The Pentagon does not have a clear chain of command for responding to a massive cyber attack on domestic targets in the United States, according to the federal government’s principal watchdog.
While some Defense Department documents say that U.S. Northern Command would have primary responsibility for supporting civilian agencies in such an event, other documents suggest U.S. Cyber Command should be leading that effort, the Government Accountability Office found in a new report published Monday.
In the event of an attack on the nation’s electrical grid or financial system, for instance, the Defense Department would be expected to back up the U.S. Department of Homeland Security. Yet, the Pentagon has no clear rules in place for how that might play out.
“This absence has caused uncertainty about who in DoD would respond to support civil authorities in a cyber incident, and how they would coordinate and conduct such a response,” according to the GAO report. “The designation of cyber roles and responsibilities in DoD guidance is inconsistent.”
One major issue, according to the GAO, is the role of a “dual-status commander,” a legal designation specifically designed for domestic crises that require military support. Dual status allows a single officer to assume simultaneous command authority over both federal military forces and state-level National Guard troops.
Appointment of a dual-status commander is a standard arrangement for streamlining the military’s response to domestic disasters such as hurricanes or floods. However, that did not work during a major military exercise last year known as “Cyber Guard 15.”
During that exercise, which simulated a major cyber attack, the dual-status commander did not have tactical control of cyber units that reported to U.S. Cyber Command, and those cyber units were not able to fully participate and log into important online networks, the GAO said.
“According to the U.S. Northern Command officials, this led to a lack of unity of effort among the units responding to the emergency that were not under the control of the dual-status commander,” the GAO report said.
In response to the GAO’s report, Pentagon officials acknowledged the limitations of current rules for supporting civil authorities in a cyber incident.
Yet military officials say they still have not determined the best bureaucratic approach to supporting a civil authority in a cyber incident and, as of January 2016, the Pentagon has not begun efforts to issue or update its current guidance to provide better clarity.
The GAO report suggested that fixing that ambiguity would be wise.
“We believe that by issuing or updating guidance that clarifies roles and responsibilities for relevant DoD officials, DoD will be in a better position to plan for and support civil authorities in a cyber incident,” the GAO report concluded.