If the United States were to fall victim to a large-scale cyberattack that took out critical infrastructure, the Department of Defense could turn to little-used authorities to assist federal civilian agencies with their response.
Under a proposal in a new conference report from the Senate and House Armed Services Committees’ annual defense policy bill, the Department of Defense must hold a high-level exercise and walk through how it would support civilian agencies. Such an exercise would include U.S. Cyber Command, Northern Command and other DoD organizations.
The proposal in the legislation does not specify when such an exercise shall occur.
The bill states the exercise must include department-level leadership and decision making for providing cyber support to civil authorities, testing of the policy, guidance and doctrine for cyber-incident coordinating, operational planning and execution by the Joint Staff. The event would be coordinated with the Department of Homeland Security, the Federal Bureau of Investigation, and elements across federal and state governments and the private sector.
The proposal is in line with concerns from members of Congress and warnings from the Government Accountability Office, which found DoD did not ensure staff were properly trained under the Presidential Policy Directive on United States Cyber Incident Coordination — often referred to as PPD-41 — which established the government’s response to cyber incidents affecting both the private and public sectors.
A new Government Accountability Office report found the Department of Defense still has work to do when it comes to roles, responsibilities and training as they pertain to support for national cyber incidents.
GAO’s report, released in November 2017, said the Defense Department had yet to conduct an operational-level exercise focused on providing support to civil authorities in a cyber incident. Leaders at Cyber Command disputed such claims, pointing to its annual Cyber Guard exercises, which just wrapped up in mid-June and bring together over 100 organizations from government, academia, industry and the international community to respond to a mock national cyber incident.
However, despite CYBERCOM’s claim that Cyber Guard is classified as a tier 1 exercise, the GAO noted that “a 2015 DoD Cyber Strategy implementation document stated that while Cyber Guard is a valuable ‘whole-of-nation’ scenario, its focus is much more tactical in nature and that the department needed another tier 1-level exercise.”
Despite these concerns, DoD officials have long maintained they understand the relationships and what is needed in the case it must respond to a national cyber incident.
Lines of friction
Members of Congress have also sparred with the department regarding what they perceive as unclear lines of authority to defend the nation against widespread cyber and information-related incidents.
Senate Armed Services Committee Chairman John McCain, R-Ariz., criticized DoD’s principal cyber adviser in an October 2017 hearing for maintaining the position that DoD should play a hands-off role in incident response.
DoD’s role in defending the nation
In his first public remarks since taking the helm at Cyber Command, Gen. Paul Nakasone said that DoD can be a critical partner to the Department of Homeland Security.
“Within the United States, the Department of Homeland Security has the responsibility for the defense of our critical infrastructure and so there’s a partnership there,” he said at the Aspen Security Forum July 21. “As we can enable or we are asked to assist, certainly, that goes through a process and the Department of Defense would answer that request.”
Nakasone added that while Cyber Command’s authorities and focus remain on the protection of DoD networks, the organization is “an available force upon which if the nation needs it can be called on.”
Some believe the Department of Defense should move away from typical information network defense and expand its coverage to include industrial control and data acquisition systems more extensively.
In addition, Nakasone’s predecessor had also raised the prospect of Cyber Command’s cyber mission forces taking a more active approach to defending the industrial base and critical infrastructure, which means operating outside DoD networks.
“If DoD’s role is going to be to partner and defending critical infrastructure, what level of ability to operate outside the [DoD Information Network] would be appropriate for the cyber mission force,” retired Adm. Michael Rogers told the House Armed Services Subcommittee on Emerging Threats in April.
“I think that’s a good conversation for us to have because right now, not a criticism, an observation, right now the current construct, I don’t operate outside the DoDIN. I would suggest we ought to take a look at that.”