Who's in Charge at DoD During a Civilian Cyber Incident?

GAO Questions Effectiveness of Military Aid to Civilian Agencies
Navy Admiral Michael Rogers, commander of U.S. Cyber Command

Government auditors question the effectiveness of a U.S. military response to aid civil authorities during cyber-related emergencies because it's unclear which one of two defense units would lead such operations.

The two units are the Northern Command, which supports civil authorities at the federal, state and local levels, and the Cyber Command, which synchronizes the planning for cyber operations in cooperation with other commands as well as appropriate federal agencies, such as the Department of Homeland Security.

The Government Accountability Office, in a study requested by Congress, recommends the Defense Department issue or update guidance to clarify its responsibilities to support civil authorities in a domestic cyber incident. DoD concurred and said it would take the recommended steps.

Absence of Clarity

The Defense Department has developed a number of guidance documents on how the military would provide support in a number of circumstances to civil authorities, such as federal civilian agencies or state governments. "The absence of clarity in roles and responsibilities to address a cyber incident represents a clear gap in guidance," says Joseph Kirschbaum, director of defense capabilities and management at GAO. "The gap, and the uncertainty that results, could hinder the timeliness or effectiveness of critical DoD support to civil authorities during cyber-related emergencies that DoD must be prepared to provide."

But a former senior IT official at the Pentagon who helped direct DoD's information security operations questions GAO's conclusion that the absence of defined roles would hinder the military's response in aiding civil authorities during a cyber event. "The roles are, for the most part, already established [but] are they perfect? Probably not," says the former DoD official, who requested anonymity because, as a private practitioner, he still works with the Defense Department. "But DoD knows how to support civil authorities and exercises this capability yearly between U.S. Cybercom and Northcom."

Elevating Cyber Command

Although he did not specifically address Kirschbaum's comment, the Cyber Command commander, Navy Admiral Michael Rogers, told the Senate Armed Services Committee this week: "We've got to figure out how to bridge across not just the DoD but the entire U.S. government and the private sector about how we're going to look at this problem set [of responding to critical cyber matters] in an integrated, national way."

At the hearing, Rogers addressed a proposal to elevate the Cyber Command to a unified combatant command, which he contended would prove beneficial. As a unified combatant command, the Cyber Command would have more sway in incorporating cybersecurity needs in determining DoD's budget priorities, strategies and policies, he said. "My input to the process has been that a combatant command designation would allow us to be faster, which would generate better mission outcomes," said Rogers, who also serves as director of the National Security Agency.

Inconsistencies in Guidance

GAO's review of DoD guidance documents shows an inconsistency on whether Northern Command or Cyber Command would be in charge of supporting civil authorities in a cyber incident. In addition, GAO notes that DoD Directive 3025.18 specifies precise responsibilities of the assistant defense secretary for health affairs in providing military aid when responding to a health emergency. But it does not furnish any guidance to other Pentagon officials, such as the assistant secretary for homeland defense and global security, regarding support to civil authorities for cyber incidents.

"Without clarifying guidance on DoD roles and responsibilities in a cyber incident, DoD cannot reasonably ensure that the department will be able to most effectively employ its capabilities to support civil authorities in a cyber incident," Kirschbaum says.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
