Who's in Charge at DoD During a Civilian Cyber Incident?
GAO Questions Effectiveness of Military Aid to Civilian Agencies
Government auditors question the effectiveness of a U.S. military response to aid civil authorities during cyber-related emergencies because it's unclear which one of two defense units would lead such operations.
The two units are the Northern Command, which supports civil authorities at the federal, state and local levels, and the Cyber Command, which synchronizes the planning for cyber operations in cooperation with other commands as well as appropriate federal agencies, such as the Department of Homeland Security.
The Government Accountability Office, in a study requested by Congress, recommends the Defense Department issue or update guidance to clarify its responsibilities to support civil authorities in a domestic cyber incident. DoD concurred and said it would take the recommended steps.
Absence of Clarity
The Defense Department has developed a number of guidance documents on how the military would provide support in various circumstances to civil authorities, such as federal civilian agencies or state governments. "The absence of clarity in roles and responsibilities to address a cyber incident represents a clear gap in guidance," says Joseph Kirschbaum, director of defense capabilities and management at GAO. "The gap, and the uncertainty that results, could hinder the timeliness or effectiveness of critical DoD support to civil authorities during cyber-related emergencies that DoD must be prepared to provide."
But a former senior IT official at the Pentagon who helped direct DoD's information security operations questions GAO's conclusion that the absence of defined roles would hinder the military's response in aiding civil authorities during a cyber event. "The roles are, for the most part, already established [but] are they perfect? Probably not," says the former DoD official, who requested anonymity because, as a private practitioner, he still works with the Defense Department. "But DoD knows how to support civil authorities and exercises this capability yearly between U.S. Cybercom and Northcom."
Elevating Cyber Command
Although he did not specifically address Kirschbaum's comment, the Cyber Command commander - Navy Admiral Michael Rogers - told the Senate Armed Services Committee this week: "We've got to figure out how to bridge across not just the DoD but the entire U.S. government and the private sector about how we're going to look at this problem set [of responding to critical cyber matters] in an integrated, national way."
At the hearing, Rogers addressed a proposal to elevate the Cyber Command to a unified combatant command, which he contended would prove beneficial. As a unified combatant command, the Cyber Command would have more sway in incorporating cybersecurity needs in determining DoD's budget priorities, strategies and policies, he said. "My input to the process has been that a combatant command designation would allow us to be faster, which would generate better mission outcomes," said Rogers, who also serves as director of the National Security Agency.
Inconsistencies in Guidance
GAO's review of DoD guidance documents shows an inconsistency on whether Northern Command or Cyber Command would be in charge of supporting authorities in a cyber incident. In addition, GAO notes that DoD Directive 3025.18 specifies precise responsibilities of the assistant defense secretary for health affairs in providing military aid when responding to a health emergency. But it does not furnish any guidance to other Pentagon officials, such as the assistant secretary for homeland defense and global security, regarding support to civil authorities for cyber incidents.
"Without clarifying guidance on DoD roles and responsibilities in a cyber incident, DoD cannot reasonably ensure that the department will be able to most effectively employ its capabilities to support civil authorities in a cyber incident," Kirschbaum says.