GAO: Pentagon still not able to adequately protect U.S. cyber infrastructure

cyber_command

(Cyberwar.news) The Pentagon has been working to improve its ability to protect vital U.S. infrastructure from cyber attacks and hacking but still has a ways to go before such protection will have been deemed adequate, according to the government’s own watchdog agency.

“Cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of impact,” says a newly released assessment by the Government Accountability Office (GAO). “[Department of Defense’s] 2013 Strategy for Homeland Defense and Defense Support of Civil Authorities states that DoD must be prepared to support civil authorities in all domains—including cyberspace—and recognizes that the department plays a crucial role in supporting a national effort to confront cyber threats to critical infrastructure.”

Further, the assessment [PDF] contends, the Defense Department has not adequately defined which military command – Northern Command or Cyber Command – would talk the lead in responding to a major cyberattack from abroad on a critical U.S. infrastructure.

The Pentagon “has developed a significant body of guidance on how the department is to effectively provide support to civil authorities in a broad range of circumstances,” the assessment noted. “However, the absence of clarity in roles and responsibilities to address a cyber incident represents a clear gap in guidance.

More:  

“The gap, and the uncertainty that results, could hinder the timeliness or effectiveness of critical DoD support to civil authorities during cyber-related emergencies that DoD must be prepared to provide,” it said.

The assessment also noted that cyber attacks and incidents of hacking by foreign entities against military, government and private sector systems were increasing in frequency and complexity. Previous government assessments by other agencies have found IT systems similarly vulnerable.

“To help improve DoD’s planning and processes for supporting civil authorities in a cyber incident, we recommend that the Secretary of Defense direct the Under Secretary of Defense for Policy in coordination with the Chairman of the Joint Chiefs of Staff to issue or update guidance that clarifies roles and responsibilities for relevant entities and officials— including the DoD components, supported and supporting commands, and dual-status commander—to support civil authorities as needed in a cyber incident,” GAO recommended.

The watchdog said its assessment and resultant report was in response to a requirement in the 2014 National Defense Authorization Act, in which Congress tasked the agency with assessing the cyberwarfare capabilities of the active branches of the armed forces as well as National Guard and Reserve forces as well.

While the military has developed and issued policy guidance about how it planned to respond to a cyber emergency in the private sector, the Pentagon has been unclear as to which command would take the lead response role. Each of them – NORTHCOM and CYBERCOM – likely would have a role, but it’s not clear which would be in charge, though coordination of action would flow through the Department of Homeland Security.

NORTHCOM officials have said their command would be lead, but CYBERCOM officials have disputed that.

DHS is the lead civilian agency that is tasked with responding to cyberattacks.

“DoD officials acknowledged the limitations of current guidance to direct the department’s efforts in supporting civil authorities in a cyber incident and discussed with GAO the need for clarified guidance on roles and responsibilities,” the report acknowledged. “DoD officials stated that the department had not yet determined the approach it would take to support a civil authority in a cyber incident and, as of January 2016, DoD had not begun efforts to issue or update guidance and did not have an estimate on when the guidance will be finalized.

“Until DoD clarifies the roles and responsibilities of its key entities for cyber incidents, there would continue to be uncertainty about which DoD component or command should be providing support to civil authorities in the event of a major cyber incident,” the GAO report concludes.

 

See also:

FierceGovernmentIT

Cyberwar.news is part of the USA Features Media network.