The Pentagon doesn't know who’s in charge of responding to a massive cyber attack
By Andrew Tilghman
ANNAPOLIS, Md. (April 15, 2015) U.S. Naval Academy Midshipmen 2nd Class Treye Harrison and Blair Mason work together during the 15th annual Cyber Defense Exercise hosted by the National Security Agency. The Naval Academy team won first place in the competition this year. (U.S. Navy photo by Mass Communications Specialist 2nd Class Tyler Caswell/RELEASED)
The Pentagon does not have a clear chain of command for responding to a massive cyber attack on domestic targets in the United States, according to a new report from the Government Accountability Office, the federal government's principal watchdog.
While some Defense Department documents say that U.S. Northern Command would have primary responsibility for supporting civilian agencies in responding to a domestic cyberattack, other documents suggest U.S. Cyber Command should be leading that effort, the Government Accountability Office found in the report, released Monday.
In the event of a massive cyberattack on domestic U.S. infrastructure, such as the nation's electrical grid or financial system, the Defense Department would be expected to play a key role in supporting a national response led by civilians at the U.S. Department of Homeland Security. Yet the Pentagon has no clear rules in place for how that support might play out.
"This absence has caused uncertainty about who in DoD would respond to support civil authorities in a cyber incident, and how they would coordinate and conduct such a response," according to the GAO report. "The designation of cyber roles and responsibilities in DoD guidance is inconsistent," the report said.
One major issue the GAO identified was the role of a "dual-status commander," a legal designation specifically designed for domestic crises that require military support. Dual status allows a single officer to assume simultaneous command authority over both federal military forces and state-level National Guard troops.
Appointment of a dual-status commander is a standard arrangement for streamlining the military's response to domestic disasters such as hurricanes or floods. However, that did not work during a major military exercise last year known as "Cyber Guard 15."
During that exercise, which simulated a major cyber attack, the dual-status commander did not have tactical control of cyber units that reported to U.S. Cyber Command, and those cyber units were not able to fully participate and log onto important online networks, the GAO said.
"According to the U.S. Northern Command officials, this led to a lack of unity of effort among the units responding to the emergency that were not under the control of the dual-status commander," the GAO report said.
In response to the GAO's report, Pentagon officials acknowledged the limitations of current rules for supporting civil authorities in a cyber incident.
Yet military officials say they have not yet determined the best bureaucratic approach to supporting a civil authority in a cyber incident and, as of January 2016, the Pentagon has not begun efforts to issue or update its current guidance to provide better clarity.
The GAO report suggested that fixing that ambiguity would be a good idea.
"We believe that by issuing or updating guidance that clarifies roles and responsibilities for relevant DoD officials, DoD will be in a better position to plan for and support civil authorities in a cyber incident," the GAO report concluded.
About Andrew Tilghman
Andrew Tilghman is the executive editor for Military Times. He is a former Military Times Pentagon reporter and served as a Middle East correspondent for the Stars and Stripes. Before covering the military, he worked as a reporter for the Houston Chronicle in Texas, the Albany Times Union in New York and The Associated Press in Milwaukee.