GAO: Can DoD Keep Pace with Cyber Threats?Too Early to Judge Effectiveness of U.S. Cyber Command
That's a conclusion of a Government Accountability Office report to congressional oversight committees, made public Monday, entitled Defense Department Cyber Efforts: DoD Faces Challenges In Its Cyber Activities.
Though America remains dominant on land, sea and air, technical and economic barriers to gain entry in cyberspace are much lower for adversaries, and as a result, place the United States' networks at great risk, GAO says in its 75-page report.
GAO says senior Defense leaders understand the severity of the challenge, and points out that DoD has taken important steps to better organize its cyber efforts, including the creation of the U.S Cyber Command (see Gates Describes Military Command's Role). "But it is too early to tell whether this will provide the necessary leadership and guidance DoD requires to address cybersecurity threats."
The Defense Department has much to protect, depending on 7 million computer devices, linked on over 10,000 networks with satellite gateways and commercial circuits that are composed of innumerable devices and components. And, that doesn't include computers, devices and networks operated by defense contractors that perform much work for the DoD.
Nearly two weeks ago, after the GAO report was written but before being made public, Deputy Defense Secretary William Lynn III revealed that hackers believed to be backed by another nation breached a defense contractor's computers and obtained 24,000 Pentagon files related to systems being developed for the Defense Department during a single intrusion in March, one of the worst digital attacks against the DoD. (see Hackers Breach Most Sensitive Military Systems).
But DoD faces more mundane challenges that could put its IT at risk. GAO cites DoD's numerous joint doctrine publications that discuss cyber-related topics that include content it deems incomplete or out of date. Discussions such as what constitutes a cyber force are not uniformly defined across DoD doctrine publications and guidance. GAO says DoD recognizes the need to develop and update cyber-related joint doctrine and is debating the merits of developing a single, overarching cyber joint doctrine publication in addition to updating all existing doctrine. Still, GAO says, DoD has yet to set a timetable for the completion of these efforts.
Another example of the deficit in existing doctrine is the lack of a common definition for what constitutes cyber personnel. GAO cites a U.S. Joint Forces Command report that found DoD employs 18 different cyber position titles across combatant commands to identify cyberspace forces. "This can cause confusion in planning for adequate types and numbers of personnel," the GAO says. "Because career paths and skill sets are scattered across various career identifiers ... there are cases in which the same cyber-related term may mean something different among the services."
In the report, GAO recommends that DoD establish a timeframe to decide whether to complete a separate joint cyberspace publication and for updating the existing body of joint publications; clarify command and control relationships regarding cyberspace operations and establish a timeframe for issuing the clarified guidance, and more fully assess cyber-specific capability gaps and develop a plan and funding strategy to address them. DoD concurred with the recommendations.