GAO: Conflicting orders have led to confusion over DOD’s cyber strategy

The military’s war-fighting commands are unsure how to handle cyberspace activities, but a strategy that could alleviate the confusion is months from completion, government auditors said Tuesday.

“Conflicting statements have led to confusion among the combatant commands about command and control over cyber operations,” Government Accountability Office analysts said. 


A 2008 Defense Department-wide plan assigns the new U.S. Cyber Command with the duties for overseeing military network operations, as well as all planning for and defending against cyberspace foes.

“But it also states that geographic combatant commanders are to exercise authority over all commands and forces within their areas of responsibility,” the GAO analysts said in a briefing presented as part of an online forum sponsored by Government Executive magazine.

What’s more, the auditors found “there is not a consensus across [the Defense Department] as to what constitutes a cyber force.”

DOD officials have yet to assign “authorities and responsibilities for cyber operations [and] the supporting relationships necessary for effective command and control remain unclear,” according to the GAO analysts, Davi D'Agostino and Nelsie Alcoser.

But help could soon be on the way in the form of a sweeping new cybersecurity strategy document being developed by the Joint Staff.

It is called “Joint Test Publication 3-12,” and Pentagon officials say the document would consolidate guidance now contained in “16 separate documents” into “one cohesive document,” Alcoser said during the webinar.

That is, if it is ever finished.

“This document has been under development since September 2009, but was still in draft as of May 2011,” GAO said in its presentation. “According to officials with the Joint Staff and the Office of the Secretary of Defense (Policy), this publication ... may not be finalized and approved for some time.”

The auditors did applaud the Pentagon for several steps it has taken to shore up its online defenses, including creating Cyber Command and reorganizing its top policy shop to include a new cybersecurity point person.

But as the Pentagon plans and revises documents that could clear its murky cybersecurity operations waters, potential U.S. foes are ramping up their cyberattack activities, tactics and technologies.

South Korea on Monday fingered North Korea for a cyberattack that targeted one of its top banks. 

And the Pentagon’s annual report on Chinese military power, released last week, noted its People’s Liberation Army is focused on using cyberspace to target enemies.

“In 2010, numerous computer systems around the world, including those owned by the U.S. Government, were the target of intrusions, some of which appear to have originated within [China],” according to the DOD report. “These intrusions were focused on exfiltrating information. Although this alone is a serious concern, the accesses and skills required for these intrusions are similar to those necessary to conduct computer network attacks.”