If the U.S. military normally has one thing down pat it is knowing who is in charge. However, when it comes to handling a massive cyberattack on the country the Pentagon is not quite sure who should be issuing orders.
This according to a report released by the U.S. Government Accounting Office (GAO) that said two Department of Defense (DoD) commands each believe it would play the lead role in defending and recovering from a cyberattack. The confusion can be seen in the national Defense Support of Civil Authorities (DSCA) Response plan. This document details the Pentagon's mission on how it will provide support through the federal military force, National Guard and other resources in response to requests for assistance from civil authorities for domestic emergencies, including a cyberattack.
In reviewing the DSCA plan, the GAO found problems regarding the command structure, primarily that two of its combat commands each believes it would take charge.
“In reviewing DoD DSCA documents that DoD officials identified as key guidance to determine whether they address roles and responsibilities in cyber incidents, we found examples of lack of clarity on key roles and responsibilities – specifically for DoD components, the supported command and the dual status commander – to support civil authorities in a cyber incident,” the report stated.
One example pointed out was that the U.S. Northern Command commander, who is responsible for the 48 contiguous states and Alaska, would take the lead and be supported by other elements of the military and government to handle a cyber incident that took place in its region. However, other Defense Department writings indicate U.S. Cyber Command would hold that responsibility.
The GAO noted that this level of uncertainty has created a clear gap in the military's ability to support the civil government during a cyberattack.
“We recommend that the Secretary of Defense direct the Under Secretary of Defense for Policy in coordination with the Chairman of the Joint Chiefs of Staff to issue or update guidance that clarifies roles and responsibilities for relevant entities and officials – including the DoD components, supported and supporting commands, to support civil authorities as needed in a cyber incident,” the GAO wrote.
Another thought under consideration is to make Cyber Command a separate Combat Command. Adm. Mike Rogers, head of Cyber Command, believes such a change would make Cyber Command more nimble in responding to threats. This would place it on par with Northern Command, Central Command and the others reporting directly to the Pentagon. Currently, Cyber Command is subordinate to U.S. Strategic Command.
Updated to include information on making Cyber Command a separate Combat Command.