The Department of Defense has again received unsatisfactory marks from the Government Accountability Office regarding how it would assist the U.S. government in the event of a major cyber incident.
The GAO’s report, released Nov. 30, discovered that not only did DoD not develop a comprehensive plan for Cyber Command, but DoD submitted a report that only fully addressed two of the six elements required by the fiscal year 2016 National Defense Authorization Act requiring DoD to develop a comprehensive plan for Cyber Command to support civil authorities in responding to cyberattacks by foreign powers.
The six items included:
- Descriptions of the roles, responsibilities, and expectations of federal, state, and local authorities as the Secretary understands them;
- A description of such legislative and administrative action as may be necessary to carry out the plan;
- Descriptions of the roles, responsibilities, and expectations of the active and reserve components of the armed forces;
- Plans for coordination with heads of other federal agencies and state and local governments pursuant to the exercises required in the previous clause;
- A list of any other exercises previously conducted that are used in the formulation of the plan, and;
- A plan for internal DOD collective training activities that are integrated with exercises conducted with other agencies and state and local governments.
The first two were fully addressed, the next three were partially addressed, while the last item was not addressed on DoD training activities, GAO found.
Moreover, GAO said DoD did not ensure staff were properly trained under Presidential Policy Directive on United States Cyber Incident Coordination — often referred to as PPD-41 — which established the government’s response to cyber incidents affecting both the private and public sectors.
GAO noted DoD officials agreed their submission wasn’t a comprehensive plan as the report they submitted under the NDAA’s mandate was a “collection of separate documents that, according to DoD, outline core federal, state, local and private-sector roles and responsibilities; summarize plans for coordination at all levels of government and across sectors in the event of a cyber incident; and prescribe the roles and responsibilities of the active and reserve components.”
DoD officials also acknowledged there are several planning and guidance documents that need to be updated to clarify roles and responsibilities, something GAO addressed in an April 2016 report outlining confusion regarding commands and responsibilities between various DoD entities such as Northern Command and Cyber Command.
“Until DoD clarifies the roles and responsibilities of its key entities for cyber incidents, as we recommended, department leaders and components will continue to experience uncertainty about the roles and responsibilities of different components and commands in providing support to civil authorities in the event of a significant cyber incident,” GAO said.
DoD officials recently sparred with Congress regarding their role in protecting civilian infrastructure from cyber incidents.
“Although DoD has built capacity and unique capabilities, for a number of reasons, I would caution against ending the current framework and against reassigning more responsibility for incident response to the Department of Defense,” Kenneth Rapuano, assistant secretary of defense for homeland defense and global security and a principle cyber adviser, wrote in prepared testimony.
“[T]he United States has a long normative and legal tradition limiting the role of the military in domestic affairs. This strict separation of the civilian and the military is one of the hallmarks of our democracy and was established to protect its institutions. Designating DoD as the lead for the domestic cyber mission risks upsetting this traditional civil-military balance,” Rapuano‘s testimony read.
Senator John McCain, R-Ariz. — chairman of the Senate Armed Services Committee, which Rapuano was testifying in front of — was not pleased with this state of affairs.
“You said that it’s not Department of Defense responsibility — suppose if the Russians had been able to affect the outcome of the last election,” Sen. McCain, charged. “For you to sit there and say, ‘Well, but it’s not Department of Defense’s responsibility’ — it is; to defend the nation … if you can change the outcome of an election, that has consequences far more serious than a physical attack.”
GAO also found issues with DoD’s training when it comes to defense to civil authorities and cyber, noting DoD has not conducted a command and control, operational level exercise.
The exercises outlined by DoD — which include Cyber Guard 16 Legal and Policy table top exercises and Cyber Guard 16 — are only focused on strategic-level decision-making and tactical-level actions, respectively.
GAO previously recommended DoD conduct a tier 1 exercise to prepare its forces in the event of a disaster with cyber effects, which seeks to integrate a diverse audience in a joint training environment and identify core competencies, procedural disconnects, and common ground.
While CYBERCOM told GAO they are planning an internal staff exercise to address recommendations, this is not consistent with DoD guidance on tier 1 exercises. Moreover, GAO noted Cyber Guard is not a tier 1 exercise.
GAO made two recommendations in its report, which DoD largely concurred with. First, the Assistant Secretary of Defense for Homeland Defense and Global Security, in coordination with the Chairman of the Joint Chiefs of Staff and other appropriate DoD components, should update the department’s cyber incident coordination training to incorporate the tenets of PPD-41. Second, the Chairman of the Joint Chiefs of Staff should maintain a list of senior DoD officials from organizations that could represent the department during a Cyber Unified Coordination Group, which is formed and activated in the event of a significant cyber incident per PPD-41, and that are trained in the National Incident Management System.