A new report out from the Government Accountability Office (GAO) warns that the U.S. Department of Defense’s efforts to unify its cyber security operations has serious gaps and that the Department is “unprepared to meet the current threat” of cyber attack.
The report, issued on Monday, is an unclassified version of a classified report that has already been published. In it the GAO calls the Pentagon to task for failing to develop a uniform doctrine to govern its cyberspace operations, and for a lack of command and control authority necessary in the event of an attack.
The 79 page report, “Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities” (GAO 11-75) (PDF) provides a snapshot of the military’s cyber security effort at a moment of transition. GAO credits the DOD for taking steps to simplify its organization. Chief among those efforts is the creation of a unified U.S. Cyber Command, GAO said. However, the government’s internal watchdog also describes a cyber security response system that is decentralized: spread across different military, civilian and intelligence services and agencies, with little oversight and no clear roadmap.
Even the DOD’s efforts to understand its own cyber security systems are a tangle. The Department has published 16 documents that discuss cyberspace related topic and eight on cyberspace operations, alone. However, none of them is sufficient to serve as a unified doctrine for cyber operations, GAO found. The creation of such a governing document is now being “debated” within the DOD, but no timetable has been set for producing such a document, and efforts to even update existing doctrine are lagging.
Despite clearly recognizing the threat to the United States government and military, the DOD and related agencies unprepared to address that threat: with an “undersized and under prepared” cyber workforce, GAO found. The agency recommended that the DOD clarify the command and control structure, identify gaps in its current capabilities with regard to cyber operations and then make funding them a priority.
Beyond that, the DOD needs to bring its current doctrine in line with the current cybersecurity landscape and decide whether it needs a new, over arching cybersecurity doctrine that will unite cyberspace operations across the government.
Warnings about the sorry state of cyber security within U.S. Government and Military networks have been growing louder and more stark. Just this month, Deputy Defense Secretary William Lynn revealed that the government had suffered a massive DOD data breach in March that resulted in the theft of 24,000 files by an unknown attacker. That follows Lynn’s revelation in August of last year about a 2008 security breach, dubbed “Buckshot Yankee” that penetrated the U.S. Government’s classified network, known as SIPRnet. The Department of Defense this month released its Strategy for Operating in Cyberspace, a document that received a lukewarm reception from security experts, who said it staked out little new ground.