Defense Department Cyber Efforts: DOD Faces Challenges In Its Cyber Activities
According to the U.S. Strategic Command, the Department of Defense (DOD) is in the midst of a global cyberspace crisis as foreign nation states and other actors, such as hackers, criminals, terrorists, and activists, exploit DOD and other U.S. government computer networks to further a variety of national, ideological, and personal objectives.
This report:
- Identifies how DOD is organized to address cybersecurity threats
- Assesses the extent to which DOD has developed joint doctrine that addresses cyberspace operations
- Assesses the extent to which DOD has assigned command and control responsibilities
- Assesses the extent to which DOD has identified and taken actions to mitigate any key capability gaps involving cyberspace operations.
It is an unclassified version of a previously issued classified report. GAO analyzed policies, doctrine, lessons learned, and studies from throughout DOD, commands, and the services involved with DOD's computer network operations and interviewed officials from a wide range of DOD organizations.
DOD's organization to address cybersecurity threats is decentralized and spread across various offices, commands, military services, and military agencies. DOD cybersecurity roles and responsibilities are vast and include developing joint policy and guidance and operational functions to protect and defend its computer networks.
DOD is taking proactive measures to better address cybersecurity threats, such as developing new organizational structures, led by the establishment of the U.S. Cyber Command, to facilitate the integration of cyberspace operations.
However, it is too early to tell if these changes will help DOD better address cybersecurity threats. Several joint doctrine publications address aspects of cyberspace operations, but DOD officials acknowledge that the discussions are insufficient, and no single joint publication completely addresses cyberspace operations.
While at least 16 DOD joint publications discuss cyberspace-related topics and 8 mention "cyberspace operations," none contained a sufficient discussion of cyberspace operations. DOD recognizes the need to develop and update cyber-related joint doctrine and is currently debating the merits of developing a single cyberspace operations joint doctrine publication in addition to updating all existing doctrine.
However, there is no timetable for completing the decision-making process or for updates to existing doctrine. DOD has assigned authorities and responsibilities for implementing cyberspace operations among combatant commands, military services, and defense agencies; however, the supporting relationships necessary to achieve command and control of cyberspace operations remain unclear.
In response to a major computer infection, U.S. Strategic Command identified confusion regarding command and control authorities and chains of command because the exploited network fell under the purview of both its own command and a geographic combatant command.
Without complete and clearly articulated guidance on command and control responsibilities that is well communicated and practiced with key stakeholders, DOD will have difficulty in achieving command and control of its cyber forces globally and in building unity of effort for carrying out cyberspace operations.
DOD has identified some cyberspace capability gaps, but it has not completed a comprehensive, department-wide assessment of needed resources, capability gaps, and an implementation plan to address any gaps.
For example, U.S. Strategic Command has identified that DOD's cyber workforce is undersized and unprepared to meet the current threat, which is projected to increase significantly over time.
While the department's review of some cyberspace capability gaps on cyberspace operations is a step in the right direction, it remains unclear whether these gaps will be addressed since DOD has not conducted a more comprehensive department-wide assessment of cyber-related capability gaps or established an implementation plan or funding strategy to resolve any gaps that may be identified.
The General Accounting Office (GAO) recommends that DOD:
- Establish a timeframe for deciding on whether to complete a separate joint cyberspace publication and for updating the existing body of joint publications
- Clarify command and control relationships regarding cyberspace operations and establish a timeframe for issuing the clarified guidance
- More fully assess cyber-specific capability gaps
- Develop a plan and funding strategy to address them.
DOD agreed with the recommendations.
The GAO directs executives as follows:
- To strengthen DOD's cyberspace doctrine and operations to better address cybersecurity threats, the Secretary of Defense should direct the Chairman of the Joint Chiefs of Staff, in consultation with the Under Secretary of Defense for Policy and U.S. Strategic Command, to establish a time frame for (1) deciding whether or not to proceed with a dedicated joint doctrine publication on cyberspace operations and (2) updating the existing body of joint doctrine to include complete cyberspace-related definitions.
- To strengthen DOD's cyberspace doctrine and operations to better address cybersecurity threats, the Secretary of Defense should direct the appropriate officials in the Office of the Secretary of Defense, in coordination with the Under Secretary of Defense for Policy and the Joint Staff, to clarify DOD guidance on command and control relationships between U.S. Strategic Command, the services, and the geographic combatant commands regarding cyberspace operations, and establish a time frame for issuing the clarified guidance.
- To ensure that DOD takes a more comprehensive approach to its cyberspace capability needs and that capability gaps are prioritized and addressed, the Secretary of Defense should direct the appropriate Office of the Secretary of Defense officials, in coordination with the secretaries of the military departments and the Joint Chiefs of Staff, to develop a comprehensive capabilities-based assessment of the department-wide cyberspace-related mission and a time frame for its completion.
- To ensure that DOD takes a more comprehensive approach to its cyberspace capability needs and that capability gaps are prioritized and addressed, the Secretary of Defense should direct the appropriate Office of the Secretary of Defense officials, in coordination with the secretaries of the military departments and the Joint Chiefs of Staff, to develop an implementation plan and funding strategy for addressing any gaps resulting from the assessment that require new capability development or modifications to existing programs.