recommended that DOD issue or update guidance that clarifies roles and responsibilities of department components, supporting commands and the dual-status commander in the event that civil authorities would need DOD assistance in a cyber emergency

DOD concurred with the recommendation and stated it will take action to clarify the roles, but did not provide a timetable for any updates.

GCN and Defense Systems Editorial Fellow Mark Pomerleau contributed to this report.